Multifactor Authentication
2023-08-30
2025-03-27

ℹ️ Multifactor authentication (MFA) is an authentication method that requires the user to present at least two distinct types of evidence to prove their identity. These factors generally fall into three categories:

(Source: apog.net)

  • Knowledge factors (something you know): usually a password or a PIN. Familiar, but weak on their own. Attackers brute-force short or common passwords, reuse credentials stolen in other breaches (credential stuffing), phish users into typing them into a look-alike site, capture them with keyloggers, or intercept them in transit with man-in-the-middle attacks.

  • Possession factors (something you have): a physical device, such as a phone or a hardware security key (e.g., YubiKey), that generates a one-time code or receives an authentication challenge. Possession factors raise the bar because an attacker needs both the credentials and the device. Security keys implementing FIDO2/WebAuthn are the strongest possession factors available today: the key signs a challenge bound to the website's origin, so a signature captured on a phishing site is useless on the real one. Some models add a fingerprint sensor or PIN, so the key itself must be unlocked before it will sign.

  • Inherence factors (something you are): biometric characteristics such as fingerprints, facial recognition or iris scans. They are hard to forge and convenient, which makes them a strong component of an MFA strategy. Unlike a password, however, a biometric cannot be rotated once it leaks, so biometric templates should be stored and matched on the device or in dedicated secure hardware rather than transmitted as a reusable secret.

Even if one factor is compromised, an attacker still needs the others to authenticate, which blunts brute-force and credential-stuffing attacks. How much it helps against phishing depends on the factor: a one-time code can be phished and relayed within its validity window, whereas an origin-bound FIDO2 credential cannot.

Strong passwords, but what about cookies?

Everyone talks about passwords, about choosing strong ones and managing them with a password manager. Yet MFA does not protect you from session takeover. Once a user has authenticated, the server issues a session cookie or token, and that cookie is what every subsequent request carries; the password and the second factor are never asked for again. An attacker who steals the cookie (through infostealer malware, cross-site scripting or a proxy in the path) simply replays it and inherits the authenticated session, regardless of how strong the login was. Short session lifetimes, cookies flagged Secure and HttpOnly, device-bound session tokens where the platform supports them, and re-authentication before sensitive actions limit the damage.

MFA Authentication Protocols and Methods

Various protocols enable the technical implementation of MFA:

Time-Based One-Time Password (TOTP)

TOTP generates a one-time password from the current time, so the code changes every time step with no state other than a shared secret. Standardized as RFC 6238, it works as follows:

  • A shared secret is established between client and server at enrolment (shown to the user as a QR code or base32 string)
  • The current Unix time divided by a time step (30 seconds by default) is used as the counter
  • An HMAC (SHA-1 by default; RFC 6238 also allows SHA-256 and SHA-512) is computed over that counter, with the shared secret as the key
  • The resulting MAC is truncated to a 6- or 8-digit human-readable code.

A TOTP code is valid for one time step; because clocks drift, verifiers usually also accept the code for one step before and after, so the effective window is about 90 seconds. Two caveats for implementers: the shared secret is an HMAC key, so the server must store it in recoverable form (encrypted at rest), not hashed like a password; and a relayed code is still valid within the window, so TOTP is not phishing-resistant.

HMAC-Based One-Time Password (HOTP)

HOTP (RFC 4226) is the event-based algorithm that TOTP builds on: instead of the time, a counter is incremented each time a code is generated. Codes do not expire until they are used, which suits tokens without a clock, but it also gives an attacker who captures a code unlimited time to use it. Because the client may generate codes that never reach the server, the two counters drift apart; servers therefore search a bounded look-ahead window and resynchronise on a successful match.

The typical HOTP flow includes:

  • Establishing a shared secret and initial counter between server and client
  • Combining the current counter with the shared secret using HMAC-SHA-1
  • Truncating the resulting hash to create a readable OTP
  • Incrementing the counter on both sides after use.
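The TOTP and HOTP procedures above share the same core (HMAC, dynamic truncation, modulo 10^digits), so here is one added example covering both; it is not code from the original post. It implements RFC 4226 HOTP and RFC 6238 TOTP and, more usefully, the verifier side that the bullet lists leave out: a drift window with replay rejection for TOTP, and a look-ahead window with counter resynchronisation for HOTP. Function names are this example's own; the secret is the test secret from the RFC appendices.

```python
import base64
import hashlib
import hmac
import struct

# Added example, not code from the original post: RFC 4226 HOTP and RFC 6238 TOTP
# generation plus the verifier-side logic (drift window, replay rejection,
# counter look-ahead). Function names are this example's own.


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter as 8-byte big-endian) -> dynamic truncation -> mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the sign bit
    return str(code % (10 ** digits)).zfill(digits)           # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits, algo)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps (otpauth:// URIs / QR codes) carry the shared secret base32-encoded."""
    padded = encoded.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def verify_totp(secret: bytes, code: str, unix_time: int, last_used: int = -1,
                step: int = 30, digits: int = 6, skew: int = 1):
    """Accept the current step and +/- `skew` neighbours (clock drift), but never a step
    at or before `last_used`: that rejects replay of a code inside the drift window.
    Returns (ok, counter_to_store)."""
    now = unix_time // step
    for c in range(now - skew, now + skew + 1):
        if c <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):   # constant-time compare
            return True, c
    return False, last_used


def verify_hotp(secret: bytes, code: str, server_counter: int,
                look_ahead: int = 10, digits: int = 6):
    """HOTP codes never expire, so the server must tolerate a client that burned a few
    counters without logging in. Search a bounded look-ahead window and, on success,
    move the server counter past the used value so the same code cannot be replayed.
    Returns (ok, new_server_counter)."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True, c + 1
    return False, server_counter


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded.
    k = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(hotp(k, 0), hotp(k, 1))                                 # 755224 287082 (RFC 4226 Appendix D)
    print(totp(k, 59, digits=8))                                  # 94287082 (RFC 6238 Appendix B)
    print(verify_totp(k, "94287082", 70, digits=8))               # (True, 1)
    print(verify_totp(k, "94287082", 70, last_used=1, digits=8))  # (False, 1): replay rejected
    print(verify_hotp(k, "359152", 0))                            # (True, 3): counter-2 code, server jumps to 3
```

Storing `counter_to_store` / `new_server_counter` after every successful check is what makes the replay protection work; a verifier that only checks the window and never records the last accepted counter will accept the same code twice within the 90-second window.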

Push Notifications

Many MFA implementations send a push notification to a mobile app. When a login is attempted, the user receives a prompt asking them to approve or deny the request. According to Okta's Secure Sign-In Trends Report, push notifications have become the most commonly used MFA method, followed by SMS and soft tokens. A bare approve/deny prompt, however, is exactly what prompt-bombing attacks exploit (see the bypass techniques below); number matching, where the login screen shows a number the user must enter in the app, ties the approval to the specific login attempt and should be enabled wherever the provider supports it.

MFA Architecture and Implementation

An MFA system consists of several key components:

  • Authentication Server: The central component managing the verification process
  • User Database: Securely storing credentials and authentication factors
  • Client Device: The user’s device attempting to access the system
  • Authentication Factors: Various verification methods
  • Communication Channels: Pathways for transmitting authentication factors
  • Policy Engine: Defining authentication rules and when MFA is triggered
  • Logging and Monitoring: Tracking authentication attempts to detect suspicious activity.

Authentication Flow

The typical MFA authentication process follows these steps:

  • User Initiates Login: The user enters username and password
  • Authentication Server Checks Credentials: Server verifies the password against stored credentials
  • Second Factor Prompt: If first factor is correct, the system requests a second authentication factor
  • User Provides Second Factor: User submits the required additional verification
  • Final Verification: Server validates the second factor and grants access if all verifications pass.

Adaptive MFA

Advanced MFA solutions support adaptive (risk-based) authentication: contextual signals (location, time of day, IP address, device type, deviation from the account's usual behaviour) are combined with business rules to decide which factors to require for a given request. For example, a customer accessing an online banking site from a trusted home computer might need only a username and password, while the same account accessed from a new device in another country would be challenged for a second factor or blocked.
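The authentication flow and the adaptive policy described above, as one added example that is not code from the original post: a minimal authentication server that checks the password, asks a policy engine whether the request context warrants a second factor, and only then issues a session. It also shows the details the step list glosses over (a pending challenge that expires and has an attempt limit, a constant-time password check that costs the same for unknown users, and an event log for monitoring). Names, risk weights, the scrypt parameters and the 120-second TTL are this example's own assumptions; the second factor is injected as a callable so any of the methods above can plug in.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Added example, not code from the original post: password-then-second-factor flow with a
# context-driven policy engine. Names, risk weights and thresholds are illustrative.


def hash_password(password: str, salt: bytes) -> bytes:
    # Memory-hard KDF; never store the password or a fast hash of it.
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    home_country: str
    trusted_devices: set = field(default_factory=set)
    # Callable(code) -> bool for whatever second factor is enrolled (TOTP, push, key).
    second_factor: object = None


@dataclass
class Context:
    country: str    # derived from the source IP
    device_id: str  # e.g. a device cookie or client certificate
    hour: int       # local hour of day, 0-23


def required_factors(user: User, ctx: Context) -> list:
    """Policy engine: a trusted device, the usual country and office hours need only a
    password; anything unusual steps up to a second factor."""
    risk = 0
    if ctx.device_id not in user.trusted_devices:
        risk += 2
    if ctx.country != user.home_country:
        risk += 3
    if not 7 <= ctx.hour <= 20:
        risk += 1
    return ["password"] if risk == 0 else ["password", "second_factor"]


class AuthServer:
    CHALLENGE_TTL = 120   # seconds a pending second-factor challenge stays valid
    MAX_ATTEMPTS = 3      # wrong codes before the challenge is discarded

    def __init__(self, users, clock=time.time):
        self.users = {u.username: u for u in users}
        self.clock = clock                   # injectable so tests can move time
        self.pending = {}                    # challenge id -> [username, expires_at, attempts_left]
        self.sessions = {}                   # session id -> username
        self.log = []                        # (event, username, country) for monitoring
        self._dummy_salt = secrets.token_bytes(16)

    def login(self, username: str, password: str, ctx: Context):
        user = self.users.get(username)
        # Run the KDF even for unknown users so timing does not reveal which names exist.
        candidate = hash_password(password, user.salt if user else self._dummy_salt)
        if user is None or not hmac.compare_digest(candidate, user.pw_hash):
            self.log.append(("password_failed", username, ctx.country))
            return "denied", None
        if "second_factor" not in required_factors(user, ctx):
            self.log.append(("login_ok", username, ctx.country))
            return "ok", self._issue_session(username)
        cid = secrets.token_urlsafe(16)
        self.pending[cid] = [username, self.clock() + self.CHALLENGE_TTL, self.MAX_ATTEMPTS]
        self.log.append(("mfa_required", username, ctx.country))
        return "mfa_required", cid           # password was right, but no session yet

    def complete_mfa(self, cid: str, code: str):
        entry = self.pending.get(cid)
        if entry is None:
            return "denied", None
        username, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self.pending[cid]            # stale or exhausted: start over with the password
            self.log.append(("mfa_challenge_discarded", username, None))
            return "denied", None
        if self.users[username].second_factor(code):
            del self.pending[cid]            # one challenge, one session
            self.log.append(("login_ok_mfa", username, None))
            return "ok", self._issue_session(username)
        entry[2] -= 1
        self.log.append(("mfa_failed", username, None))
        return "denied", None

    def _issue_session(self, username: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid
```

Note that `login` returns `"mfa_required"` only after the password has been verified, so the challenge identifier is the only thing that links the two steps; it must be unguessable and single-use, which is why it is a 128-bit random token that is deleted on success, expiry or exhaustion.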

Common MFA Bypass Techniques

  • MFA fatigue: also known as "prompt bombing". The attacker, already holding the password, triggers push notifications over and over until the user approves one out of annoyance or by mistake. Number matching and rate-limiting prompts per user defeat it.
  • Session hijacking / account session takeover: the attacker steals authentication cookies or tokens and reuses an already-authenticated session, so MFA is never consulted.
  • Man-in-the-middle (adversary-in-the-middle) phishing: a reverse-proxy phishing site relays the victim's password and one-time code to the real service in real time and captures the resulting session cookie. OTP and push factors fall to this; origin-bound FIDO2/passkey credentials do not.
  • Social engineering: tricking users, or help-desk staff, into revealing codes, resetting or re-enrolling factors, or approving fraudulent requests.
  • SIM swapping: convincing a mobile carrier to move the victim's number to an attacker-controlled SIM, so SMS codes are delivered to the attacker. It remains a live threat wherever SMS is still accepted as a factor; the remedy is to retire SMS in favour of app-based or hardware factors.
  • Infrastructure attacks: targeting the authentication infrastructure itself, for example stealing the private keys used to sign tokens, or abusing fail-open configurations that skip MFA when the MFA service is unreachable.
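Of the techniques listed, MFA fatigue is the one that leaves the clearest trail in the identity provider's logs, so here is an added detection example (not code from the original post): a rule that flags a user who approves a push after a burst of prompts, run over constructed log lines. The log format, field names, the five-prompt threshold and the ten-minute window are this example's own assumptions; adapt the regex to whatever your IdP exports.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Added example, not code from the original post: prompt-bombing detection over
# constructed push-notification log lines. Format and thresholds are assumptions.

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) ip=(?P<ip>\S+)$")

# Constructed sample: alice is prompted six times in five minutes at 2 a.m., refuses or
# ignores five, then approves the sixth; bob approves a single prompt during the day.
SAMPLE_LOG = """\
2025-03-01T02:14:05Z user=alice event=push_sent ip=203.0.113.7
2025-03-01T02:14:40Z user=alice event=push_denied ip=203.0.113.7
2025-03-01T02:15:02Z user=alice event=push_sent ip=203.0.113.7
2025-03-01T02:15:35Z user=alice event=push_timeout ip=203.0.113.7
2025-03-01T02:16:01Z user=alice event=push_sent ip=203.0.113.7
2025-03-01T02:16:30Z user=alice event=push_denied ip=203.0.113.7
2025-03-01T02:17:04Z user=alice event=push_sent ip=203.0.113.7
2025-03-01T02:17:40Z user=alice event=push_timeout ip=203.0.113.7
2025-03-01T02:18:03Z user=alice event=push_sent ip=203.0.113.7
2025-03-01T02:18:35Z user=alice event=push_denied ip=203.0.113.7
2025-03-01T02:19:02Z user=alice event=push_sent ip=203.0.113.7
2025-03-01T02:19:21Z user=alice event=push_approved ip=203.0.113.7
2025-03-01T09:00:00Z user=bob event=push_sent ip=198.51.100.4
2025-03-01T09:00:09Z user=bob event=push_approved ip=198.51.100.4
"""


def parse(line: str):
    """Return (timestamp, user, event, ip) or None for lines that do not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["event"], m["ip"]


def detect_prompt_bombing(lines, threshold: int = 5, window=timedelta(minutes=10)):
    """Alert when a user approves a push after at least `threshold` prompts were sent to
    them inside `window`. A burst of prompts alone is suspicious (the password is already
    in the attacker's hands); a burst that ends in an approval is a successful attack."""
    sent = defaultdict(deque)   # user -> timestamps of recent push_sent events
    alerts = []
    for rec in map(parse, lines):
        if rec is None:
            continue
        ts, user, event, ip = rec
        q = sent[user]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if event == "push_sent":
            q.append(ts)
        elif event == "push_approved":
            if len(q) >= threshold:
                alerts.append({"user": user, "prompts": len(q), "approved_at": ts, "ip": ip})
            q.clear()                      # an approval closes the burst either way
    return alerts


if __name__ == "__main__":
    for a in detect_prompt_bombing(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a['user']}: approved after {a['prompts']} prompts at {a['approved_at']} from {a['ip']}")
```

A lower-severity companion rule would fire on the burst of `push_sent` events alone, before any approval, since that is the moment the help desk can still reach the user and reset the password.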
Source: https://xsec.fr/posts/cybersecurity/multifactor-authentification/
Author: Xsec
License: CC BY-NC-SA 4.0