Is 2FA or MFA still worthy in 2022?

I wrote about passwordless ways to authenticate in this post. These days, relying exclusively on passwords seems risky.

Passwordless authentication is probably the future, but in the meantime, 2FA (two-factor) and MFA (multi-factor) help A LOT. You should enable it whenever you can.

Nothing is bulletproof, though, and we’ll see why in this post.


2FA adds an extra layer of authentication. Users still have to enter the right combination of their username and password. Otherwise, they won’t even access the second step.

This extra step can involve various techniques such as:

  • one-time passcodes by SMS or phone call
  • 2nd password
  • PIN code
  • one-time passcodes with a mobile application (e.g., Google Authenticator)
  • fingerprint
  • iris recognition
  • voice recognition
  • tokens

Why SMS codes are weak

One-time SMS passcodes are probably the weakest technique. Hackers may use classic spoofing or more sophisticated phishing, for example, to install malware and intercept these communications. SMS are plain text messages. Whoever gets it can read it.

SIM Swapping or SIMjacking has also become a popular technique. Hackers use social engineering to impersonate their victims and get another SIM card attached to the targeted phone line. Once it’s done, the hack can be painful for the victim, allowing the attacker to access critical services such as bank accounts, personal emails, and many other services.

One-time passcodes (OTP) can be brute-forced

A more robust approach uses a dedicated application to generate one-time passcodes. You scan a QR code with your mobile device or manually enter some code to link your online account with a mobile app such as Google Authenticator or Lastpass.

Whenever you need to log in to your online account, you have to open the mobile application to get a new series of numbers to validate the extra step during the authentication. This technique relies on a trusted device to hold the authentication factor and increase security.

However, 2FA can be brute-forced if the process does not limit the number of bad attempts. In this very unfortunate case, it’s like hacking a very weak password.

For example, let’s say that you end up with 1,000,000 possible combinations with six digits. Any PC processor can quickly achieve such a task in seconds.

TOTP behind the scene

Behind the scene, the Time-based One-time Password algorithm (TOTP) uses the current time to generate unique Passwords. It does not mean attackers cannot grab those codes if, for example, they manage to steal the secret key used to create TOTP values.

The seed (secret key) is the only thing the user’s device and the server have in common. This static parameter and the current time are combined to generate OTP and validate the authentication.

However, the current time is calculated with UNIX time (the number of seconds that have elapsed since January 1st, 1970, 00:00:00 UTC) divided by a discrepancy of 30 or 60 seconds.

You can use no network connection to synchronize times on the server and the device. Otherwise, it would be prone to more attacks. The problem is that the synchronization window tends to increase over time, so, theoretically, at some point (a couple of years on average), the server and the device will generate different values.

There are now ways to adjust times and resync, but hackers have successfully used this short window to defeat 2FA protection in the past.

Understanding the limits of technology

Technically speaking, fingerprints, voice, and iris recognition are pretty exciting. However, biological signatures are unique by definition, so if someone manages to steal such information, it’s literally game over as it cannot be renewed.

Many websites, including public services, now require and store that precious information, and because massive data breaches happen, this scenario is far from impossible.

Besides, to prevent users from locking themselves out, websites and apps have to provide a fallback, often 1FA (classic username/password combination).

Likewise, not everybody considers dedicated hardware such as USB keys as the best approach. Some even say it’s fundamentally broken as it often carries malware. Indeed, USB is a classic vector used to compromise devices and networks because USB ports are pretty sensitive areas with direct access to the computer.

Any infection can spread from computer to USB and vice versa.

Wrap up

Please don’t get me wrong with this post. While 2FA and MFA can be hacked, and some techniques such as one-time SMS passcodes seem obsolete in 2022, you should enable it whenever you can. You still have an excellent chance to discourage most script kiddies. It’s better than 1FA alone.

Most apps provide 2FA or MFA now but as an optional security feature in advanced settings. IMHO, it should be enabled by default everywhere as a required step during the account setup.

See Also