How to hack 2FA: 5 basic attack methods explained

As two-factor authentication becomes more widespread, criminals seek novel ways to subvert it. Here's what you need to know.

Multifactor authentication  >  Mobile phone verification of a permission request for laptop login.
Aurilaki / Your Photo / Getty Images

Multi-factor authentication (MFA) continues to embody both the best and worst of business IT security practice. As Roger Grimes wrote in this article about two-factor hacks three years ago, when MFA is done well it can be effective, but when IT managers take shortcuts it can be a disaster. And while more businesses are using more MFA methods to protect user logins, it still is far from universal. Indeed, according to a survey conducted by Microsoft last year, 99.9% of compromised accounts did not use MFA at all and only 11% of enterprise accounts are protected by some MFA method.

The pandemic was both good and bad for MFA uptake. By uprooting so many business users' normal computing patterns, lockdowns and remote work provided an opportunity for increased MFA deployments—even as it provided new phishing lures for hackers.

According to surveys done by Garrett Bekker, a senior research analyst for S&P Global Market Intelligence’s 451 Research, there was a jump in those enterprises deploying MFA—from about half in last year's survey to 61% in this year's survey—“mainly because so many more people were working remotely. Still, most enterprises only have limited MFA usage,” he says. “But it has become their first priority going forward, even more so than VPNs.”

In the latest Verizon Data Breach Investigations Report, Bernard Wilson, network intrusion response manager for the US Secret Service, said, “Organizations that neglected to implement MFA, along with virtual private networks, represented a significant percentage of victims targeted during the pandemic.”

Besides COVID, there have been other recent pushes to use MFA:

To continue reading this article register now

How to choose a SIEM solution: 11 key features and considerations