Why mobile-based MFA is not phishing resistant

The need for phishing-resistant MFA has become more apparent in recent times. Some experts estimate that as of 2020, spear phishing is linked to upwards of 95 percent of all successful attacks against organizational networks in both the private and public sectors. 2021 also saw some of the largest security breaches ever, including the Colonial Pipeline and SolarWinds hacks. In an attempt to address the growing threat, the White House released its cybersecurity executive order and Zero Trust Strategy with the Office of Management and Budget (OMB), mandating US federal agencies to use only multi-factor authentication (MFA) that can resist phishing attacks by the end of 2024. Today’s hackers increasingly hijack phishable one-time use codes and push notifications during the brief window when they are valid, and the attack and account takeover is all but invisible for the user.

With the recent spike in spear phishing using these methods, we decided to build on our previous work and show what it’s like to be phished with these modern techniques when using several types of basic multi-factor authentication.

If some of these terms are unfamiliar, don’t worry, we will go over them in this video.

Acknowledgements

These links have the details of the recent attacks. Krebs’ article in particular shows screenshots of some of the phishing pages used against several targets. Twitter was even quite open and posted publicly about their related security incident.

A different set of similar attacks happened over the last few years and are very serious. Amnesty International has three in-depth articles which detail phishing techniques used by seemingly politically motivated attackers against human rights defenders, journalists, and civil society organizations in the Middle East, Egypt, and Northern Africa during 2018 and 2019. This is a clear example of how attackers know their victims, and will use things they care about (security) to try and trick them.

Also not covered here are attacks on SMS based authentication where the phone network is leveraged via backbone connections or sim swaps to intercept the code that the victim was supposed to get. Read below to learn more about this:

The way I was able to make fairly clean phishing pages over the course of roughly a day was by using the open source phishing framework called Evilginx2 by Kuba Gretzky and hacking in some tweaks and javascript. If you’re interested in the details of how these attacks are done under the hood, or want to see some other great examples against other services, please see Kuba’s fantastic talk here.

Talk to our teamTalk to our team

Share this article:


  • Cybersecurity in 2025 – part two: Insights and predictions from Yubico’s expertsIn part one of our 2025 cybersecurity predictions, we highlighted insights from our experts on the topic of passkeys, digital identity wallets and the threats of AI-driven phishing – areas that saw a lot of focus in 2024, and ones that we expect to continue being a major focus this year. If you missed our […]Read morecritical infrastructurefederal governmentfinancial servicespredictions
  • Cybersecurity in 2025: Insights and predictions from Yubico’s expertsWith 2024 behind us, we saw another challenging year in the world of cybersecurity – highlighted by new and evolving threats like Artificial Intelligence (AI)-driven phishing and increasingly sophisticated cyber attacks overall. Yubico’s September Global State of Authentication Survey confirmed the challenges, even underscoring the potential risks of these new threats. The report emphasized the […]Read moreAIdigital identity walletspasskeyspredictions
  • State of Global Authentic(age)ion: A look at cybersecurity habits by generationsNo generations were left untouched when it came to the threat of hackers in 2024: from the impact of political shakeups, to increasingly sophisticated cyber attacks targeting consumers, critical industries and infrastructures, the world was on high alert. Fueled by a dramatic increase in phishing attacks circumventing certain forms of legacy multi-factor authentication (MFA), as […]Read moreState of Global Authenticationsurvey
  • Yubico named finalists of German digital identity innovation competitionIn 2023, Yubico began collaborating on an exciting open standards identity project – wwWallet – to shape the future of digital identity across Europe and beyond. The project saw immediate success solving problems for global identity, and was submitted in the German SPRIN-D European Digital Identity (EUDI) Funke competition which aims to develop and test […]Read moreEU Digital Identity WalletEUDIwwWalet