
MFA has one weakness that puts every user at risk.
The core of authentication is checking one or more of three traits of a person: something you know (a password or PIN), something you have (a phone, SIM or hardware token), and something you are (a face or fingerprint).
MFA is supposed to check at least two of these factors independently, but there are situations where it does not, even when users have switched MFA on.
In London, more than 90,000 phone thefts (!) were reported in 2022, which works out to roughly 250 every single day. More recent data from the Crime Survey for England and Wales estimates that this number grew by 150% between March 2023 and March 2024.
Many of these thefts are taken directly from the owner as they walk down the street or through busy tube stations, which brings us back to the weakness in MFA.
If an attacker steals a phone while it is unlocked, they have everything on it: the victim's email, the phone number (and so any SMS codes), and the authenticator app. On top of that, many apps stay permanently signed in, with very long or unlimited lifetimes on their session tokens.
So by stealing your unlocked phone, the thief only really needs 'something you have'. The 'something you know' is reachable from the phone (saved passwords, or a reset link sent to the email account that is open on it), and the second factor is generated on the same phone, so the supposedly independent factors collapse into one device.
What can you do about it?
The thief will switch on flight mode straight away, so 'Find My' will often not work.
Enable Face ID (or the equivalent) on your email and authenticator apps. Apple only implemented this for every app in iOS 18 (Require Face ID in the app's long-press menu), so get on it!
Passkeys help too, since the attacker would need your phone PIN or Face ID to authenticate. But the apps would have to use the passkey every time, or at least before anything sensitive, rather than staying permanently signed in like the Amazon app. Bear in mind that the device passcode is the fallback for Face ID, so a thief who watched you type your PIN before grabbing the phone gets through this as well.
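To make the "perma-authenticated" problem and the passkey fix concrete, here is an added example (my own code, not from the original post or from any named app) of the server-side session policy behind it. It puts the weak policy (a token that works forever, for everything) beside a hardened one: an absolute session lifetime, an idle timeout, and a step-up rule that lets sensitive actions through only if a passkey assertion with the WebAuthn User Verified flag (PIN or Face ID) was seen in the last few minutes. The policy values, the relying party ID `example.com`, the action names and the sample authenticator data are all assumptions constructed for the demo.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Hypothetical policy values (assumptions for this example, not from the post).
ABSOLUTE_LIFETIME = 30 * 24 * 3600   # session dies regardless of activity
IDLE_TIMEOUT = 24 * 3600             # session dies after this much inactivity
STEP_UP_WINDOW = 5 * 60              # sensitive action needs a UV assertion this recent

SENSITIVE_ACTIONS = {"change_email", "show_recovery_codes", "add_payment_card", "disable_mfa"}

class Decision(Enum):
    ALLOW = "allow"
    REAUTH_REQUIRED = "reauth_required"   # app must run a fresh passkey/Face ID/PIN check
    SESSION_EXPIRED = "session_expired"   # full login again

@dataclass
class Session:
    issued_at: float
    last_seen_at: float
    last_uv_at: Optional[float] = None   # last user-verified (passkey/Face ID/PIN) assertion

# Weak model: once the token exists it works forever, for every action.
# This is what a thief holding an unlocked phone benefits from.
def authorize_weak(session: Session, action: str, now: float) -> Decision:
    return Decision.ALLOW

# Hardened model: bounded lifetime, idle timeout, and step-up for sensitive actions.
def authorize_hardened(session: Session, action: str, now: float) -> Decision:
    if now - session.issued_at > ABSOLUTE_LIFETIME or now - session.last_seen_at > IDLE_TIMEOUT:
        return Decision.SESSION_EXPIRED
    if action in SENSITIVE_ACTIONS:
        if session.last_uv_at is None or now - session.last_uv_at > STEP_UP_WINDOW:
            return Decision.REAUTH_REQUIRED
    session.last_seen_at = now           # sliding idle window
    return Decision.ALLOW

# WebAuthn authenticator data flag bits (from the WebAuthn spec).
FLAG_UP = 0x01   # user present (a touch/confirmation)
FLAG_UV = 0x04   # user verified (PIN, Face ID, fingerprint)

def step_up_satisfied(auth_data: bytes, rp_id: str) -> bool:
    """True only if the authenticator data is for our RP and has UP and UV set.
    Signature verification of the assertion is assumed to have already passed."""
    if len(auth_data) < 37:              # rpIdHash(32) + flags(1) + signCount(4)
        return False
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False
    return bool(flags & FLAG_UP) and bool(flags & FLAG_UV)

def record_step_up(session: Session, auth_data: bytes, rp_id: str, now: float) -> bool:
    """Accept a fresh assertion as the step-up for this session if it is user-verified."""
    if not step_up_satisfied(auth_data, rp_id):
        return False
    session.last_uv_at = now
    return True

def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Constructed sample authenticator data: rpIdHash || flags || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")

def demo() -> dict:
    """Walk the stolen-unlocked-phone scenario through both policies."""
    rp = "example.com"                   # assumed relying party ID
    now = 1_700_000_000.0                # fixed clock so results are reproducible
    out = {}

    # A token minted over a year ago that the app has kept alive ever since.
    old = Session(issued_at=now - 400 * 86400, last_seen_at=now - 60, last_uv_at=now - 400 * 86400)
    out["old_token_weak"] = authorize_weak(old, "change_email", now)
    out["old_token_hardened"] = authorize_hardened(old, "change_email", now)

    # A current session: logged in two days ago, used a minute ago, no biometric check since login.
    s = Session(issued_at=now - 2 * 86400, last_seen_at=now - 60, last_uv_at=now - 2 * 86400)
    out["browse"] = authorize_hardened(s, "view_orders", now)
    out["sensitive_no_step_up"] = authorize_hardened(s, "change_email", now)

    # A presence-only assertion (no PIN/Face ID) does not satisfy step-up.
    out["up_only_accepted"] = record_step_up(s, make_auth_data(rp, FLAG_UP), rp, now)
    # An assertion bound to a different RP is rejected even with UV set.
    out["wrong_rp_accepted"] = record_step_up(s, make_auth_data("evil.example", FLAG_UP | FLAG_UV), rp, now)
    # A user-verified assertion for our RP unlocks the sensitive action for STEP_UP_WINDOW only.
    out["uv_accepted"] = record_step_up(s, make_auth_data(rp, FLAG_UP | FLAG_UV), rp, now)
    out["sensitive_after_step_up"] = authorize_hardened(s, "change_email", now + 30)
    out["sensitive_window_elapsed"] = authorize_hardened(s, "change_email", now + 600)
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point of the design is that the app can stay signed in for browsing without handing a thief the account: reading order history is harmless, but changing the email address or viewing recovery codes forces a fresh user-verified passkey assertion, which is exactly the check an attacker with an unlocked phone but no PIN or face cannot pass. Real deployments should also verify the assertion signature and sign counter before calling `record_step_up`.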
Can anyone think of other good security controls against this attack?