Attacking MFA

What is it?

Multi-Factor Authentication (MFA) is a method of confirming a user's identity by using multiple pieces of evidence (factors), typically something they know (like a password), something they have (like a physical token or a mobile device), and something they are (like biometric data).

A simple example

A web application requests a password (first factor - something the user knows), then a one-time password sent to a mobile device (second factor - something the user has). An attacker could attempt to bypass MFA by stealing both the user's password and the OTP, or by exploiting vulnerabilities in the MFA implementation.

Common MFA bypass techniques can include:

  • Phishing attacks to collect both factors

  • Exploiting insecure backup/recovery methods

  • Man-in-the-middle attacks

  • Exploiting implementation weaknesses

Other learning resources:

  • OWASP:

  • Duo Security:

  • Google Authenticator:


Last updated