Multi-Factor Authentication Basics and How MFA Can Be Hacked

Identity theft is one of the main ways cyber-criminals profit from hacking other people. Once an attacker takes on your identity, they can reach anything you can, and they may also use your account as a "middle step" for attacking others. Apart from the harm done to those victims, that can leave you under suspicion for their crimes. Identity verification, especially online, is so important these days that its value cannot be overstated. But what is it? How does multi-factor authentication (MFA) work? And can MFA be hacked?

Key Takeaways

  1. Multi-Factor Authentication (MFA): MFA verifies identity with two or more independent checks, such as a password, an ID or phone, and a biometric, so that one stolen credential is not enough on its own.
  2. Effectiveness of MFA: It is essential but not foolproof. About 57% of businesses use MFA, and while Microsoft and Google cite very high effectiveness (up to 99.9%), those figures come from the vendors' own data and deserve some skepticism.
  3. Hacking MFA: Bypass methods include social engineering (phishing), technical manipulation (stealing session tokens), or a mix of the two.
  4. Staying safe: Prioritize online safety, never click links straight from an e-mail, and stay informed about cybersecurity. Seek IT support for added protection.

What Is Multi-Factor Authentication?

Time for some multi-factor authentication basics. Multi-factor authentication (or MFA) is a basic security concept that can be applied in many ways. It simply means using more than one method to verify someone's identity. If someone has to present an ID card and also scan a fingerprint, that is a physical example of MFA. The most common online example is a password combined with a one-time code from your phone. (A CAPTCHA, by contrast, is not an authentication factor at all: it checks that a human is present, not which human.)

There is one other thing to understand. All forms of authentication can be boiled down to three types:

  • Knowledge-based: Verification based on something the person knows. Passwords are one example, as are security questions and PINs
  • Possession-based: Verification based on something the user has. This could be an ID card, a phone running an authenticator app, or a hardware security key (often a small USB device)
  • Biometric: Verification based on what you are. Fingerprint, handprint, or retinal scan identification all fall into this category

Any good MFA plan should combine factors from at least two different categories, not just two methods. Verifying people with a password plus security questions is not good enough: both are knowledge-based, so an attacker who can phish or research one can usually get the other, and the other two categories are neglected entirely.
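To make the two-category rule concrete, here is a minimal two-factor login check in Python: a knowledge factor (a password stored as a slow hash) plus a possession factor (a time-based one-time code of the kind an authenticator app displays, per RFC 6238, built on HOTP from RFC 4226). This is an added example, not code from the original article; the user record, the shared secret (the RFC test-vector key) and the clock values are constructed for illustration.

```python
"""Two-factor login: a knowledge factor (password) plus a possession factor
(a time-based one-time code from an authenticator app, per RFC 6238).

Added example, not code from the original article. The user record, the
shared TOTP secret and the clock values are constructed for illustration.
"""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 200_000  # slow-hash iterations for the stored password

# --- Knowledge factor ------------------------------------------------------
def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256; random salt if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

# --- Possession factor -----------------------------------------------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the Unix time."""
    return hotp(secret, int(at) // step, digits)

def verify_totp(secret: bytes, code: str, at: float, last_counter: int,
                step: int = 30, window: int = 1, digits: int = 6) -> tuple:
    """Accept the current step or one step either side (clock skew), but never
    a step at or before the last one already used (replay protection).
    Returns (accepted, counter_to_record)."""
    current = int(at) // step
    for candidate in range(current - window, current + window + 1):
        if candidate < 0 or candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return True, candidate
    return False, last_counter

# --- Putting the factors together -----------------------------------------
# Constructed user record: one knowledge factor and one possession factor,
# from two different categories, so a single stolen secret is not enough.
_SALT, _DIGEST = hash_password("correct horse battery staple", salt=b"\x01" * 16)
USER = {
    "salt": _SALT,
    "digest": _DIGEST,
    "totp_secret": b"12345678901234567890",  # RFC 4226/6238 test-vector key
    "last_counter": -1,                       # highest TOTP step already used
}

def login(user: dict, password: str, code: str, now: float) -> bool:
    """Both factors must pass; the used TOTP step is recorded only on success."""
    if not verify_password(password, user["salt"], user["digest"]):
        return False
    ok, counter = verify_totp(user["totp_secret"], code, now, user["last_counter"])
    if ok:
        user["last_counter"] = counter
    return ok

if __name__ == "__main__":
    now = time.time()
    code = totp(USER["totp_secret"], now)  # what the authenticator app would show
    print("login with both factors:", login(USER, "correct horse battery staple", code, now))
    print("replaying the same code:", login(USER, "correct horse battery staple", code, now))
```

Two details matter more than they look: the comparisons use `hmac.compare_digest` so that a wrong code or password takes the same time as a right one, and the server records the last accepted TOTP step so that a code observed over someone's shoulder cannot be replayed within the same 30-second window.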

Is MFA Effective In Preventing Identity Theft?

Multi-factor authentication does seem to be quite effective, which is no surprise given how many large companies rely on it. However, you should not get too comfortable. MFA is not a "magic bullet" that eliminates your problems in one step, but it is an essential part of a good security strategy, and you should insist on strong MFA from whoever provides your IT services.

Let's try to get some definite figures and see just how effective MFA is (or isn't). The research we looked at indicates that roughly 57% of all businesses use MFA, though obviously not all to the same degree. That number isn't bad, but there is much room for improvement. Many MFA solutions have not been streamlined enough, and the friction they add is probably why the remaining 43% of businesses have opted to forgo it. Still, adoption has risen by 12% in the last year, which is definitely a positive trend.

Both Microsoft and Google have published very high figures for the effectiveness of MFA. Microsoft's claim is that an account with MFA enabled is 99.9% less likely to be compromised than one without it. As far as we can tell, that figure comes from observing that nearly all of the compromised accounts in their data were not using MFA. That measures a correlation in a population dominated by automated password attacks; it says little about how well MFA holds up against a determined attacker who targets you specifically. Google's published figures, in the 76-96% range depending on the type of attack, are more conservative.

Both vendors have an obvious commercial interest in presenting MFA favorably. Still, figures that far off the mark would not survive outside scrutiny, so it is safe to say that MFA, while not infallible, does stop a large share of attacks, above all the automated ones that rely on a stolen or guessed password alone.

Hacking Multi-Factor Authentication

Unfortunately, people have found many different methods for hacking MFA. A single unsecured account can be used as a stepping stone to further breaches, and an attacker who manages to obtain several types of your credentials over time is not likely to be stopped by MFA. However, most thieves and hackers won't go to that much trouble when cheaper bypasses are available.

A guide we consulted walks through a series of penetration tests run specifically to test how reliable MFA is. Not surprisingly, the testers found that it could often be bypassed. MFA hacking methods fall into one of three categories:


  • Social Engineering: Deceptive tactics that trick users into revealing credentials or approving a login, most often via phishing e-mails
  • Technical Manipulation: Direct manipulation of the technology itself, such as stealing a session token so that the MFA check never has to be passed again
  • Mixed Methods: A combination of social engineering and technical manipulation that exploits both human and system weaknesses

Social hacks (also called social engineering) are basically old-fashioned deception. Instead of trying to break through your security barriers, the attacker tricks you into handing over the credentials yourself, or into approving a login prompt you did not start. Phishing e-mails remain the most common way to do this, as many people still haven't learned to be careful about clicking e-mail links.

Seriously, never click a link directly from an e-mail. If you must follow it, copy the link's actual target (not the text displayed for it), paste it into Notepad, and check where it really goes. The part that matters is the host name between "https://" and the next "/", not any familiar name that appears later in the address. If the e-mail says to click a link to reset your online banking password but that host is not your bank's official domain, you are almost certainly looking at a phishing link.
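The check described above, done in code rather than by eye, catches the tricks phishers use to make a wrong host look right: the real name placed in a subdomain, in the user-info part before an "@", in the query string, glued onto a lookalike, or spelled with a non-Latin lookalike letter. This is an added example, not code from the original article; the bank domain examplebank.com and the sample links are constructed for illustration.

```python
"""Check where an e-mailed link really goes before trusting it.

Added example, not code from the original article. The expected bank domain
and the sample links below are constructed for illustration.
"""
from urllib.parse import urlsplit

def link_host(url: str):
    """Return the host a browser would actually connect to, or None if the
    link is unusable (bad scheme, no host, undecodable name)."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None                      # javascript:, data:, file: are never a bank
    host = parts.hostname                # drops "user@" tricks and the :port
    if not host:
        return None
    host = host.rstrip(".").lower()      # "bank.com." is the same host as "bank.com"
    try:
        # Turn internationalised names into their ASCII (punycode) form so a
        # Cyrillic or Greek lookalike letter cannot pass as the real domain.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None

def same_site(host: str, expected_domain: str) -> bool:
    """True only for the expected domain itself or one of its subdomains,
    matched on whole labels ("fakeexamplebank.com" does not qualify)."""
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)

def classify(url: str, expected_domain: str) -> str:
    host = link_host(url)
    if host is None:
        return "reject: unusable link"
    if same_site(host, expected_domain):
        return "ok: " + host
    return "suspicious: " + host

# Constructed sample links, as they might sit behind "click here to reset
# your password" in an e-mail; examplebank.com stands in for the real bank.
SAMPLE_LINKS = [
    "https://www.examplebank.com/reset",                        # genuine
    "https://examplebank.com.evil.example/reset",               # real name as a subdomain of the attacker's
    "https://examplebank.com@evil.example/reset",               # real name in the user-info part
    "https://evil.example/login?next=https://examplebank.com/", # real name only in the query string
    "https://fakeexamplebank.com/reset",                        # prefix lookalike
    "https://\u0435xamplebank.com/reset",                       # Cyrillic 'е' instead of Latin 'e'
    "javascript:alert(document.cookie)",                        # not a web address at all
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify(link, 'examplebank.com'):48s} <- {link}")
```

The decision rests entirely on the parsed host, never on a substring search over the whole address, because "examplebank.com" appearing somewhere in a link is exactly what a phisher arranges.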

Technical hacks are a little more complicated. They manipulate the technology itself rather than the person. The most important example is session token theft. After you log in and pass MFA, the system hands out a token that identifies your authenticated session (a browser session cookie for a website, a logon token for a Windows session), and the MFA check is not repeated for as long as that token stays valid. An attacker who steals the token, whether over the network, through malware on your machine, or by physical access, can present it and hijack your session at will without ever seeing your password or second factor. Tokens are supposed to be unique, unguessable identifiers, but when a site generates them with a weak algorithm they can sometimes be predicted. Mixed hacks, of course, combine social and technical methods; a phishing page that forwards your real login to the real site and captures the resulting session token is the classic example.
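Both halves of that paragraph can be shown in a few lines: a session store that (like most real ones) accepts any valid token without re-running MFA, a deliberately weak token generator seeded from the login clock that an attacker can replay, and the hardened replacement drawn from the operating system's CSPRNG with cookie attributes that make theft harder. This is an added example, not code from the original article or from any product; the session store, the weak generator and the user names are constructed for illustration.

```python
"""Session tokens: why a stolen or guessable token bypasses MFA, and how to
issue one that cannot be guessed.

Added example, not code from the original article. The weak generator is a
deliberately bad design (seeded from the login timestamp) written here to
show how an attacker who knows roughly when the victim logged in can
reproduce the token; the session store and user names are constructed.
"""
import random
import secrets


class SessionStore:
    """Server-side table of live sessions. Note that `lookup` does not re-run
    MFA: whoever presents a valid token is treated as the user who passed it."""

    def __init__(self):
        self.sessions = {}

    def issue(self, token: str, user: str) -> str:
        self.sessions[token] = {"user": user, "mfa_passed": True}
        return token

    def lookup(self, token: str):
        entry = self.sessions.get(token)
        return entry["user"] if entry else None


def weak_session_token(issued_at: float) -> str:
    """VULNERABLE: a non-cryptographic PRNG seeded with the login time in
    seconds has exactly one possible output per second."""
    rng = random.Random(int(issued_at))
    return "%016x" % rng.getrandbits(64)


def strong_session_token() -> str:
    """HARDENED: 256 bits from the operating system's CSPRNG; no relation to
    the clock, the user, or any earlier token."""
    return secrets.token_urlsafe(32)


def session_cookie_header(token: str) -> str:
    """Cookie attributes that limit theft: not readable by page scripts
    (HttpOnly), sent only over HTTPS (Secure), not attached to cross-site
    requests (SameSite)."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


def hijack_by_guessing(store: SessionStore, approx_login_time: float,
                       slack_seconds: int = 600):
    """Attacker: re-run the weak algorithm for every second around the time the
    victim is believed to have logged in and try each candidate against the
    server. Returns the hijacked user name, or None if no guess was accepted."""
    centre = int(approx_login_time)
    for t in range(centre - slack_seconds, centre + slack_seconds + 1):
        user = store.lookup(weak_session_token(t))
        if user is not None:
            return user
    return None


if __name__ == "__main__":
    login_time = 1_700_000_000  # constructed timestamp of the victim's login

    weak = SessionStore()
    weak.issue(weak_session_token(login_time), "alice")
    print("weak token, attacker guesses:  ", hijack_by_guessing(weak, login_time + 120))

    strong = SessionStore()
    token = strong.issue(strong_session_token(), "alice")
    print(session_cookie_header(token))
    print("strong token, attacker guesses:", hijack_by_guessing(strong, login_time + 120))

    # A stolen token is a different matter: a valid token is accepted as-is,
    # which is why MFA does not help once the token itself has leaked.
    print("strong token, but stolen:      ", strong.lookup(token))
```

The unguessable token closes the prediction route but not the theft route; for that, the cookie attributes, short session lifetimes and re-prompting for MFA before sensitive actions are the usual defenses.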


There you have it: useful multi-factor authentication basics. We hope you will read over the information carefully, including the extensive material in the penetration-testing guide referenced above. This stuff might be a little complicated, but it is well worth the effort to learn. We are talking about your safety here, so don't assume you don't need to be informed. If you would like to learn more, or if you need a good IT support provider, you can call PCH Technologies at (856) 754-7500.