Multi-factor authentication is viewed as a secure way to verify a person’s identity before giving them access to a system. But is it really? At ISC2 Security Congress 2025, Niclas Kjellin demonstrated how the weakest link in the security chain, the user, gives savvy threat actors easy access.
One of the perceived challenges with multi-factor authentication (MFA) is that it adds steps to the login process in order to confirm that users are who they claim to be. Many users find these steps tiresome and annoying, breezing through them as quickly as they can, if they bother to finish logging in at all. The very obstacles MFA puts in the way of authenticating are what threat actors exploit to attack the weakest link in the cybersecurity chain: ourselves.
MFA Works…Sometimes
For Breaking the Next Factor: Live Multi-factor Hacking at ISC2 Security Congress in Nashville, speaker Niclas Kjellin, Cybersecurity Specialist and Researcher at Shift Everywhere, began by citing statistics from zippia.com on the effectiveness of MFA. He noted that it stops an impressive 99% of cyberattacks, 96% of phishing attempts, and 76% of targeted attacks.
However, it only works when it’s actually used. Kjellin highlighted statistics showing how frustrated people can be with MFA, to the point of abandoning accounts when forced to set it up, or attempting to bypass it altogether. He recalled hearing about someone who requested a security token be redesigned with a timeout of “forever”, so they’d only have to deal with MFA once.
Even when MFA is set up correctly, human error often allows threat actors to access sensitive data. Additionally, the statistics on MFA’s effectiveness don’t account for attacks targeting MFA itself.
Social Engineering Works Frighteningly Well
In the cybersecurity sense, social engineering means tricking people into giving up sensitive information or granting access to systems. Kjellin provided a striking example of social engineering at work.
One common MFA method is the SMS OTP, in which a one-time password is texted to the user to verify their identity. It would work well if a mobile number were truly reachable only by its owner, but ownership of a number is administered by the carrier and its support staff, not by the user. Kjellin showed a clip in which a threat actor spoofs the victim’s phone number so that the OTP arrives with the attacker, then talks a customer service representative into changing the account password, effectively transferring ownership of the account. It was only a demonstration, but it is easy to imagine the damage in real life.
Often, threat actors prey on fear. Kjellin showed an image of a realistic warning popup indicating that viruses had been found on a computer, offering a choice between two buttons: “Ignore the risks (dangerous)” and “Protect your data.” Clicking on the seemingly obvious choice could actually give threat actors access, install malware or result in other negative consequences.
Then there’s MFA fatigue, where the threat actor, already holding the victim’s password, bombards the user with MFA push requests they didn’t initiate. After a while people just want it to stop, so they accept a request to make the prompts go away. An attack of this type led to the 2022 Uber breach. The person responsible wrote, “(I was spamming employee with push auth for over an hour) I then contacted him on WhatsApp and claimed to be from Uber IT, told him if he wants it to stop he must accept it.”
A Live MFA Attack
For the demonstration, Kjellin chose a fictitious DevOps engineer at “Rock Paper Security” as his victim. “DevOps guys are really good to hack because they have access to everything,” he explained.
From the engineer’s LinkedIn profile he inferred the work email address, using a coworker’s address to work out the naming format. He then ran a man-in-the-middle (adversary-in-the-middle) phishing attack with freely available hacker tools (which he strongly advised against downloading onto company equipment): a realistic-looking warning email, purportedly from Microsoft, pointed to a spoofed Microsoft sign-in page carrying the company’s branding, virtually indistinguishable from the real thing except for the slightly unusual URL. Attacks of this kind work by relaying the victim’s input to the genuine login service, so the MFA challenge is satisfied rather than bypassed, and the attacker captures the password together with the authenticated session the real service issues.
Kjellin then showed previously captured screenshots of how readily the DevOps engineer entered his credentials on the fake site, giving the attacker high-level access to Rock Paper Security.
The scariest part? Bad actors can set up scripts to run these attacks automatically. By the time you realize you’ve been compromised, it’s often already too late.
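The spoofed sign-in page in the demonstration was distinguishable only by its slightly unusual URL, so a check that catches lookalike hosts before anyone types credentials is worth having in front of users and in mail gateways. The following is an added example in Python, not code from the session or from Shift Everywhere. The allowlist, the hypothetical `sso.rockpapersecurity.example` host, the brand tokens, the character-substitution table and the edit-distance threshold are all assumptions, and the URLs in the `__main__` block are constructed for illustration.

```python
# Added example (not from the session): classify a sign-in URL before credentials
# are entered. Allowlist, brand tokens and thresholds are assumptions.
import unicodedata
from urllib.parse import urlsplit

# Assumed: the only hosts where this organisation's users should ever sign in.
TRUSTED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "sso.rockpapersecurity.example",  # hypothetical internal SSO host
}
# Brand names an attacker would imitate in a lookalike host.
BRAND_TOKENS = ("microsoft", "rockpapersecurity")
MAX_EDIT_DISTANCE = 2

# Common character swaps seen in lookalike domains; dashes and underscores are dropped.
SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s", "-": "", "_": ""})


def fold(label):
    """Normalise a host label so micros0ft, rnicrosoft and micro-soft all compare equal to microsoft."""
    ascii_only = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return ascii_only.translate(SUBS).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_login_url(url):
    """Return a verdict (ok / reject / suspicious / unknown) and the reason for it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # urlsplit already lowercases the host
    if parts.scheme != "https" or not host:
        return {"verdict": "reject", "reason": "sign-in page must be https with a host"}
    if host in TRUSTED_LOGIN_HOSTS:
        return {"verdict": "ok", "reason": "allowlisted login host"}
    labels = host.split(".")
    # Internationalised hosts (raw Unicode or xn-- punycode) are the classic homoglyph vector.
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return {"verdict": "suspicious", "reason": "internationalised (IDN/punycode) host"}
    # A brand name anywhere in a non-allowlisted host, exact or within a couple of edits,
    # catches both 'login.microsoftonline.com.evil.net' and 'login.micosoft.com'.
    for label in labels:
        folded = fold(label)
        for brand in BRAND_TOKENS:
            if brand in folded or levenshtein(folded, brand) <= MAX_EDIT_DISTANCE:
                return {"verdict": "suspicious",
                        "reason": f"label '{label}' imitates '{brand}' on a non-allowlisted host"}
    return {"verdict": "unknown", "reason": "host not on the login allowlist"}


if __name__ == "__main__":
    # Constructed URLs for illustration only.
    for u in ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
              "https://login.microsoftonline.com.rps-sso.net/",
              "https://micros0ft-login.com/",
              "https://login.micosoft.com/",
              "https://xn--micrsoft-rkb.com/",
              "https://example.org/",
              "http://login.microsoftonline.com/"):
        print(u, "->", check_login_url(u))
```

The order of the checks matters: an exact allowlist match is the only way to get `ok`, punycode and non-ASCII hosts are flagged before any string comparison is attempted, and the brand test runs on every label so that the real brand buried in a subdomain of an attacker’s registrable domain is still caught. An `unknown` verdict is not a pass; a freshly registered domain that imitates nothing falls through to it, which is exactly the case where the user should stop and verify.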
How to Avoid Being Victimized
“Between you and me, your passwords aren’t very good. Please change them,” Kjellin quipped.
What else can we do to make MFA a more effective tool and reduce instances of social engineering? Kjellin offered this list:
- Use MFA for more than just login authentication; it may be better used to gate the execution of sensitive operations (step-up authentication)
- Supplement MFA with continual system monitoring for signs of MFA fatigue attacks and other types of workarounds
- Educate users on the common types of MFA attacks so they know how to avoid being victimized
- Always use MFA when available
- Don’t get lazy with passwords
- Don’t talk to strange domains; verify those URLs!
- Use password managers
- Close sessions when done; an attacker can only abuse a session while it is open
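The MFA fatigue attack described earlier and the call above to monitor for it point at the same detection: correlate push prompts per user over a short window and watch for the moment the user gives in. The following is an added example in Python, not code from the session. The log line format and field names, the ten-minute window and the two thresholds are assumptions, and the log lines are constructed to show one bombed user next to ordinary activity.

```python
# Added example (not from the session): sliding-window detection of MFA push
# fatigue over an authentication log. Log format, window and thresholds are
# assumptions; adapt them to your identity provider's export.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: one push prompt per line, space-separated key=value fields.
LINE = re.compile(r"ts=(\S+) user=(\S+) event=push result=(\S+) src=(\S+)")

WINDOW = timedelta(minutes=10)   # how far back a burst of prompts is correlated
PROMPT_THRESHOLD = 5             # this many prompts in WINDOW -> prompt bombing
GIVEUP_THRESHOLD = 3             # an approval after this many rejected/expired prompts

# Constructed sample log (not real data): bob is bombed for six minutes and then
# approves; carol denies once and approves an unrelated prompt 45 minutes later.
LOG = """\
ts=2025-10-28T09:00:05Z user=alice event=push result=approved src=203.0.113.10
ts=2025-10-28T09:14:00Z user=bob event=push result=denied src=198.51.100.7
ts=2025-10-28T09:15:30Z user=bob event=push result=timeout src=198.51.100.7
ts=2025-10-28T09:17:10Z user=bob event=push result=denied src=198.51.100.7
ts=2025-10-28T09:18:45Z user=bob event=push result=denied src=198.51.100.7
ts=2025-10-28T09:20:02Z user=bob event=push result=approved src=198.51.100.7
ts=2025-10-28T11:00:00Z user=carol event=push result=denied src=192.0.2.4
ts=2025-10-28T11:45:00Z user=carol event=push result=approved src=192.0.2.4
"""


def parse(log_text):
    """Turn log lines into dicts sorted by timestamp; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "user": m.group(2), "result": m.group(3), "src": m.group(4)})
    events.sort(key=lambda e: e["ts"])
    return events


def detect(log_text, window=WINDOW, prompt_threshold=PROMPT_THRESHOLD,
           giveup_threshold=GIVEUP_THRESHOLD):
    """Return alerts for two signals of an MFA fatigue attack.

    push_bombing: a user received prompt_threshold prompts inside one window
    (alerted once, when the threshold is first crossed).
    approval_after_denials: a prompt was approved after giveup_threshold or more
    prompts in the window were denied or timed out, i.e. the user gave in.
    """
    alerts = []
    recent = defaultdict(deque)  # user -> prompts still inside the sliding window
    for ev in parse(log_text):
        q = recent[ev["user"]]
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()  # drop prompts that have fallen out of the window
        rejected_before = sum(1 for p in q if p["result"] != "approved")
        q.append(ev)
        if len(q) == prompt_threshold:
            alerts.append({"kind": "push_bombing", "user": ev["user"],
                           "ts": ev["ts"], "prompts": len(q)})
        if ev["result"] == "approved" and rejected_before >= giveup_threshold:
            alerts.append({"kind": "approval_after_denials", "user": ev["user"],
                           "ts": ev["ts"], "denied": rejected_before, "src": ev["src"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```

The two signals deserve separate handling. A burst of prompts is evidence that someone already holds the password and is hammering the push factor, which is a reason to reset the password even if nothing was approved. An approval that follows several refusals is the moment the user gave in, and that is the event to respond to (revoke the session, reset the password, contact the user) rather than merely record; on the sample log only bob triggers both, while carol’s later approval falls outside the window and stays quiet.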
Closing Thoughts
This session was a reminder that many will avoid using MFA because of the perceived inconvenience, leaving them vulnerable to being compromised. Human nature—our desire to help others, our fears, our compliance with what seem like official directives—allows threat actors to bypass even the most sophisticated security systems. Through continual vigilance, education and awareness, we can reduce the risks of cyberattacks.