Unmasking the hidden risks of multi-factor authentication

When talking about boosting cyber security in an organisation, many leaders will highlight enforcing multi-factor authentication (MFA) as a solid first step. I, too, endorse the merits of using MFA in your business; it greatly reduces the chances of a threat actor gaining access to accounts through brute force, phishing or password reuse, because a stolen or guessed password alone is no longer enough to log in.

However, while I highly recommend mandating MFA in your organisation, the leadership and entire team must understand that potential risks come with this solution. In this blog, I will highlight multi-factor authentication risks and how to mitigate these.

Vulnerabilities in multi-factor authentication

Email-based MFA is only as strong as the mailbox it sends to. If a threat actor compromises the account through a phishing attack, they can read every MFA code delivered to it, and the same mailbox usually receives password-reset links as well. Text-based MFA poses its own challenges. Should a user's phone be stolen or misplaced, an opportunistic actor may read codes from lock-screen notifications, and an attacker who convinces the mobile carrier to move the number to a new SIM (a SIM swap) receives the codes without ever touching the device.

Threat actors may also use social engineering to compromise MFA. While some threat actors will attack the system itself, others simply deceive users into handing over the code by posing as a trusted entity, be it a bank representative, an IT support person or another trusted figure. The user does the hard part for them: the attacker triggers a login with the stolen password, and the victim reads out the code that arrives.

What are the strongest methods of multi-factor authentication?

Authenticator apps and biometric devices (while not infallible) mitigate the multi-factor authentication risks mentioned above.

Authenticator apps generate short-lived codes on the user's own device. Each code is computed locally from a secret shared with the service at enrolment and the current time (the TOTP scheme described in RFC 6238), so no code is ever sent by email or text for an attacker to read. No "end-to-end encryption" is involved; the protection comes from the fact that only the phone and the server hold the secret. The caveat is that a code typed into a convincing phishing page is still valid for roughly a minute, which is long enough for an attacker relaying it to the real login page, so user training still matters with an app. Only phishing-resistant methods such as FIDO2 security keys or passkeys, which tie the login to the genuine website, close that gap.

Biometrics cover any authentication that verifies a fingerprint or face. Many of us already use them to unlock our phones or laptops, and a growing number of accounts, especially phone apps, offer them as a login factor. On modern devices the match happens on the device itself and unlocks a key stored there; the fingerprint or face template never leaves the hardware, so there is no code to phish and nothing for a thief to read off a screen. The caveat is that a biometric is not a secret and cannot be changed if it is copied, so it should unlock a device-bound credential rather than act as the sole proof of identity. No method is infallible, but a biometric tied to the user's own device raises the bar well above email or text codes.

Best practices to reduce multi-factor authentication risks

The MFA methods enrolled on an account matter as much as the strongest one, because an attacker gets to choose the weakest. Enrol more than one strong method, such as an authenticator app plus a biometric or security key, so that a lost phone does not lock the user out, and remove email and text codes as fallback options wherever the service allows it. A strong primary factor protects nothing if a threat actor can simply press "send me a code by SMS" instead.

However, the best way to ensure MFA's success is to educate your team on the risks and give them the tools to recognise phishing attempts. Regular training sessions and updates about the latest scams and tactics make users an effective first line of defence and make them far less likely to be tricked into typing a code into a fake login page or reading it out to a caller.

While MFA adds a layer of protection to your business, it does not stop every tactic a threat actor has, such as social engineering to obtain codes or breaching the email account the codes are sent to. Encourage your team to use authenticator apps, biometrics or security keys over text and email-based MFA where possible, and remove the weaker methods as fallbacks. It is also best practice to educate your team on recognising the phishing attempts that aim to bypass MFA.

Educate your team on MFA with our Cyber Escape Rooms

We designed our Cyber Escape Rooms to provide teams with the knowledge to recognise social engineering and multi-factor authentication risks. We provide your team with cyber security knowledge by using gamification techniques designed to engage everyone, whether they participate on-site or remotely. Please visit our Cyber Escape Rooms page for more information.
