Multifactor Authentication (MFA): Only as strong as the weakest link in the chain

This article discusses multifactor authentication. It explains the different kinds of factors (knowledge, possession, biometrics and inherence) and gives some examples of possible attacks.

Image by gstudioimagen on Freepik

Multifactor authentication (MFA) is a method of increasing the security of online services that uses multiple factors to verify a user’s identity. There are three basic factors used in authentication: knowledge, possession and biometrics.

Knowledge-Based Procedure

The knowledge-based method verifies what the user knows. An example of this type of multi-factor authentication is the use of so-called “Knowledge-Based Authentication” (KBA) questions. Here, the user must answer a series of personal questions during registration, the answers to which only he or she should know. Each time the user logs in, a random question is then asked, which the user must answer correctly in order to authenticate himself or herself. Classic and widespread is the use of passwords or PINs. These methods are widely used by many online services because they are simple to implement and easy for users to understand. The verified factor is the user’s knowledge, which of course must be shared with the service beforehand.

Possession-Based Methods

Another method is the possession-based method, where the user owns a physical object that is used for authentication. This includes, for example, USB keys, smart cards or tokens that generate a so-called one-time password (OTP). The verified factor in this case is the possession of the object, evidenced by the individually calculated OTP. Since the token is physically owned by the user, this provides an additional layer of protection compared to knowledge-based methods, as the attacker would also have to steal the token in order to successfully authenticate.

Biometric Methods

Biometrics refers to physical characteristics of the user that can be technically measured to confirm their identity. Typical examples of biometrics include fingerprints, facial recognition, iris scans and voice recognition. In MFA, biometrics can usually be used as the first factor, as they offer a relatively high level of security and are difficult to forge. However, biometrics can be compromised and falsified, especially if they are stored unencrypted or if they are a static characteristic that cannot be easily changed by the user. Therefore, when biometrics are used as a factor alone, there may well be a higher risk of a successful attack.

Inherence

Inherence refers to features that are usually not static like biometric features, but can be influenced or changed by the user, consciously or unconsciously. An example is the typing behaviour on a computer keyboard, where the pattern of keystrokes on the keyboard is analysed to confirm identity. Another example is the user’s behaviour on the computer or the Internet, such as preferred browsers and devices or regular locations. When inherence is used as a factor in MFA, it is often used as a second or third factor, as inherence is usually less secure than biometrics.

The basic idea of MFA is to combine several of these factors. Very well known is the so-called two-factor authentication (2FA), which combines a knowledge-based and possession-based procedure. Specifically, a password is usually used as the first factor, while an OTP serves as the second factor. Another method, although less common, is three-factor authentication, which combines knowledge-based, possession-based and biometric-based methods. Many MFA methods in online services are implemented according to the aforementioned 2FA variant and use the knowledge-based method as the first factor and resort to the use of passwords, as this is easy to implement and easier for users to use than, for example, individual security questions. This is regularly combined with OTPs sent to the user via SMS. This method is vulnerable to attacks such as SIM-swapping, but it still provides a higher level of protection than password-based authentication alone.

SIM-swapping Attacks

SIM-swapping attacks are a form of social engineering attack in which attackers attempt to gain control of the victim’s mobile phone number by defrauding the victim’s mobile phone provider. The attack is usually carried out by the attacker calling the mobile phone provider and pretending to be the victim. The attacker pretends that they have lost their phone or that their phone has been damaged and they need a new SIM card. The mobile phone provider can then transfer the victim’s phone number to the new SIM card that the attacker already possesses. The prerequisite for this attack is that the attacker knows the password used by the victim. With this, the attacker starts the authentication and then waits for the request to check the second factor, which is to be sent to the victim’s phone via SMS. If the SMS is sent to the victim’s phone number, however, the attacker now receives it on his own phone, since he has control over the victim’s phone number. The attacker enters the OTP and thus gains access to the victim’s user account. SIM-swapping attacks are a growing problem and many mobile operators have started to implement additional security measures to prevent this type of attack. However, it is still important that users of online services are vigilant and take appropriate

OTP Token Phishing

OTP token phishing via SMS is a specific type of attack in which attackers attempt to steal one-time passwords (OTP) from users received via SMS. As with other types of phishing attacks, attackers often use fake login pages or messages to trick users into entering their credentials, including their username and password as well as their OTP. To carry out an OTP token phishing attack via SMS, attackers can install a malicious app on the victim’s smartphone that is capable of reading and forwarding SMS messages. The app can then of course also intercept the OTP messages sent to the user by the online services and send them to the attacker. Alternatively, attackers can send fake SMS messages to the user pretending to be from a legitimate service and prompting them to enter the OTP into a malicious app or fake login page. To protect themselves from OTP token phishing attacks via SMS, users should ensure that they only download and install legitimate apps from trusted sources. They should also be cautious about opening messages from unknown senders or clicking on links in suspicious messages. Additionally, users can use alternative second factors for authentication that are not based on SMS, such as OTP apps or hardware tokens that generate corresponding OTPs. These methods are generally more secure than SMS-based OTPs and offer a slightly higher level of protection against phishing attacks.

SIM-swapping and OTP phishing attacks show that MFA as a concept alone is not enough to secure an account. All factors used must also be permanently protected and checked for security to prevent attacks. If passwords are part of the process used, it is important to choose them securely and uniquely. A unique and secure password provides additional protection against attacks on the authentication factor of the password itself, such as brute force or credential stuffing attacks. Overall, MFA can be a useful tool for improving the security of online services, but it is important that the various factors used in an MFA process are also sufficiently secure.

The title of the image is 'Multi-Factor Authentication'. There is a lock in the middle. At the top left is the 'Knowledge' category with the keywords 'Passwords, Security Questions and One-Time Password'. Below that is the 'Possessions' category, with 'Tokens, Security Keys and One-Time Password'. On the top right, 'Biometrics' is listed, with 'Fingerprint, Voice and Face Recognition'. Finally, on the bottom right is 'Inherence' with the keywords 'Time, Location and Device'.
