Although multi-factor authentication (MFA) has significantly improved account security, it is not invulnerable. An attacker may bypass the MFA and take over the account through the following vulnerabilities or technical means： --- ### **1. Social engineering attack** -**Phishing attack (MFA phishing)**： -Fake login pages to induce users to enter credentials and MFA codes (such as one-time password/OTP) and forward them to the attacker in real time. -Tools such as **Evilginx2** Can hijack MFA sessions through intermediaries. -**Voice phishing (Vishing)**: Impersonating customer service to trick users into providing MFA verification codes. -**SIM Card Swapping (SIM Swapping)**: Fraudulently obtain the user's mobile phone number through the operator and intercept the SMS/voice verification code. --- ### **2. Technical exploit** -**Session Hijacking (Session Hijacking)**： -Steal valid session cookies or tokens (such as through XSS, man-in-the-middle attacks) to bypass MFA authentication. -Some systems have valid sessions for the growth period after MFA verification, and lack regular re-verification. -**MFA fatigue attack (MFA Spamming)**： -Continuously send MFA push notifications (such as Microsoft Authenticator) to induce users to “approve” by mistake. -**Code leaked or reused**： -The OTP/TOTP code was intercepted by malicious software (such as the Android Trojan** Cerberus**). -Weak TOTP seeds (such as shared keys) or algorithm vulnerabilities (such as time synchronization issues). --- ### **3. Implementation defect** -**MFA bypasses logical vulnerabilities**： -Some systems do not require MFA when the password is reset, or allow bypass through an alternate mailbox/mobile phone. -API interface defect: Some API endpoints may not verify the MFA status (such as ** Twitter 2020 vulnerability**). -**Backup code abuse**： -Weakly generated backup codes (such as predictable sequences) or unlimited usage times. -**Device trust vulnerability**： -Relying too much on the ”Trust device" option, attackers steal the device ID through malicious software. --- ### **4. Physical attack** -**Equipment theft**： -Direct access to authenticated devices (such as phones with unlocked screens) or hardware tokens (such as YubiKey). -**Side channel attack**： -Analyze the residue of hardware token buttons through thermal imaging, or analyze the interaction of U2F devices through sound. --- ### **5. Protocol/design vulnerability** -**SMS/voice verification code defect**： -Text messages may be intercepted by SS7 protocol vulnerabilities or hijacked through VoIP services (such as Google Voice). -**FIDO/U2F dependency issues**： -If it is not implemented correctly, it may be bypassed due to browser vulnerabilities (such as abuse of the WebAuthn API). --- ### **6. Internal threats** -**Customer service hotline**： -The attacker pretended to be a user to reset the MFA through customer service social engineering (such as **Coinbase 2021 event**). -**Abuse of privileges**： -Insiders abuse their authority to directly disable or reset the user's MFA. --- ###**Defense suggestion** 1. **Priority is given to password-free authentication**: such as FIDO2/WebAuthn (anti-phishing hardware key). 2. **Restrict the MFA method**: Disable SMS and use TOTP or push notifications instead (to prevent fatigue attacks). 3. **Behavior analysis**: Detect abnormal logins (geographic location, device fingerprint). 4. **Session management**: Short-term session + dynamic re-verification. 5. **User education**: Be alert to unexpected MFA requests and disable backup code sharing. --- ###**Typical case** -**Uber intrusion in 2022**: The attacker obtained credentials through MFA fatigue attack + social worker. -**Twitter celebrity account takeover in 2020**: Use a loophole in the customer service process to bypass the MFA. The security of MFA is highly dependent on specific implementation and user behavior, and it needs to be combined with defense-in-depth (such as IP restrictions, device certificates) to effectively reduce risks.