Pagoda Blog

The Vulnerabilities of Multi-Factor Authentication and Which Form Is Most Secure

August 18, 2022


Two-factor authentication (2FA) and multi-factor authentication (MFA) are both ways to add a layer of security to your account access. Rather than just relying on a password to log in, MFA requires one or more extra steps. Typically MFA requires a combination of the following: 


- Something you know (password)

- Something you have (authenticator token, smartphone or other device)

- Something you are (facial or fingerprint recognition) 


There are multiple forms of MFA and while the use of any one of them will make your accounts more secure than only using a password, some versions are more secure than others. Let’s review how MFA works, the different forms of MFA, and the vulnerabilities of each. 


‘Something you have’ forms of MFA

You’re probably familiar with some form of ‘something you have’ MFA. This form includes sending a code via email/SMS, an authenticator app, a hardware authenticator, or a push notification. 


Single-use codes via email/SMS

Using email/SMS as part of your MFA method, involves entering a code sent to your email or via text after you enter your password. This is perhaps the most common and familiar form of MFA. It's important to note here that while this form of MFA is arguably the least secure, it's often the preferred option because it's easiest to implement across an entire team. Any form of MFA offers better security than none at all, so if this form works best for your team, then we still recommend it. Now let's review some of the key vulnerabilities of single-use codes sent via email or SMS. 


While this form of MFA does require one extra step to gain access, making it more secure than just a password, our emails aren’t typically the most secure accounts. The primary problem is that people often remain logged into their email accounts. This means that if someone were to gain access to the network, they could easily view all received messages in the email account (or most likely accounts plural) on that network, uncovering the required code. 


A 2019 Google/Harris Poll  also revealed that nearly two-thirds of those surveyed reuse the same password across multiple accounts. This statistic makes using email for MFA highly vulnerable to hackers, especially if you happen to use the same password for email and the account utilizing MFA. When you use a password to login to your email, this also makes the single-use code more of ‘something you know’ than ‘something you have.’ (This is a strong argument for always following the latest password best practices.) You should always use a combination of two different forms of authentication for optimal security. 


SMS or text-based MFA can also be hacked through a practice called SIM swapping. This is where a cybercriminal takes over a phone number, allowing the single-use code to be sent to another phone. 


Lastly, MFA that relies on the use of codes is inherently susceptible to social engineering. Unless your entire team is exceptionally adept at spotting phishing and social engineering attacks, they could unknowingly share the code with an unauthorized party. To mitigate this risk, make sure your entire team receives regular cybersecurity training


Authenticator app 

An authenticator app also uses a single-use code but with this form of MFA, the code is sent to a secure app. The benefit of this method is that the code isn’t transmitted between the server and the client. The downside is that these apps are not immune to malware attacks. It also still requires a code which is susceptible to social engineering.     


Push notification 

A push notification works like this: You type in your password and then a notification is “pushed” to your smartphone. It pops up on your screen, prompting you to accept it in order to authenticate access to the account. This is very convenient but also highly vulnerable to push attacks. Push attacks occur when a cybercriminal already has the username and password to an account. (Unfortunately, gaining access to your username and password may be easier than you think with 15 billion stolen credentials available on the dark web.) They then send multiple push notifications hoping to eventually force the user to click accept  in an effort to make the flood of notifications stop.  


Hardware authenticator or token 

Hardware authentication utilizes a physical token that must be connected to your device to gain access to an account. The tokens often also require the use of a PIN before granting access. This form of MFA is highly secure as it requires a separate device that is far less susceptible to malware than a Wi-Fi-connected device, like your smartphone. The primary downside to this approach is that should you lose the authenticator, regaining access to an account can be a tedious process. 


‘Something you are’ forms of MFA

MFA that utilizes ‘something you are’ to validate your credentials relies on the technology of biometrics. 



Biometrics uses physical characteristics, most commonly your face, fingerprint, retina, or voice to identify an individual. Biometrics has been growing in popularity because it’s both convenient and secure. You can’t forget or lose your face or fingerprint nor can it be stolen like a token or other physical device. The field of biometrics isn’t yet a perfect science, however, and the technology isn’t foolproof. Photos downloaded off the internet can be used to reconstruct a 3D model of your face that is realistic enough to trick facial recognition scanners. Fingerprints can also be cloned, but even with these vulnerabilities, biometrics still proves to be one of the more secure MFA options.


Passwordless authentication: something you are + something you have

Perhaps the most secure approach to MFA is doing away with a password or single-use code altogether. This approach is referred to as passwordless authentication and works by only using a combination of something you are and something you have. Phishing and social engineering attacks rely on tricking the target into revealing something they know, such as a password, single-use code, or a security question. By completely eliminating the need for something you know, you also reduce the risk of these types of attacks.  


Which form of MFA is most secure? 

To recap, using a combination of something you are (biometrics) and something you have (preferably a form of authentication hardware) is the more secure form of MFA. Passwords are too often weak and reused across multiple accounts to be reliably secure and single-use codes are too vulnerable to interception. If you prefer to use these forms of MFA, make sure that you have a strong password policy in place and that all your employees receive regular cybersecurity training. Updating the security on all your accounts to utilize MFA, especially passwordless authentication, can dramatically decrease your risk of a data breach or cyberattack.  


Feature Photo by on Unsplash

Read more posts like this: 

6 Password Best Practices to Implement Right Now

Why Most Successful Businesses Have a Cyber Resiliency Mindset

The 5 Key Components of a Multi-Layered Security Strategy  

Want to get more posts like these once a month in your inbox? Sign up for the Pagoda newsletter and sharpen your technical skills, from cybersecurity to digital marketing



Want IT to serve you better?




About Pagoda Technologies IT services

Based in Santa Cruz, California, Pagoda Technologies provides trusted IT support to businesses and IT departments throughout Silicon Valley, the San Francisco Bay Area and across the globe. To learn how Pagoda Technologies can help your business, email us at to schedule a complimentary IT consultation.

Return to Pagoda Blog Main Page

As your trusted IT service partner, Pagoda Technologies is here to help you achieve your near and long-term business goals through reliable and affordable IT support. 

Pagoda Technologies

101 Cooper Street

Santa Cruz, CA 95060


Contact us for a free IT consultation



Get in touch 

Join our newsletter

Want IT to serve you better? 




Follow Us

Facebook LinkedIn LinkedIn