How hackers bypass multi-factor authentication

While multi-factor authentication (MFA), also called 2FA or two-factor-authentication, is an excellent way to add an additional layer of security atop user login credentials, it is far from foolproof. This article shows how hackers bypass multi-factor authentication using social engineering, and how users can stay off the hook.

Post hero image

Table of contents

While multi-factor authentication (MFA), also called 2FA or two-factor-authentication, is an excellent way to add an additional layer of security atop user login credentials, it is far from foolproof. This article shows how hackers bypass multi-factor authentication using social engineering, and how users can stay off the hook.

At first glance, MFA seems ingenious and impenetrable. Logins require user credentials followed by access to the phone the account is connected to. The idea is that credentials can be easily stolen online, but phones cannot.

This will surely thwart attackers, right? Wrong.

Malicious actors are always developing new tactics and social engineering tricks to gain access to your precious data. Multi-factor authentication systems are constantly stress-tested by security researchers and malicious actors alike. A wide range of vulnerabilities (discussed further in this article) such as bypassing MFA via conventional session management and by using OAuth, have been found and mostly patched. But as MFA poses a great threat to malicious actors, they are scrambling to find new methods to bypass it.

New campaigns use social engineering to bypass MFA

Phishing messages such as the one depicted below are extremely common. The link directs victims to a site asking for login credentials in order to access the file in question. This is a classic credential harvesting phishing attack.

But with MFA becoming widely adopted, the credentials alone may not be useful for attackers in many cases.

This campaign led the victim to a typical fake Microsoft login page used for credential harvesting. But instead of redirecting the user elsewhere after harvesting the credentials, the site asked for an authenticator code. The malicious actor has anticipated MFA and is basically asking the victim to hand-deliver the code!

Should the authenticator code be given, the attackers would get an alert, and they’d have to quickly log in using the code in order to use it before it times out. After inputting the code, the site will load and then ask for another code, possibly giving the attackers another chance to log in.

This method requires much manual labor, greatly restricting the amount of credentials attackers can harvest. But it is still effective in getting past MFA defences. And remember that in many cases, credentials to just one account can lead to compromise of entire systems, and enormous losses for a business.

Scalability issues

Multi-factor authentication has been a great method for de-escalation of cyberattacks. Credential phishing is extremely simple and scalable, but now that manual labor is required for each account, the attacks do not scale as well. But hackers, always inventive, have developed a number of services recently that automate authenticator code phishing to scale back up again.

Easy-to-operate bots such as SMSRanger and BloodOTPbot have entered the market. These bots can be used with simple commands and offer unique scripts aimed at different services. Once an attacker has successfully harvested someone’s credentials, the bots are given the target’s phone number. The bot automatically calls the target using a well thought-out social engineering script, which eventually asks the victim for an authentication code. Should the victim enter the code, the bot will forward it directly to the malicious actor.

These bots will only get smarter and more dangerous. As the authentication codes expire quickly, manual labor and quick actions are still required. Once logged in however, the malicious actor is no longer in such a rush. Therefore, more sophisticated bots are expected to emerge in the near future that can automatically log in using the harvested codes.

Authentication via code vs. notification

Multi-factor authentication is implemented in various ways across different services. Some services allow authentication codes sent via text messages, some use emails, and some use mobile applications.

Text message are the least secure option. Did you know that the protocol used in text message delivery is very outdated? Text messages are not encrypted; but rather sent in clear text, where the security is largely based on mutual trust. Therefore authentication via text messages is highly discouraged.

The method universally accepted as most secure is via external authenticator app. External authenticator apps like Microsoft Authenticator or Google Authenticator don’t use codes, so no codes can be intercepted. Instead, the user is required to accept a request popping up on their device. In theory, this ensures that the user truly must physically hold the phone in order to approve a login.

However, even this method is susceptible to an ambush with a well-planned attack. For example, a similar attack as explained above would just require even better timing and planning; e.g. a call from a Microsoft impersonator asking you to confirm your identity by accepting an authenticator push notification triggered by the attacker’s attempt to log in to your account.

Physical authentication keys – the most secure option

Physical authentication keys are dedicated authentication devices. They offer a further layer of security by removing the authentication process from an employee’s phone. Physical authentication keys are inaccessible to malicious actors from a distance. They involve no codes and thus no codes can be intercepted, making these authentication devices clearly the most secure option.

Phones contain access to large amounts of personal information, from email and password managers to company intranets and authentication apps. Phones can be hacked. As such, phones are an increasingly tempting target for malicious actors, and phishing and malware targeted at mobile devices is clearly on the rise.

How to stay off the hook

Although we’ve outlined vulnerabilities in these systems, MFA when correctly used is still a very good defence against malicious actors. Here’s some tips to keep in mind:

  • Use authenticator apps like Google or Microsoft Authenticator whenever possible instead of email or text message codes.
  • Deny authenticator notifications by default.
  • Try not to accept requests by muscle memory. Instead take your time to ensure the request is made by you and the requesting domain is legitimate.
  • Consider using a physical security key as an alternative form of authentication used in 2FA.

Read more about secure sign-in


Our Threat Analysis Team examines tens of thousands of reported phishing emails, including ones like these, a week–and have captured tens of millions of threats to date. Working together with our powerful machine learning model, they cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our security awareness training for employees stays at the cutting edge of the constantly-evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.

Want to learn more?
Be sure to check out these articles recommended by the author:
Get more cybersecurity insights like this