The Problem with One-Time Codes and Push Notifications

MFA methods like one-time codes and push notifications were put in place to reduce risks related to compromised or hacked passwords. MFA adds a second layer of security in the form of an additional authentication factor that must be entered along with the username and password. The most common forms of MFA are time-limited one-time codes (which may be sent via email or SMS text or generated by an authentication app at the time of login) and push notifications sent to a trusted device (such as a smartphone). These phone-based methods of MFA are meant to confirm the identity of the person entering the login credentials; the user must have access to a trusted smartphone/device to complete the login.

In theory, this prevents unauthorized logins by people who have acquired user credentials through a data breach or brute force hacking. If they don’t have the user’s phone, they can’t get the one-time code or push notification to complete the login attempt. However, cybercriminals have moved to highly sophisticated forms of phishing and other attacks specifically targeting these forms of MFA. For example:
