What Are the Risks of Multifactor Authentication?

Quick Answer

Multifactor authentication is still a secure method for protecting your account, but it’s not without risks. It’s wise to educate yourself about SIM swapping, man-in-the-middle attacks and other fraudulent activity and take steps to protect your personal information.


Some things never change. For as long as private information has been stored on servers, hackers and security professionals have been playing a cat-and-mouse game over who has access to it.

You may not have heard of the term "multifactor authentication" (MFA), but you've surely used it when logging in to your accounts. This multi-step authentication process requires you to provide two or more pieces of information to verify your account, such as your password and a code that gets texted to you. MFA is considerably more secure than merely providing your password, which could be guessed or obtained through other means.

Still, hackers and scammers have methods to get around this extra layer of security. While MFA makes it harder for your personal information to be accessed without your permission, it's important to be aware of the remaining risks, including those listed below.

Social Engineering

Social engineering is a tactic hackers and fraudsters use to trick victims into divulging personal information, granting account access or transferring money. Attackers can use several methods to obtain information and build a profile about you. For example, you might overshare on social media and end up publicly divulging your mother's maiden name, the street you grew up on or the name of your high school. As you're likely aware, those are common security questions some websites use to verify your identity during login or account recovery.

Phishing is another popular type of social engineering where a scammer poses as a trusted person or organization in an email to gain access to your login or even steal your identity. Similarly, fraudsters also use phone calls (vishing) and text messages (smishing) to deceive you into giving up your personal details.

The U.S. Department of Homeland Security recommends several security measures to protect yourself from social engineering attacks, including the following:

  • Don't give your personal information to anyone over email or phone.
  • Be wary of website URLs with spelling deviations or that use .net, .co or other domain extensions besides .com, .org or .gov.
  • Don't reply to emails or click links contained in them; contact the company directly instead.

SIM Swapping Scam

A SIM (subscriber identity module) is a small card in most cellphones containing an electronic chip that identifies you to the cellular network and connects your phone to it. If an attacker controls your SIM, they can receive the verification calls and texts sent to your number. They can then impersonate you and gain access to your accounts.

Through SIM swapping, scammers can do exactly that by porting your phone number to a SIM card they control. Often, they can use personal information obtained through a data breach or social engineering to persuade a representative from your mobile carrier to facilitate the transfer. SIM swapping allows criminals to gain control of your phone to intercept verification codes and access your accounts.

One of the best ways to protect yourself from SIM swapping is to set up a security measure with your phone provider that must be fulfilled before they can port a phone number. For example, AT&T allows you to set up a PIN that must be entered to port your number. Similarly, T-Mobile offers account takeover protection that doesn't allow number transfers to anyone not on your authorized list.

Man-in-the-Middle (MITM) Attacks

A man-in-the-middle attack is when an attacker secretly hijacks a conversation or data transfer by inserting themselves, undetected, between the two parties. The cybercriminal impersonates each side to the other, allowing them to intercept private data such as your login information.

One common MITM method hackers use is "packet sniffer" software, which allows them to monitor data transfers between computers on a network and find insecure communications. If your connection isn't secure, a hacker could hijack your session, snatch your username and password when you log in to a site, and then redirect you to a fake site that looks identical to the actual one. This fake site could then capture the data you enter, including your authentication information. In an instant, the attacker could use your private information to access the real site and gain access to your account.

Limit your exposure to MITM attacks by protecting your Wi-Fi connection and home router with a strong password and using a virtual private network (VPN). Remember, a VPN encrypts your online activity between your device and the VPN server, making it very hard for eavesdroppers on the network to read it. Additionally, you can better protect your computer from malicious programs and viruses by using strong antivirus software.

Biometric Vulnerabilities

Biometrics, including fingerprints and facial recognition, are among the most robust forms of authentication because they are accurate and hard to fake. But that doesn't mean they are foolproof, as it's possible for hackers to copy your unique physical traits.

For example, criminals can place a skimmer device on an ATM or another machine that scans fingerprints. The skimmer captures your print from the scan, and the criminal then creates a fake fingerprint to access the machine or other accounts that require your fingerprint. Keep in mind, forgeries don't have to be 100% accurate, as most scanners permit some variation to account for cuts, sweaty fingers or other slight changes to your fingerprint.

Security professionals suggest using biometrics as a secondary form of authentication after your password, which must be strong. Use at least 12 characters, but the longer, the better. Don't use common words or phrases; include a mix of uppercase letters, lowercase letters, numbers and special characters.

Additional Ways to Protect Yourself From Fraudsters

Multifactor authentication provides a strong defense against those aiming to compromise your accounts. But it still pays to be safe by using additional methods to protect your data:

  • Use a password manager. Password managers make it easy to store all of your passwords in one place. They also create strong passwords according to the requirements of the sites you use and encrypt them. Typically, all you have to do is remember the master password and most password managers will even enter your account information for you.
  • Use FIDO authentication. For your most important accounts, update your authentication method to a Fast Identity Online (FIDO) method if it's available. FIDO is a form of multifactor authentication that allows passwordless logins. You'll register your computer or device using secure passkeys that resist phishing techniques. FIDO authentication is a good option if you're looking for a non-SMS authentication method.
  • Don't give out personal information online. Criminals using social engineering and other tactics can use your personal data to access your accounts, change your account settings or even open a new loan in your name. Guard your personal information like a fortress to minimize your vulnerability to attacks and identity theft.
  • Beware of MFA fatigue attacks. Fraudsters can often buy your personal data, including your passwords, on the dark web. Armed with your password, attackers may bombard you with push MFA authentication requests. The goal is to get you to accept one of the notifications so they can gain access to the account. These attacks often lead to malware being installed that locks up your data while the fraudster demands a ransom payment.
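To show why the passkeys mentioned above resist phishing, here is an added example (not code from this article or from any FIDO library) that simulates the relying-party checks a website performs on a passkey login. The browser, not the user, writes the page's origin into the signed client data, so an assertion produced on a lookalike site fails the origin check, and a captured assertion fails the challenge check when replayed. The site names, challenge handling and field layout are assumptions, and an HMAC with a shared secret stands in for the real per-site public-key signature so the example runs with the standard library alone.

```python
"""Toy relying-party (RP) verification showing why passkeys resist phishing.

Constructed simulation: a real authenticator signs with a per-site private key
and the RP verifies with the registered public key. Here an HMAC with a shared
secret stands in for that signature (assumption) so this runs offline.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "bank.example"                         # constructed relying-party id
EXPECTED_ORIGIN = "https://bank.example"       # origin the RP will accept
PHISHING_ORIGIN = "https://bank-example.co"    # constructed lookalike site

# Stand-in for the credential key pair (assumption: HMAC instead of ECDSA).
CREDENTIAL_SECRET = secrets.token_bytes(32)


def authenticator_sign(challenge: str, origin: str) -> dict:
    """Simulate the browser plus authenticator producing an assertion.

    The browser fills in the origin it is really on; a phishing page cannot
    change it, because the signature covers the hash of this client data.
    (A real browser would also refuse to use a bank.example credential on a
    non-matching origin; the RP-side check below is the defence in depth.)
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest()   # rpIdHash field
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify(assertion: dict, pending_challenge: str) -> tuple[bool, str]:
    """Relying-party checks, in the order a real RP performs them."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), pending_challenge):
        return False, "challenge mismatch (replay or stale assertion)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "bad signature"
    return True, "ok"


def run_demo() -> dict:
    """Genuine login succeeds; a phished assertion and a replay both fail."""
    results = {}
    challenge = secrets.token_urlsafe(32)
    genuine = authenticator_sign(challenge, EXPECTED_ORIGIN)
    results["genuine"] = rp_verify(genuine, challenge)

    # Proxy phishing: the attacker relays the real challenge to a victim who
    # is on the lookalike origin. The origin baked into client data gives it away.
    phished = authenticator_sign(challenge, PHISHING_ORIGIN)
    results["phished"] = rp_verify(phished, challenge)

    # Replay: a previously captured genuine assertion against a new challenge.
    results["replay"] = rp_verify(genuine, secrets.token_urlsafe(32))
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{name:8s} -> {'accepted' if ok else 'rejected'}: {why}")
```

Contrast this with an SMS or authenticator-app code, which carries no origin at all: the victim can type it into any site, and the attacker forwards it to the real one.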

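On the defender's side, an MFA fatigue attack like the one described in the list above is visible in the identity provider's logs as a burst of push prompts for one user, usually with several denials before an approval. The following added example (not code from this article or from any vendor) flags that pattern; the log lines are constructed, and the field layout, window and threshold are assumptions to adapt to your own logs.

```python
"""Flag MFA push-bombing (fatigue) from constructed identity-provider logs.

Added example; the log format "timestamp user event source_ip" and the
thresholds are assumptions, not any product's real schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: alice is bombarded and eventually taps approve;
# bob is a normal single-prompt login.
SAMPLE_LOG = """\
2024-05-01T02:14:01Z alice push_sent 203.0.113.9
2024-05-01T02:14:03Z alice push_denied 203.0.113.9
2024-05-01T02:14:20Z alice push_sent 203.0.113.9
2024-05-01T02:14:25Z alice push_denied 203.0.113.9
2024-05-01T02:14:40Z alice push_sent 203.0.113.9
2024-05-01T02:14:41Z alice push_sent 203.0.113.9
2024-05-01T02:15:02Z alice push_sent 203.0.113.9
2024-05-01T02:15:30Z alice push_approved 203.0.113.9
2024-05-01T09:00:00Z bob push_sent 198.51.100.7
2024-05-01T09:00:06Z bob push_approved 198.51.100.7
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window
MAX_PROMPTS = 3                 # assumed: more prompts than this per window is suspicious


def parse(line: str):
    """Split one constructed log line into (timestamp, user, event, ip)."""
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def detect_push_bombing(log_text: str, window=WINDOW, max_prompts=MAX_PROMPTS) -> dict:
    """Return {user: finding} for users whose push-prompt rate exceeds the threshold.

    Each finding records prompts seen in the window, denials so far, the
    source IP, and whether an approval followed the burst. That last flag is
    what a responder cares about most: it means the attacker likely got in
    and the session should be revoked and the password reset.
    """
    recent = defaultdict(deque)   # user -> timestamps of push_sent inside the window
    denials = defaultdict(int)
    findings = {}
    for line in log_text.strip().splitlines():
        ts, user, event, ip = parse(line)
        if event == "push_denied":
            denials[user] += 1
        elif event == "push_sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:    # drop prompts older than the window
                q.popleft()
            if len(q) > max_prompts:
                f = findings.setdefault(user, {
                    "prompts": 0, "denials": 0, "approved_after_burst": False, "ip": ip,
                })
                f["prompts"] = len(q)
                f["denials"] = denials[user]
        elif event == "push_approved" and user in findings:
            findings[user]["approved_after_burst"] = True
    return findings


if __name__ == "__main__":
    for user, f in detect_push_bombing(SAMPLE_LOG).items():
        print(f"{user}: {f['prompts']} prompts, {f['denials']} denials from {f['ip']}, "
              f"approved after burst: {f['approved_after_burst']}")
```

Running it flags only alice. In practice the same logic is what drives an alert to the security team, and a user who sees prompts they did not start should deny them and report it rather than approve one to make them stop.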
The Bottom Line

Multifactor authentication is an effective way to protect your accounts from hackers and fraudsters. However, you should still take precautions to mitigate multifactor authentication risks. While you're taking steps to secure your accounts, consider performing a free privacy scan to discover how much of your information is already online and learn how to better control your data.