Status: Final
Multi-Factor Authentication (MFA) is the primary defense against credential theft. But not all MFA is equal — phishing resistance, deployment complexity, and user experience vary enormously across technologies. This page is the reference for understanding, evaluating, and attacking MFA in enterprise environments.
The Core Problem MFA Solves
A stolen password is sufficient for authentication without MFA. With MFA, an attacker needs both the password and the second factor. The strength of MFA depends entirely on whether the second factor can be:
- Intercepted in transit (phished via real-time proxy)
- Socially engineered (MFA fatigue, pretexting)
- Technically bypassed (session token theft post-authentication)
- Stolen in bulk (data breach, infostealer)
MFA Factor Categories
| Category | Mechanism | Examples |
|---|---|---|
| Something you know | Password, PIN, security question | Not MFA on its own |
| Something you have | Phone, hardware key, smart card | TOTP app, YubiKey, PIV card |
| Something you are | Biometric | Fingerprint, Face ID, iris |
| Context | Device posture, location, behavior | Part of risk-based auth, not true MFA alone |
True MFA requires factors from two different categories; two factors from the same category (for example, a password plus a PIN) do not qualify.
Factor-by-Factor Analysis
TOTP (Time-based One-Time Password) — RFC 6238
| Property | Value |
|---|---|
| Standard | RFC 6238 (TOTP), based on RFC 4226 (HOTP) |
| Code | 6-digit, rotates every 30 seconds |
| Seed | Shared secret between authenticator app and server |
| Apps | Google Authenticator, Authy, Microsoft Authenticator, 1Password |
| Phishing-resistant | No — real-time AiTM proxy can relay the code before it expires |
| Offline-capable | Yes — works without internet |
TOTP is better than SMS but bypassable with AiTM toolkits (Evilginx2, Modlishka, Muraena).
HOTP (HMAC-based One-Time Password) — RFC 4226
| Property | Value |
|---|---|
| Standard | RFC 4226 |
| Code | 6-8 digit, counter-based (increments per use) |
| Sync | Lookahead window required (codes can drift) |
| Hardware | YubiKey OTP mode, RSA SecurID hardware tokens |
| Phishing-resistant | No — same interception risk as TOTP |
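A compact implementation of both algorithms, added here as an illustration and not taken from the page's author or any vendor: RFC 4226 HOTP, RFC 6238 TOTP layered on top of it, and the server-side verifiers with the lookahead window mentioned above and a replay guard. The secret and the expected codes are the shared RFC test vectors; the 6-digit, 30-second defaults match the tables.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
)

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to 31 bits, then reduction modulo 10^digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// totp implements RFC 6238: the HOTP counter is the number of `step`-second
// intervals since the Unix epoch, so every party holding the seed and a clock
// derives the same code for the current interval.
func totp(secret []byte, unixTime, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// hotpVerifier is the server side of HOTP. The token increments on every press
// whether or not the code reaches the server, so the verifier searches a small
// lookahead window and then moves its counter past the match; a code can never
// be accepted twice.
type hotpVerifier struct {
	secret    []byte
	counter   uint64
	lookahead uint64
}

func (v *hotpVerifier) verify(code string) bool {
	for i := uint64(0); i <= v.lookahead; i++ {
		if hmac.Equal([]byte(hotp(v.secret, v.counter+i, 6)), []byte(code)) {
			v.counter += i + 1
			return true
		}
	}
	return false
}

// totpVerifier accepts the current interval plus one either side for clock skew,
// and remembers the newest interval already consumed so that a code captured and
// replayed inside its 30-second validity is rejected.
type totpVerifier struct {
	secret   []byte
	lastStep int64
}

func (v *totpVerifier) verify(code string, now int64) bool {
	cur := now / 30
	for _, t := range []int64{cur - 1, cur, cur + 1} {
		if t <= v.lastStep {
			continue
		}
		if hmac.Equal([]byte(hotp(v.secret, uint64(t), 6)), []byte(code)) {
			v.lastStep = t
			return true
		}
	}
	return false
}

func main() {
	// Shared RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
	secret := []byte("12345678901234567890")
	fmt.Println("HOTP counter 0:", hotp(secret, 0, 6))     // 755224 per RFC 4226
	fmt.Println("TOTP at t=59:  ", totp(secret, 59, 30, 8)) // 94287082 per RFC 6238
	v := &totpVerifier{secret: secret}
	code := totp(secret, 1111111109, 30, 6)
	fmt.Println("first use:", v.verify(code, 1111111109), "replay:", v.verify(code, 1111111129))
}
```

The replay guard is worth reading against the AiTM column in the summary table further down: a code relayed by a proxy inside its interval is accepted because it is genuinely the current code, not a replay, which is exactly why neither OTP algorithm is phishing-resistant. The guard only stops re-use after the legitimate submission has been consumed.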
Push MFA
| Property | Value |
|---|---|
| How | App notification → user taps Approve/Deny |
| Apps | Duo Push, Microsoft Authenticator push, Okta Verify push |
| Phishing-resistant | No — MFA fatigue, accidental approval |
| Number matching | Significantly raises the bar — user must enter a code shown during auth |
| Location context | Shows location in push — user can verify |
Push MFA without number matching is the primary target of MFA fatigue attacks.
SMS OTP
| Property | Value |
|---|---|
| How | One-time code sent via SMS |
| Phishing-resistant | No — SIM swap, SS7 interception, AiTM relay |
| Regulated environments | NIST SP 800-63B designates SMS (out-of-band via the PSTN) as a "restricted" authenticator |
| Still widely used | Highest legacy deployment base |
SMS OTP is the weakest MFA factor in use. SIM swap fraud is a real, documented attack vector.
Email OTP
| Property | Value |
|---|---|
| How | One-time code or magic link sent to email |
| Phishing-resistant | No — email account compromise breaks this factor |
| Weakness | Factor reduces to email account security |
Smart Card / PIV
| Property | Value |
|---|---|
| Standard | FIDO2 for hardware binding; PIV (NIST SP 800-73) for government |
| Credential | X.509 certificate + private key on card |
| Authentication | Card signs challenge; private key never leaves card |
| Phishing-resistant | Yes — the challenge-response itself is origin-agnostic, but the private key never leaves the hardware, so a phishing site captures nothing it can reuse |
| Deployment complexity | High — PKI, card readers, certificate issuance |
| Government use | US federal standard (CAC, PIV) |
FIDO2 / WebAuthn / Security Keys
| Property | Value |
|---|---|
| Standard | FIDO2 (WebAuthn + CTAP2) |
| Phishing-resistant | Yes — origin binding prevents relay |
| Credential | Asymmetric key pair; private key on hardware or platform |
| Hardware keys | YubiKey, Google Titan Key, Feitian |
| Platform | Windows Hello, Touch ID, Android biometric |
| Enterprise deployment | Entra ID, Okta, Duo all support FIDO2 |
The gold standard for phishing resistance. See FIDO2 / WebAuthn for full detail.
Passkeys
Synced FIDO2 credentials. Same phishing resistance as hardware FIDO2, but credential syncs across devices via iCloud/Google/Microsoft. See Passkeys.
Biometrics
| Property | Value |
|---|---|
| How | Fingerprint, face, iris scan |
| Used as | Unlock a platform authenticator (not sent to server) |
| Phishing-resistant | Depends on what it unlocks — usually FIDO2 key (phishing-resistant) or device login |
| Weaknesses | Spoofing, enrollment capture, liveness bypass, legal compellability |
Biometrics authenticate the user to the device; the device then performs the actual cryptographic authentication.
Phishing Resistance Summary
| Factor | Real-time AiTM bypass | MFA fatigue | SIM swap | Key theft |
|---|---|---|---|---|
| SMS OTP | Yes | N/A | Yes | N/A |
| Email OTP | Yes | N/A | N/A | Yes (email compromise) |
| TOTP | Yes | N/A | N/A | Seed theft |
| HOTP | Yes | N/A | N/A | Seed theft |
| Push MFA (no number match) | Yes | Yes | N/A | N/A |
| Push MFA (with number match) | Hard | Hard | N/A | N/A |
| Smart card / PIV | No | N/A | N/A | Card theft + PIN |
| FIDO2 hardware key | No | No | N/A | Physical key theft |
| Passkeys | No | No | N/A | Cloud sync account compromise |
MFA Vendors
| Vendor | Primary Products |
|---|---|
| Microsoft | Microsoft Authenticator, Windows Hello for Business, Entra ID MFA |
| Duo Security (Cisco) | Duo Push, Duo hardware tokens, FIDO2 support, RADIUS/AD integration |
| Yubico | YubiKey (FIDO2, PIV, TOTP, HOTP, OTP modes) |
| Google | Google Authenticator, Titan Security Key, Workspace MFA |
| RSA Security | RSA SecurID (TOTP hardware token, authenticator app) |
| Okta | Okta Verify (push + TOTP), FIDO2 support, FastPass (passwordless) |
| Authy (Twilio) | TOTP app with cloud backup |
MFA in Entra ID (Microsoft)
Conditional Access policies in Entra ID can require a specific authentication strength per scenario (user, application, device state, risk). The Authentication Strengths feature is what lets a policy require phishing-resistant MFA specifically rather than "any MFA":
| Authentication Strength | Methods |
|---|---|
| Multifactor authentication | Password + any MFA (including SMS, push) |
| Passwordless MFA | Passwordless phone sign-in, FIDO2, Windows Hello |
| Phishing-resistant MFA | FIDO2 keys, Windows Hello for Business, certificate-based auth |
Detection Signals for MFA Events
| Signal | Detection Value |
|---|---|
| Failed MFA challenge (repeated) | Password spray or MFA fatigue attempt |
| MFA method change (FIDO2 → SMS) | Security downgrade — verify with user |
| New MFA device registration | Could be attacker registering backdoor factor |
| MFA bypass via legacy auth | Legacy protocol used to skip MFA |
| Risk-based MFA triggered for high-value user | User session may be compromised |
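The table above lists signals; the following added example (my own illustration, not a vendor rule set) turns four of them into detection logic run over constructed JSON-lines audit events. The event schema, the user names, the timestamps, the 5-prompts-in-10-minutes fatigue threshold, the factor-strength ranking and the list of legacy protocols are all assumptions chosen for the demonstration; map a real identity provider's sign-in and audit log fields onto the `signinEvent` struct before using it.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// signinEvent is a simplified, constructed audit record. Real providers (Entra ID,
// Okta, Duo) emit richer schemas; normalise them into this shape first.
type signinEvent struct {
	Time     time.Time `json:"time"`
	User     string    `json:"user"`
	Kind     string    `json:"kind"` // mfa_denied | mfa_failed | method_changed | device_registered | signin
	Method   string    `json:"method,omitempty"`
	Old      string    `json:"old,omitempty"`
	New      string    `json:"new,omitempty"`
	Protocol string    `json:"protocol,omitempty"`
	MFA      bool      `json:"mfa"`
}

// strength ranks factors by phishing resistance, following the summary table above.
var strength = map[string]int{
	"fido2": 4, "certificate": 4, "whfb": 4,
	"push_number_match": 3, "push": 2, "totp": 2, "hotp": 2,
	"sms": 1, "email": 1,
}

// legacyProtocols cannot carry an MFA challenge, so a successful sign-in over one
// of them without MFA is a bypass, not a normal login (list is an assumption).
var legacyProtocols = map[string]bool{
	"IMAP4": true, "POP3": true, "SMTP AUTH": true, "Exchange ActiveSync": true,
}

const (
	fatigueWindow    = 10 * time.Minute
	fatigueThreshold = 5
)

// analyze reads JSON-lines events (assumed to be in time order) and returns alerts.
func analyze(log string) ([]string, error) {
	var alerts []string
	failures := map[string][]time.Time{} // per-user recent failed/denied challenges
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev signinEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad record %q: %w", line, err)
		}
		switch ev.Kind {
		case "mfa_failed", "mfa_denied":
			// Sliding window: keep only failures inside fatigueWindow, fire once at the threshold.
			recent := failures[ev.User][:0]
			for _, t := range failures[ev.User] {
				if ev.Time.Sub(t) <= fatigueWindow {
					recent = append(recent, t)
				}
			}
			recent = append(recent, ev.Time)
			failures[ev.User] = recent
			if len(recent) == fatigueThreshold {
				alerts = append(alerts, fmt.Sprintf("FATIGUE %s: %d failed/denied MFA prompts within %s", ev.User, len(recent), fatigueWindow))
			}
		case "method_changed":
			if strength[ev.New] < strength[ev.Old] {
				alerts = append(alerts, fmt.Sprintf("DOWNGRADE %s: %s -> %s, verify with user", ev.User, ev.Old, ev.New))
			}
		case "device_registered":
			alerts = append(alerts, fmt.Sprintf("NEW_FACTOR %s: registered %s, confirm out of band", ev.User, ev.Method))
		case "signin":
			if legacyProtocols[ev.Protocol] && !ev.MFA {
				alerts = append(alerts, fmt.Sprintf("LEGACY_BYPASS %s: %s sign-in without MFA", ev.User, ev.Protocol))
			}
		}
	}
	return alerts, sc.Err()
}

// sampleLog is constructed test data: a push-fatigue burst followed by a weak factor
// registration, a factor downgrade, a legacy-protocol sign-in, and benign noise.
const sampleLog = `
{"time":"2024-05-01T02:00:00Z","user":"alice","kind":"mfa_denied","method":"push"}
{"time":"2024-05-01T02:00:40Z","user":"alice","kind":"mfa_denied","method":"push"}
{"time":"2024-05-01T02:01:20Z","user":"alice","kind":"mfa_denied","method":"push"}
{"time":"2024-05-01T02:02:05Z","user":"alice","kind":"mfa_denied","method":"push"}
{"time":"2024-05-01T02:02:50Z","user":"alice","kind":"mfa_denied","method":"push"}
{"time":"2024-05-01T02:03:30Z","user":"alice","kind":"mfa_denied","method":"push"}
{"time":"2024-05-01T02:20:00Z","user":"alice","kind":"device_registered","method":"sms"}
{"time":"2024-05-01T03:10:00Z","user":"bob","kind":"method_changed","old":"fido2","new":"sms"}
{"time":"2024-05-01T04:00:00Z","user":"carol","kind":"signin","protocol":"IMAP4","mfa":false}
{"time":"2024-05-01T05:00:00Z","user":"dave","kind":"mfa_failed","method":"totp"}
{"time":"2024-05-01T05:00:45Z","user":"dave","kind":"mfa_failed","method":"totp"}
{"time":"2024-05-01T05:01:30Z","user":"dave","kind":"signin","protocol":"Browser","mfa":true}
`

func main() {
	alerts, err := analyze(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Println(a)
	}
}
```

Two of the signals deserve correlation rather than stand-alone alerts: a new-factor registration that follows a fatigue burst or a risky sign-in for the same user within an hour is far more suspicious than either event alone, and the threshold of five denied prompts is a starting point that legitimate users with flaky connectivity will occasionally hit.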
Cross-Links