Why MFA isn’t enough to protect you


For years, security professionals have urged developers to protect their applications with multi-factor authentication (MFA) as an extra layer of defense beyond passwords. Unfortunately, on its own it has proven not to be enough. According to a study conducted by Sift, account takeover fraud grew by 250% in 2020, despite the wider adoption of MFA.

About the author

André Ferraz is the founder and CEO of Incognia.

Fraudsters have quickly learned how to bypass the most popular MFA methods, including one-time passwords (OTPs) and facial recognition. This article looks at the weaknesses of these two methods, which are among the most widely deployed forms of MFA.

The problem with OTPs

The main security issue is that phishing and social engineering, the leading causes of identity fraud, can lead users to hand their one-time passwords to fraudsters. An OTP is just another secret the user types in: once a fraudster has gained a customer's trust over email, phone or social media, the customer will supply the code along with the password, and a code relayed by the fraudster is indistinguishable from a legitimate one at the server.

Another security issue is that OTPs can be intercepted before they ever reach the user. SMS codes can be intercepted at scale, and the phone number itself can be taken over with a SIM swap attack. Consumer email is not a secure channel either, since the mailbox receiving the code is often protected by nothing more than a password: in 2018 it was revealed that only 10% of Gmail users had turned on two-factor authentication (2FA).

A further problem with OTPs is the friction they add for the user. Arguably, they add more friction than a password, and that friction leads to customer drop-off and lower retention. A recent study showed that fewer than 2.5% of Twitter users had enabled OTPs, a clear sign that users choose convenience over security when given the choice.

The problem with facial recognition

With the introduction of Face ID in 2017, Apple brought face recognition to the forefront for many people. Facial recognition is now commonly used to unlock phones and to authenticate users to online services, and it has become a target for fraudsters. Unlike a password, a face is static data that cannot be changed: once an image good enough to pass a recognition system is in the hands of bad actors, its owner can never again safely rely on that face as proof of identity.

Fraudsters use images from many sources, including social media, to fool facial recognition systems, and more sophisticated attacks are being developed. A recent paper by researchers from Israel describes a neural network that generates 'master' faces: synthetic facial images, each capable of impersonating multiple identities. The authors suggest that such 'master keys' can cover more than 40% of the population with only nine faces synthesized by the StyleGAN generative adversarial network (GAN), evaluated against three leading face recognition systems.

How to enhance security in your authentication flow?

Balancing security and user experience is no easy task, but the good news is that there is a lot of innovation in the security industry. In recent years, new technologies have been developed to address the UX-versus-security dilemma by providing passive authentication techniques that work silently in the background.

One example is device fingerprinting, which silently recognizes a device from its unique attributes and decides whether it should be trusted; most apps and websites already employ it. Another passive method is behavioral biometrics, which identifies authorized users by how they move the mouse or touchscreen, how they type and how they hold their phone. Unfortunately, most behavioral biometrics solutions need time to train before they perform well, and integrating them can be complex.

More recently, with mobile becoming the main online channel, location behavior data from on-device sensors is being used to identify whether a user is accessing or transacting from a trusted location, meaning a place that is part of their regular routine such as their home, office or favorite restaurant. In a study conducted by Incognia, 90% of legitimate logins and 95% of legitimate high-risk transactions happened from a trusted location. The main advantage of location behavior is that it assesses risk without any user action (Incognia reports a failure rate of 1 in 100,000,000 transactions), which keeps the user experience as frictionless as possible.

There is no silver bullet in security, so developers should take a layered approach: rely on passive authentication for the vast majority of low-risk scenarios and introduce the friction of MFA only when the passive signals indicate high risk. That way, legitimate customers get a frictionless authentication experience while fraudsters are kept out.
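The layered policy described above, as an added example in Python (it is not Incognia's product or the author's code): trusted places are learned from a user's prior legitimate sessions, the device identifier is assumed to be an opaque value produced by a fingerprinting layer, and the risk weights, the 200 m radius, the three-session minimum and every coordinate are constructed assumptions. Only when the passive signals together cross the threshold does the app step up and demand an OTP.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0


def distance_m(a: tuple, b: tuple) -> float:
    """Great-circle (haversine) distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def learn_trusted_places(history: list, radius_m: float = 200.0, min_sessions: int = 3) -> list:
    """A place is trusted when at least `min_sessions` prior legitimate sessions happened
    within `radius_m` of it: home, office, the regular cafe. A one-off location is not."""
    return [p for p in history
            if sum(distance_m(p, q) <= radius_m for q in history) >= min_sessions]


def near_trusted_place(point: tuple, trusted_places: list, radius_m: float = 200.0) -> bool:
    return any(distance_m(point, p) <= radius_m for p in trusted_places)


@dataclass
class Event:
    device_id: str      # identifier assigned by the device-fingerprinting layer (assumed opaque)
    location: tuple     # (lat, lon) reported by on-device sensors
    action: str         # "login", "transfer", "change_password", ...
    amount: float = 0.0


# Assumed policy weights; a real deployment tunes these against its own fraud data.
RISK_UNKNOWN_DEVICE = 40
RISK_UNTRUSTED_LOCATION = 40
RISK_SENSITIVE_ACTION = 30
STEP_UP_THRESHOLD = 50
SENSITIVE_ACTIONS = {"transfer", "change_password", "add_payee"}
HIGH_VALUE_AMOUNT = 1000.0


def assess(event: Event, trusted_devices: set, trusted_places: list) -> tuple:
    """Return (decision, score, reasons). "allow" relies on passive signals alone;
    "step_up" means the app should now demand an OTP or another active factor."""
    score, reasons = 0, []
    if event.device_id not in trusted_devices:
        score += RISK_UNKNOWN_DEVICE
        reasons.append("unknown_device")
    if not near_trusted_place(event.location, trusted_places):
        score += RISK_UNTRUSTED_LOCATION
        reasons.append("untrusted_location")
    if event.action in SENSITIVE_ACTIONS or event.amount >= HIGH_VALUE_AMOUNT:
        score += RISK_SENSITIVE_ACTION
        reasons.append("sensitive_action")
    decision = "step_up" if score >= STEP_UP_THRESHOLD else "allow"
    return decision, score, reasons


# Constructed sample data (not from the article): one user's prior legitimate sessions.
HOME = [(-23.5505, -46.6333), (-23.5507, -46.6335), (-23.5503, -46.6331), (-23.5506, -46.6330)]
OFFICE = [(-23.5614, -46.6560), (-23.5616, -46.6562), (-23.5612, -46.6558)]
ONE_OFF_CAFE = [(-23.5700, -46.6900)]
SESSION_HISTORY = HOME + OFFICE + ONE_OFF_CAFE
TRUSTED_DEVICES = {"fp-7c1e"}  # devices the fingerprinting layer has already seen for this user
TRUSTED_PLACES = learn_trusted_places(SESSION_HISTORY)


def run_demo() -> dict:
    """Decisions for four constructed events; only the risky combinations trigger MFA."""
    events = {
        "known_device_at_home_login": Event("fp-7c1e", (-23.5505, -46.6334), "login"),
        "known_device_abroad_transfer": Event("fp-7c1e", (40.7128, -74.0060), "transfer", 5000),
        "new_device_abroad_login": Event("fp-9a00", (40.7128, -74.0060), "login"),
        "known_device_new_cafe_login": Event("fp-7c1e", (-23.5700, -46.6900), "login"),
    }
    return {name: assess(e, TRUSTED_DEVICES, TRUSTED_PLACES)[0] for name, e in events.items()}


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: {decision}")
```

Two design choices matter here. The location signal is derived from the user's own history rather than from a fixed list, so the cafe visited once does not become trusted, while a routine login from a recognized device at an unfamiliar place is still allowed because the device layer vouches for it. And the decision is a score over independent signals, so a single weak signal never forces friction but two of them, or one plus a high-value action, always does.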

André Ferraz is the founder and CEO of Incognia. Incognia is a private identity company that enables advanced mobile fraud prevention for banks, fintech and mcommerce companies.
