7.3: MFA / 2FA

1. What It Is

Authentication = verifying identity. Traditionally this was just a password (single factor). But passwords alone are weak (guessing, brute force, reuse, phishing).

Multi-Factor Authentication (MFA) → requires more than one category of factor:

  • Something you know → password, PIN, answers to security questions.
  • Something you have → hardware token, mobile phone, smart card.
  • Something you are → biometrics (fingerprint, face, voice, iris).

Two-Factor Authentication (2FA) → specifically requires exactly two distinct factors.

  • Example: Password (something you know) + SMS OTP (something you have).

MFA is broader: could be two or more factors.

  • Example: Password + hardware key + biometric.

2. Types of MFA Methods

🟢 Stronger Options:

  1. FIDO2 / WebAuthn (Phishing-Resistant MFA)

    • Public/private key cryptography.
    • Hardware security keys (YubiKey, Feitian) or platform authenticators (Windows Hello, Touch ID).
    • Credentials are bound to the site's origin (domain), so a proxy/look-alike site on another domain cannot obtain a valid assertion → not phishable via proxy sites.
  2. Authenticator Apps (TOTP, HOTP, Push)

    • TOTP (Time-based One-Time Password): Rolling 6-digit codes (Google Authenticator, Authy, Microsoft Authenticator).
    • Push notification (Duo, Okta Verify): “Approve/Deny” prompts on phone.
  3. Smart Cards / PKI Certificates

    • Used in government/military and enterprises.
    • Hardware-backed cryptographic certificates.

🟡 Weaker Options:

  1. SMS-based OTP

    • Codes sent via text.
    • Vulnerable to SIM-swapping, SMS interception.
  2. Email-based OTP / links

    • Easy to phish.
    • Useful only as a fallback, not primary MFA.

3. How MFA Works (Typical Flow)

  1. User enters username + password.

    • First factor: something they know.
  2. MFA challenge triggered by IdP/app:

    • Send OTP via SMS/email.
    • Push notification to app.
    • Request FIDO2 key tap.
  3. Verification:

    • User provides code, approves push, or taps hardware token.
  4. Server validates second factor → if correct, grants session/token.
4. Best Practices for MFA

  • Favor phishing-resistant MFA: WebAuthn/FIDO2, smart cards.
  • App-based OTP > SMS: SMS is weak, use as last resort.
  • Enforce MFA for high-value accounts: Admin, root, financial, remote access (VPN, RDP, cloud).
  • Adaptive/Conditional MFA: Trigger MFA when risk is higher (new device, unusual location, impossible travel).
  • MFA Everywhere: Don’t limit to external access; enforce internally for critical systems.
  • Educate users: Teach about MFA fatigue and phishing risks.

5. Risks & Attack Techniques Against MFA

Even though MFA is powerful, attackers constantly work around it:

Common Attacks:

  1. MFA Fatigue / Push Bombing

    • Attacker spams push notifications until user accidentally clicks “Approve.”
    • Used in real-world breaches (e.g., Uber 2022).
  2. Phishing with Real-Time Proxy

    • Attacker sets up a fake login page → relays credentials + MFA code to the real site in real-time.
    • Tools: Evilginx, Modlishka.
    • Bypasses OTP, push, SMS.
  3. SIM-Swapping (for SMS MFA)

    • Social engineers mobile carrier to port victim’s number.
    • Attacker receives SMS OTPs.
  4. Man-in-the-Middle (MitM) Attacks

    • Capturing tokens/codes in transit.
    • Works if MFA is code-based (not phishing-resistant).
  5. Malware on endpoint

    • Steals session cookies or intercepts OTP before user enters it.

6. Mitigations Against MFA Bypass

  • Use phishing-resistant MFA (FIDO2/WebAuthn) → resistant to proxy/MitM.
  • Number matching in push notifications (Microsoft Authenticator, Duo) → user must enter the number shown at login, so a blindly tapped “Approve” fails; prevents push fatigue.
  • Limit push retries → stop spamming.
  • Short-lived tokens → reduce replay attack window.
  • Session binding → tie tokens to device/session.
  • Conditional access → step-up MFA only when needed.
  • Privileged Access Management (PAM) → restrict and audit where MFA exceptions or bypass codes are permitted.

7. Examples of MFA Solutions

  • Microsoft Authenticator → push, TOTP, passwordless FIDO2.
  • Google Authenticator / Authy → TOTP.
  • Duo Security → push + adaptive MFA.
  • YubiKey / Feitian keys → hardware FIDO2/U2F.
  • Smart Cards (CAC/PIV) → government/enterprise PKI.

8. Analogy

Think of entering a secure building:

  • Password = Your ID card (easy to fake/steal).
  • MFA = ID card + key fob swipe (something you have).
  • Strong MFA = ID card + biometric fingerprint scan (something you are).
  • Without MFA → anyone with a fake ID card could walk in.

Key Takeaway:

MFA drastically reduces account takeover risk but is not bulletproof. Traditional OTP/SMS MFA can be bypassed by phishing, malware, or SIM-swaps. To truly harden defenses, organizations should move toward phishing-resistant MFA (FIDO2, WebAuthn, smart cards) and layer with detection & monitoring.