Every day, hackers attempt to log in to our online accounts by the hundreds.
The extra layer of protection that MFA adds to the sign-in process dramatically reduces the number of successful attacks. While we are relieved that MFA is doing a good job of keeping our online accounts safe, we still need to keep advising our users to be vigilant: check before you click.
Not all MFA factors are created equal; some are stronger than others. Hardware keys such as YubiKey are the most phishing-resistant authentication factors. To begin with, they don’t store any session cookies, and they require the user to press a physical button on the key itself to complete authentication.
There are methods for bypassing MFA, e.g., SMS-based man-in-the-middle attacks (SIM swaps are very easy to do), attacks on soft tokens, and passing the cookie. For example, here is an article about an active phishing campaign [*] that uses TeamViewer and fake support chat to bypass MFA.