Multi-Factor Authentication: Does it really work?

Multi-Factor Authentication: Does it really work?

Over the last couple of years, we have all held strong, the belief that Multi-factor Authentication (MFA) is the ultimate cybersecurity tool. We believed—and some of us still do—that it was the gold mine of cybersecurity best practices.

But were we wrong to do so?

Multi-Factor Authentication

In 2019, Microsoft released a report that explained how assets are 99.9% safer when the host website, app, or company uses MFA.

Also, Google, published a research in 2019 which states that using 2FA can “block 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks”.

These studies and more are among the many reasons why companies have religiously devoted to Multi-Factor Authentication taking it as the number one source of protection from cyberattacks.

However, these companies’ faith is being tested. Google, in a recent blog post, shared that 50% of devices from the 150 million which used MFA are protected from cyberattacks. This also means that 50% are exposed. Hence, the gospel of optimal cybersecurity from MFA is slowly being debunked.


Here are the top three ways attackers are bypassing MFA:

  • SMS Interception: Companies that primarily use 2SV which requires the user to receive a text message are most prone to attack. This is because the attacker can—and will—easily intercept the user’s messages and just like that, they’re in.
  • Changing IP configuration: Attackers can remove or temporarily disable the authentication option from a company’s site by altering the usual IP configurations. This gives the attacker room to access data without MFA restrictions
  • Using the automated login session: The attacker may gain access to an MFA-protected account by logging in after the actual user has completed the MFA requirements.


Yes. Despite the Google article and reports of attackers bypassing MFA, the White House recently signed an executive order to make MFA mandatory for all government agencies. This was done in an attempt to further protect the nation’s data. So, if the government trusts MFA—you should too.

Nonetheless, here are some extra tips you should follow to improve your cybersecurity even with MFA.

  • Add an extra layer of security; don’t stop at SMS verification
  • Cybersecurity experts should frequently check your website’s security
  • Educate your user on proper password management
  • Stay up-to-date on the latest improvements in the cyber space.


MFA came as a source of protection from brute force, phishing, and other forms of cyber attacks. However, companies are fast realizing that MFA may, after all, not be infallible. Hackers —as expected— have come up with new methods of bypassing the protection it offers. However, by simply following cybersecurity best practices, companies can once again find peace.

Farouk Ahmed
Latest posts by Farouk Ahmed (see all)

About Author


Leave a Reply

Your email address will not be published. Required fields are marked *