Multi-Factor Authentication (MFA)
MFA adds a second lock to your accounts. Even if someone steals your password, they still cannot get in because they also need something else: a code from your phone, a fingerprint scan, or a physical security key. It is like a bank vault that requires both a combination and a physical key to open. Turning on MFA is the single most impactful thing you can do to protect your accounts.
Multi-Factor Authentication (MFA) requires users to provide two or more independent verification factors from different categories to authenticate. Two-factor authentication (2FA) is a subset requiring exactly two factors.
Authentication factor categories:
| Factor | Category | Examples |
|---|---|---|
| Something you know | Knowledge | Password, PIN, security questions |
| Something you have | Possession | Phone (TOTP app), hardware key (YubiKey), smart card |
| Something you are | Inherence | Fingerprint, face recognition, iris scan |
MFA methods (strongest first):
- FIDO2/WebAuthn hardware keys (YubiKey, Titan): phishing-resistant, cryptographic proof of possession. The strongest MFA method. Cannot be phished because the credential is bound to the origin it was registered on, so a look-alike site receives no usable signature.
- Passkeys: FIDO2 credentials stored on a device or password manager. Phishing-resistant.
- TOTP (Time-based One-Time Password): apps like Google Authenticator, Authy, 1Password generate 6-digit codes that rotate every 30 seconds. Shared secret stored on device.
- Push notifications: approve/deny prompt on a registered device (Duo, Microsoft Authenticator). Vulnerable to “MFA fatigue” attacks (spamming until user approves).
- SMS codes: one-time code sent via text message. Weakest method: vulnerable to SIM swapping, SS7 interception, and social engineering of carrier support. Better than no MFA, but avoid for high-value accounts.
MFA bypass attacks:
- Adversary-in-the-Middle (AiTM): real-time phishing proxy captures both password and MFA token, replaying them to the real service (EvilGinx, Modlishka)
- MFA fatigue/bombing: repeatedly trigger push notifications until the user approves
- SIM swapping: attacker convinces the carrier to transfer the victim’s phone number
- Session hijacking: steal the authenticated session cookie after MFA is completed
FIDO2/WebAuthn is resistant to all of these except session hijacking.
Implementing TOTP MFA

```shell
# Generate a TOTP secret (server-side)
$ python3 -c "import pyotp; print(pyotp.random_base32())"
JBSWY3DPEHPK3PXP

# Generate QR code for authenticator app
$ python3 -c "
import pyotp, qrcode
totp = pyotp.TOTP('JBSWY3DPEHPK3PXP')
uri = totp.provisioning_uri(name='mokey@bytesnation.com', issuer_name='BytesNation')
qrcode.make(uri).save('mfa_qr.png')
print(f'Current code: {totp.now()}')
"

# Verify a TOTP code (server-side)
$ python3 -c "
import pyotp
totp = pyotp.TOTP('JBSWY3DPEHPK3PXP')
print(totp.verify('123456'))  # True if code matches current 30-second window
"
```
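To show what the pyotp calls above do internally, here is an added example (not from the page or from pyotp) that implements RFC 6238 TOTP with only the standard library and adds the replay check a server needs: a code that was accepted once must not be accepted again inside its window. The secret and timestamps in the demo are the RFC 6238 test vectors; the user name `alice` is a constructed placeholder.

```python
"""RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s step) with server-side replay protection."""
import base64
import hashlib
import hmac
import struct
import time


def b32_secret_to_bytes(secret_b32: str) -> bytes:
    """Decode the base32 secret shown in the QR code (pad to a multiple of 8 chars)."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(b32_secret_to_bytes(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at=None, step: int = 30) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    now = time.time() if at is None else at
    return hotp(secret_b32, int(now) // step)


class TotpVerifier:
    """Accept codes within +/- `window` steps of clock drift; never accept the same counter twice."""

    def __init__(self, step: int = 30, window: int = 1):
        self.step, self.window = step, window
        self.last_counter = {}  # user -> highest counter already accepted

    def verify(self, user: str, secret_b32: str, code: str, at=None) -> bool:
        now = time.time() if at is None else at
        current = int(now) // self.step
        for drift in range(-self.window, self.window + 1):
            c = current + drift
            if c <= self.last_counter.get(user, -1):
                continue  # this step (or an older one) was already used: block replay
            if hmac.compare_digest(hotp(secret_b32, c), str(code)):  # constant-time compare
                self.last_counter[user] = c
                return True
        return False


if __name__ == "__main__":
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # RFC 6238 test secret "12345678901234567890"
    print(totp(rfc_secret, at=59))                     # RFC vector: 94287082 -> "287082"
    v = TotpVerifier()
    print(v.verify("alice", rfc_secret, "287082", at=59), v.verify("alice", rfc_secret, "287082", at=59))
```

The second `verify` call in the demo prints `False`: the code is still inside the 30-second window, but it has already been spent.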
```shell
# Set up SSH with TOTP (Google Authenticator PAM module)
# /etc/pam.d/sshd
auth required pam_google_authenticator.so

# /etc/ssh/sshd_config
UsePAM yes                             # required so sshd consults the PAM stack above
ChallengeResponseAuthentication yes    # on OpenSSH 8.7+ the option is KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive   # key first, then the TOTP prompt
```

MFA is the most effective control against credential-based attacks. Microsoft reports that MFA blocks 99.9% of automated attacks. The 2024 Snowflake breaches (affecting Ticketmaster and AT&T) specifically targeted accounts without MFA enabled. Most compliance frameworks (PCI-DSS, SOC 2, HIPAA, NIST 800-63) require MFA for administrative and remote access. Enterprise deployments typically use identity providers (Okta, Azure AD, Google Workspace) with conditional access policies: require MFA for all logins, or only for risky scenarios (new device, unusual location). For personal security, enabling MFA on email, banking, and cloud accounts with a TOTP app or hardware key is the highest-impact step. Password managers (1Password, Bitwarden) now integrate TOTP generation, centralizing both passwords and second factors.