How Modern Phishing Defeats Basic Multi-Factor Authentication

September 30, 2020 3 minute read

Two years ago, at the internet security conference Black Hat US, the Yubico team was invited to speak about how advanced phishing works and how FIDO authentication standards and YubiKeys can help mitigate these attacks.

Today’s hackers increasingly hijack one-time use codes and push notifications during the brief window when they are valid, and the attack and account takeover is all but invisible for the user.

With the recent spike in spear phishing using these methods, we decided to build on our previous work and show what it’s like to be phished with these modern techniques when using several types of basic multi-factor authentication.

If some of these terms are unfamiliar, don’t worry, we will go over them in this video.


These links have the details of the recent attacks. Krebs’ article in particular shows screenshots of some of the phishing pages used against several targets. Twitter was even quite open and posted publicly about their related security incident.

A different set of similar attacks happened over the last few years and are very serious. Amnesty International has three in-depth articles which detail phishing techniques used by seemingly politically motivated attackers against human rights defenders, journalists, and civil society organizations in the Middle East, Egypt, and Northern Africa during 2018 and 2019. This is a clear example of how attackers know their victims, and will use things they care about (security) to try and trick them.

Also not covered here are attacks on SMS based authentication where the phone network is leveraged via backbone connections or sim swaps to intercept the code that the victim was supposed to get. Read below to learn more about this:

The way I was able to make fairly clean phishing pages over the course of roughly a day was by using the open source phishing framework called Evilginx2 by Kuba Gretzky and hacking in some tweaks and javascript. If you’re interested in the details of how these attacks are done under the hood, or want to see some other great examples against other services, please see Kuba’s fantastic talk here.

Share this article:

Recommended content

What is Strong Authentication

Strong Authentication Definition Strong authentication is a way of safely and reliably confirming user identity. Multi-factor authentication (MFA) is one of the best options to establish trust with users, but actual strong authentication goes beyond MFA or two-factor authentication (2FA). When implementing MFA, at a minimum, follow the National Institute for Standards and Technology (NIST) ...


Yubico research reveals that cybersecurity best practices, including password protection, and employee training in the UK, France, and Germany are lackluster with the proliferation of employees working from home

We all know there have been major paradigm shifts in the workplace caused by the pandemic. With the explosion of working from home (WFH), millions of employees now call their basements and bedrooms home offices. Security professionals scrambled to put together employee onboarding and authentication protocols that met new cybersecurity requirements for remote employees. Over ...


Figma implements strong security for all its employees with Okta and the YubiKey

About our customer Figma Sources


SANS 2021 Password Management and Two-Factor Authentication Methods Survey

Read this report to learn about password management and the types of MFA solutions being used in industries