Multi-factor authentication is the most frequently recommended security control in existence — and also one of the most frequently implemented in ways that provide a false sense of security. Not all MFA is equivalent. SMS-based OTP, the most widely deployed form of MFA, can be bypassed through attacks that are well within the capability of financially motivated cybercriminal groups. Understanding the threat model for each MFA type is essential to choosing the right implementation for your organization.
Why SMS OTP Is Weak
SIM Swapping
SIM swapping is a social engineering attack against mobile carriers. The attacker contacts the victim's carrier, impersonates the victim using personally identifiable information obtained from data breaches or social media, and convinces the carrier to transfer the victim's phone number to a SIM card the attacker controls. All SMS messages — including OTP codes — now go to the attacker's phone. SIM swapping has been used to compromise cryptocurrency accounts, email accounts, and corporate VPNs. High-profile cases include the 2020 Twitter breach, where the attacker leveraged SIM swapping as part of the compromise chain.
SS7 Protocol Attacks
The SS7 (Signaling System No. 7) protocol that underlies global phone network routing has known vulnerabilities that allow attackers with access to the SS7 network (accessible to nation-state actors and well-resourced criminal groups) to intercept SMS messages without any cooperation from the carrier. This attack is technically demanding but has been demonstrated in live environments by security researchers and reportedly used by intelligence agencies.
TOTP and Real-Time Phishing
Time-based One-Time Passwords (TOTP), implemented per RFC 6238 and used by apps like Google Authenticator and Authy, are significantly stronger than SMS. TOTP codes are generated locally on the device without any carrier involvement, eliminating SIM swap and SS7 attack vectors.
However, TOTP is susceptible to real-time phishing proxies. Tools like Evilginx2 act as a transparent reverse proxy: the victim lands on a convincing phishing page, enters their credentials and TOTP code, and the proxy relays those credentials to the legitimate site in real time — capturing the authenticated session cookie before the TOTP code expires. The attacker now has a valid session cookie that bypasses MFA entirely. This attack is widely used in targeted phishing campaigns and requires no special capabilities beyond setting up a phishing infrastructure.
Push Bombing Against Authenticator Apps
Authenticator apps that use push notifications (Microsoft Authenticator, Duo) are vulnerable to a fatigue attack: the attacker, having obtained the victim's credentials, repeatedly triggers authentication push notifications until the victim, confused or frustrated, approves one. This attack has been used successfully against organizations with mature security programs, including the 2022 Uber breach where an attacker combined credential stuffing with push bombing after contacting the victim via WhatsApp claiming to be IT support.
Mitigations include enabling number matching (the app displays a number that matches the one on the login screen, requiring cognitive engagement), and adding additional context to push notifications showing the login location and application being accessed.
FIDO2/WebAuthn: The Phishing-Resistant Standard
FIDO2 and WebAuthn represent a fundamentally different authentication architecture that eliminates phishing as an attack vector by design. The core mechanism is origin binding: during authentication, the authenticator cryptographically signs a challenge that includes the origin (domain) of the website requesting authentication. A phishing site at micros0ft-login.com cannot receive a valid FIDO2 assertion intended for microsoft.com — the signature would be invalid because the origin does not match.
FIDO2 authenticators come in two primary forms:
- Hardware security keys: Physical USB/NFC devices like YubiKey 5 Series, Google Titan Key. The private key is stored in tamper-resistant hardware and never leaves the device. These are the strongest option available and provide protection even against device compromise.
- Platform passkeys: Credentials stored in the secure enclave of a device (Apple Face ID/Touch ID, Windows Hello, Android biometrics). Device-bound or synced across the platform ecosystem (iCloud Keychain, Google Password Manager). More convenient than hardware keys but synced passkeys are accessible from any enrolled device in the account.
NIST and Regulatory Guidance
NIST SP 800-63B defines three Authenticator Assurance Levels (AAL). AAL1 permits single-factor; AAL2 requires MFA; AAL3 requires hardware-bound phishing-resistant authenticators (FIDO2 hardware tokens or smart cards). Federal systems handling sensitive data require AAL3. CISA's joint phishing guidance identifies SMS/voice MFA and push-notification MFA without number matching as weak forms of MFA, and recommends prioritizing phishing-resistant (FIDO or PKI-based) MFA for administrator and privileged user accounts (CISA/NSA/FBI/MS-ISAC, Phishing Guidance: Stopping the Attack Cycle at Phase One, October 2023). OMB M-22-09 mandated phishing-resistant MFA for all federal employees and contractors.
PCI DSS v4.0.1 Requirement 8.5.1 requires MFA for all non-console administrative access to the cardholder data environment, and the guidance specifically recommends phishing-resistant methods for high-privilege accounts.
Implementation Guidance
For most organizations, a practical path to strong MFA is: enforce TOTP or hardware keys for all accounts immediately (eliminating SMS OTP), deploy hardware security keys for privileged accounts and executives (highest phishing risk), and enable phishing-resistant passkeys as primary authentication for cloud services supporting them (Microsoft Entra ID, Google Workspace). Penetration testing of your authentication infrastructure will reveal which systems are still exposing MFA bypass opportunities. Contact Fortress to discuss MFA architecture review.