Multi-Factor Authentication (MFA) protects accounts by requiring a second factor in addition to a password, such as an SMS code or a confirmation in an app. MFA bypass refers to the techniques attackers use to circumvent this protection. Even with MFA enabled, an account can be compromised if the MFA method itself or the user's behaviour has weaknesses. Common bypass techniques:
Push bombing: The attacker already has the username and password and automatically sends dozens of MFA push requests. The victim eventually approves one by accident or out of exhaustion.
SIM swapping: The attacker convinces the mobile provider to transfer the victim's phone number to a SIM card the attacker controls, and thus receives all SMS codes.
Real-time phishing: A fake website forwards login credentials and MFA codes in real time. Tools like Evilginx automate this process entirely.
Session cookie theft: After a successful MFA login, malware steals the browser's session cookie. With this token the attacker can skip the MFA challenge entirely.
Fake support call: The attacker calls the victim, poses as IT support and asks them to share the MFA code they have just received, «for verification purposes».
SS7 interception: Vulnerabilities in the outdated SS7 telephone protocol allow SMS messages to be intercepted, without any access to the victim's device.
Not all MFA methods offer the same level of protection. From least to most secure:
Insecure: SMS codes – vulnerable to SIM swapping and SS7 attacks.
Medium: Authenticator apps (TOTP) – more secure than SMS, but still vulnerable to real-time phishing.
Secure: Hardware security keys (FIDO2/WebAuthn like YubiKey) – phishing-resistant, as the key is bound to the specific domain.
Secure: Passkeys – also phishing-resistant and password-free – the future of authentication.
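As an added example (not code from the original page), the following Python sketch shows the domain-binding checks behind the statement that a FIDO2 key is bound to a specific domain: the relying party rejects an assertion whose origin or rpIdHash does not match its own domain, which is what defeats the real-time phishing relays described above. The relying party bank.example, the look-alike domain bank-login.example and the simplified authenticator are constructed assumptions; signature verification is deliberately omitted to keep the focus on the binding checks.

```python
import hashlib
import json
import secrets

# Constructed values for this example; not from any real deployment.
RP_ID = "bank.example"
ALLOWED_ORIGINS = {"https://bank.example"}


def new_challenge() -> str:
    """Relying party issues a fresh, unpredictable challenge per login attempt."""
    return secrets.token_urlsafe(32)


def authenticator_sign(rp_id_seen: str, origin_seen: str, challenge: str) -> dict:
    """Simulated browser + authenticator. The browser, not the user or a proxy,
    fills in the origin it is actually on; the authenticator hashes the RP ID
    it was asked to use. (Real flows also sign these bytes; omitted here.)"""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge,
                              "origin": origin_seen}).encode()
    # authenticatorData = sha256(rpId) || flags (0x01 = user present) ...
    auth_data = hashlib.sha256(rp_id_seen.encode()).digest() + b"\x01"
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def verify_assertion(resp: dict, expected_challenge: str) -> tuple:
    """Relying-party side checks that bind the login to our domain and session."""
    cd = json.loads(resp["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed"
    if resp["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not resp["authenticatorData"][32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo() -> tuple:
    """Legitimate login versus a relayed login from a look-alike phishing domain."""
    ch = new_challenge()
    legit = authenticator_sign(RP_ID, "https://bank.example", ch)
    # A relay proxy can forward the real challenge, but the victim's browser is on
    # the attacker's domain, so origin and rpIdHash reflect that domain instead.
    phished = authenticator_sign("bank-login.example", "https://bank-login.example", ch)
    return verify_assertion(legit, ch), verify_assertion(phished, ch)
```

Contrast this with a TOTP code, which carries no information about where it was typed and therefore verifies just as well when relayed by a proxy.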
1. Use hardware keys: Whenever possible, use FIDO2 security keys (e.g. YubiKey). They are immune to phishing and SIM swapping.
2. Question push requests critically: Never approve an MFA request you did not initiate yourself. An unexpected request means someone already has your password.
3. Replace SMS-MFA where possible: Switch to an authenticator app (Google Authenticator, Aegis, etc.) instead of relying on SMS codes.
4. Enable number matching: Many authenticator apps display a number that must match what's shown on the login screen – this makes push bombing significantly harder.
5. Strong, unique password: MFA is a second line of defence, not a substitute for a strong password. Use a password manager so that both factors are strong.