How hackers circumvent the MFA

MFA is a feature designed to keep hackers out. However, there are different ways they can get around it - here we'll highlight which ones.

13-04-2023 - 6 minute read. Posted in: hacking.

How hackers circumvent the MFA

The importance of multi-factor authentication (MFA) is constantly emphasized when talking about cybersecurity. And for good reason. Hackers have a harder time getting through the safety net of multi-factor authentication, but sometimes they succeed. Therefore, we bring to your attention the most typical ways hackers can bypass MFA.

MFA: A brief outline

Now that MFA is the main character of this blog post, it is appropriate to outline what it is. MFA stands for multi-factor authentication. It is a security measure that many people are introducing - both companies as well as private individuals. In addition, there are many services that have included MFA to protect their users from hacker attacks.

The essence of MFA is that a user must use two or more methods to verify their identity. In the past, and on some current websites, a username and password was enough to log into sites, but due to the increasing number of hacking cases, more companies and organizations are using MFA as an additional security measure.

There are three types of MFA used:

  • Knowledge: This is, for example, one-time passwords, a PIN code or a security question you should answer.
  • Possession: This is something you have, such as a phone where you have to authorize the login or a security key you possess.
  • Biometric: Biometric data is for example fingerprints, facial recognition or voice recognition.

MFA requires the use of at least two of these factors to log in to the respective page or user account.

It acts as a wall between the hacker and your personal data. If you only use single-factor authentication, you run a higher risk of being hacked, as the cybercriminals only need to crack the code to your user or email.

That's why many companies have implemented MFA to secure both the company and its employees. Another reason to use MFA is also that the less experienced hackers won't try to force their way in because it's too complicated. Only the experienced and seasoned hackers will try to break through the MFA wall.

How does the hacker get through?

There are a few different ways a hacker can break through the MFA wall:

Social Engineering

One of the most well-known methods used by hackers is social engineering. This method is about tricking or persuading the victim to do a certain action. It is often through authority or time pressure that the hacker gets their victim to click on links or download files. This type of hacking is often used when the hacker has already gained access to a victim's login credentials - they are doing social engineering to get past the MFA.

In addition, social engineering is often linked to phishing. The hacker pretends to be someone else, often someone the victim has a relationship with or wouldn't think of as legitimate (e.g. customer service). The hacker is either looking for personal information they can use to log in to different sites, or they install malware on the victim's device by attaching files or links. These files and links are the source of the malware.

Brute force attacks

In brute force attacks, hackers force access to profiles by trying out different codes for a user until they get in.

Therefore, it is a good idea not to have a PIN code as a login, as it is much easier for a hacker to find the four digits than a password. However, it should be said that ordinary passwords that we make up ourselves do not protect our accounts for long either, as it is easier for the hacker to figure out.

It is thus recommended to use password managers that create unique codes for each website you use. These passwords can e.g. look like this:


They are automatically generated every time you log in - they are one-time passwords, which are unique and are constantly regenerated.

Generated keys

The only disadvantage of password managers, such as Google Authenticator and Microsoft Authenticator, is that the user must have a list of manual security keys that are not generated every 30 seconds - in case something goes wrong with the keys.

If a hacker is really skilled, they can get hold of the list of security keys and thus gain access to a user's login. If these manual security keys are stored improperly, the hacker can easily access them. This could be, for example, if they are stored in a printed version or in a digital folder that is easy to access.

SIM card hacking

SIM card hacking is the compromise of a victim's SIM card by the hacker. The hacker gains unauthorized access to the victim's phone number. Typical techniques used by the hacker are:

  • SIM swapping
  • SIM cloning
  • SIM hacking

Once an attacker gains control of a victim's phone number, they can easily access the one-time passwords sent during login.

How you can strengthen MFA

By knowing the different entry points of MFA, you can strengthen it - and hopefully avoid giving the hacker the opportunity to get through.

Below we provide an overview of different measures and methods you can take to keep the hacker out:

  • Avoid short codes, including PIN codes, for one-time passwords. Use long and alphanumeric codes that are a combination of upper and lower case letters, as well as numbers and special characters.
  • Use biometric data as a code whenever possible. It is almost impossible for a hacker to get through a login wall if it requires your fingerprint or facial recognition.
  • Create a strong and unique password. It is much harder for a hacker to crack in brute force attacks.
  • Do not reuse passwords. If you use the same password for multiple websites, the hacker can get into the different websites if they figure out your login.
  • Avoid one-time SMS passwords as much as possible. SMS one-time passwords are one of the easiest MFAs to obtain.
  • Providers should have a maximum number of attempted MFA logins. If this is exceeded, you should be suspended for a period of time.

Concluding remarks

Finally, it is always good to have an overview of your IT systems. Once you know what the potential entry points are for the hacker, you can close them and make sure they can't get in.

Cybersecurity depends on the technical level, but more importantly, it depends on the human aspect. As you might read here, it's the human being that the hacker is trying to find weaknesses in. So, by having awareness training in the company, you can quickly get a better insight into cybersecurity as well as the mindset of the hacker.

Author Caroline Preisler

Caroline Preisler

Caroline is a copywriter here at Moxso beside her education. She is doing her Master's in English and specializes in translation and the psychology of language. Both fields deal with communication between people and how to create a common understanding - these elements are incorporated into the copywriting work she does here at Moxso.

View all posts by Caroline Preisler

Similar posts