Two-factor authentication (2FA) is a great way to boost the security of your accounts. But even with that added layer of security, malicious actors are finding ways to break in. So-called adversary-in-the-middle attacks take advantage of weaker authentication methods to access accounts. Your two-factor and multi-factor authentication (MFA) may be weak, but, luckily, there’s something you can do about it.
How multi-factor authentication works
MFA uses two or more checkpoints to confirm a user’s identity for accessing an account or system. This is more secure than relying on just a username and password combination, especially given how easy many passwords are to crack, and how many have found their way onto the dark web. Passwords are often basic and repeated, so once a password has been compromised, it can be used to get into many accounts. That’s why it’s so important to use strong and unique passwords for each one of your accounts.
With MFA, a password isn’t enough. From here, the user has to validate their login using at least one additional piece of evidence, ideally that only they have access to. This can be a knowledge factor (a PIN), a possession factor (a code from an authenticator app), or an identity factor (a fingerprint).
Note that while 2FA and MFA are often used interchangeably, they aren’t necessarily the same thing. 2FA uses two factors to verify a user’s login, such as a password plus a security question or SMS code. With 2FA, both factors can something the user knows, like their password and a PIN.
MFA requires at least two factors, and they must be independent: a combination of a knowledge factor like a password, plus a biometric ID or a secure authenticator like a security key or one-time password. Generally, the more authentication factors needed, the greater the account security. But if all factors can be found on the same device, security is at risk if that device is hacked, lost, or stolen.
MFA can still be compromised
While having MFA enabled on your accounts can make you feel secure, some MFA methods can be compromised almost as easily as your usernames and passwords.
As Ars Technica reports, certain knowledge and possession factors are themselves susceptible to phishing. Attacks known as adversary-in-the-middle target authentication codes, such as those sent via SMS and email, as well as time-based one-time passwords from authenticator apps, allowing hackers to access your accounts through factors you’ve unknowingly handed them.
What do you think so far?
The attack works as follows: Bad actors send you a message saying that one of your accounts—Google, for example—has been compromised, with a link to log in and lock it down. The link looks real, as does the page you land on, but it is actually a phishing link connected to a proxy server. The server forwards the credentials you enter to the real Google site, which triggers a legitimate MFA request (and if you’ve set up MFA on your account, there’s no reason to believe this is suspicious). But when you enter the authentication code on the phishing site or approve the push notification, you’ve inadvertently given the hacker access to your account.
Adversary-in-the-middle is even easier to carry out thanks to phishing-as-a-service toolkits available in online forums.
How to maximize MFA security
To get the most out of MFA, consider switching from factors like SMS codes and push notifications to an authentication method that is more resistant to phishing. The best option is MFA based on WebAuthn credentials (biometrics or passkeys) that are stored on your device hardware or a physical security key like Yubikey. Authentication works only on the real URL and on or in proximity to the device, so adversary-in-the-middle attacks are nearly impossible.
In addition to switching up your MFA method, you should also be wary of the usual phishing red flags. Like many phishing schemes, MFA attacks prey on the user’s emotions or anxiety about their account being compromised and the sense of urgency to resolve the problem. Never click links in messages from unknown senders, and don’t react to supposed security issues without checking their legitimacy first.
