Two-Factor Auth Isn't The Shield You Think It Is

You enabled two-factor authentication. That is a good step.

Most security guides miss one thing. In the biggest account thefts of the last three years, attackers did not crack your code. They found ways to make you hand it over, or they made the second step useless.

Here are the three main ways attackers bypass your 2FA:

  1. MFA Fatigue (push bombing): Attackers use your stolen username and password to trigger push notifications. They send dozens of requests overnight. Most people tap "Approve" just to make the noise stop. This gives the attacker a valid session. Uber fell victim to this in 2022.
     • Solution: Enable number matching. You must type a code shown on your screen into your app. This stops blind approvals.
  2. Adversary-in-the-Middle (AiTM): An attacker sets up a fake login page that acts as a proxy to the real site. When you log in, the proxy forwards your details to the real site. The real site sends a 2FA challenge. The proxy relays that challenge to you. You enter your code. The proxy steals your session cookie. The attacker now owns your account.
     • Solution: Use passkeys or hardware security keys. These use cryptography tied to the real website's domain. A proxy on another domain cannot trick them.
  3. SIM Swapping: An attacker calls your mobile carrier. They pretend to be you and move your number to their SIM card. Now every SMS code goes to them.
     • Solution: Stop using SMS for anything important. Use authenticator apps like Google Authenticator or Authy. These generate codes on your device, so a SIM swap cannot intercept them.

Security Method Comparison:

  • SMS OTP: Stops credential stuffing only.
  • Authenticator App: Stops credential stuffing and SIM swaps.
  • Standard Push: Stops credential stuffing and SIM swaps.
  • Push with Number Matching: Stops credential stuffing, push bombing, and SIM swaps.
  • Hardware Key / Passkey: Stops everything.

Phishing-resistant MFA is the goal. Hardware keys and passkeys prove you are at the real website. There is no code to steal.
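As an added example (not code from this post or from any product it names), the Go model below shows why the AiTM proxy from the list above fails against a passkey: the browser writes the origin the user is really on into clientDataJSON, and the site checks that origin and the signature over it, so a login proxied through another domain never verifies. It simplifies WebAuthn (authenticatorData is reduced to the RP ID hash, ports are ignored), and the site bank.example, the proxy domain and the challenge value are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// clientData holds the WebAuthn clientDataJSON fields that matter for origin binding.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// signedData is the simplified WebAuthn signing input: SHA-256(rpIdHash || SHA-256(clientDataJSON)).
func signedData(rpID string, cd []byte) []byte {
	rp, c := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	h := sha256.Sum256(append(rp[:], c[:]...))
	return h[:]
}
// Sign models the browser plus a passkey whose key is scoped to rpID. The browser writes the origin
// the user is really on into clientDataJSON and refuses unless rpID is that host or a parent of it.
func Sign(key *ecdsa.PrivateKey, rpID, origin, challenge string) (cd, sig []byte, ok bool) {
	host := strings.TrimPrefix(origin, "https://") // port handling omitted in this model
	if host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, nil, false // a proxy on another domain never obtains a signature
	}
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedData(rpID, cd))
	return cd, sig, err == nil
}
// Verify is the relying party's check: challenge and origin must match, and the signature must cover them.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, cd, sig []byte) bool {
	var c clientData
	if json.Unmarshal(cd, &c) != nil || c.Challenge != challenge || c.Origin != origin {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedData(rpID, cd), sig)
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // passkey registered for bank.example (constructed)
	cd, sig, ok := Sign(key, "bank.example", "https://bank.example", "c0ffee")
	fmt.Println("real site verifies:", ok && Verify(&key.PublicKey, "bank.example", "https://bank.example", "c0ffee", cd, sig))
	_, _, ok = Sign(key, "bank.example", "https://bank-login.example", "c0ffee") // AiTM proxy domain (constructed)
	fmt.Println("proxy domain signed:", ok)
}
```

The same origin check is why the relying party must compare clientDataJSON against its own expected origin rather than trusting whatever the response claims.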

Take these steps to secure your accounts:

  • This week: Remove SMS 2FA from financial accounts. Switch to an authenticator app.
  • This month: Enable number matching on your push apps.
  • When ready: Buy a hardware key for your email and password manager.

Do not use 2019 security for 2025 threats.

Full breakdown with real breach examples: https://lucas8.com/mfa-fatigue-attack-two-factor-bypass