Two-factor authentication is one of the most effective security controls available. Rapid7’s 2025 incident data found that 56 percent of all account compromises occurred in accounts with no MFA enabled. That statistic makes the case for 2FA clearly.
But 2FA is not a uniform standard. The methods described in most introductory guides as reasonable alternatives (SMS codes, time-based one-time passwords, push approvals) are now reliably bypassed by Adversary-in-the-Middle (AiTM) phishing kits that operate at scale. Microsoft tracked a 146 percent rise in AiTM attacks during 2024. Tycoon 2FA, one of the most active Phishing-as-a-Service kits, earned a threat score of 4.8 out of 5 from security researchers in early 2025 based on infrastructure monitoring. These kits intercept both your password and your OTP code in real time, capture your session token, and give an attacker full access to your account without triggering any MFA prompts.
Understanding 2FA in 2026 means understanding this distinction: some 2FA methods are now bypassable at scale, and some are genuinely phishing-resistant by design. This guide covers how each method works, precisely why some are vulnerable and others are not, and the connection between 2FA and the SSL certificate infrastructure this site is built around.
What Two-Factor Authentication Is
Authentication is the process of proving you are who you claim to be to a system. Most systems use credentials: a username identifies you, a password proves you are who the username says. Passwords have one fundamental problem: they are knowledge that can be copied. Anyone who learns your password can impersonate you completely.
Two-factor authentication requires proving identity through two independent categories of evidence rather than one:
- Something you know: A password, PIN, or security question answer. Information that should exist only in your memory.
- Something you have: A physical device (phone, hardware key, smart card) or a time-based code that only the holder of a specific registered device can produce.
- Something you are: A biometric: fingerprint, face scan, or voice pattern unique to your physical person.
True 2FA requires two different categories. A password plus a PIN is not 2FA; both are something you know. A password plus a code sent to your phone is 2FA: something you know (the password) plus something you have (the phone that receives the code).
The theory is sound: an attacker who steals your password does not automatically have your phone. They would need to compromise both independently. The practical security depends on how the second factor is implemented.
The 2FA Methods: How Each Works and What Each Stops
SMS one-time passwords
When you log in, the server sends a short numeric code to your registered phone number via SMS. You enter the code to complete authentication. The code typically expires in 5-10 minutes.
SMS 2FA is the most widely deployed method because it requires no app installation: any mobile phone can receive SMS. The weaknesses are significant. SIM swapping attacks convince a mobile carrier to transfer your phone number to an attacker’s SIM card; all subsequent SMS codes go to the attacker. The SS7 telephony protocol has known vulnerabilities that allow interception of SMS in some circumstances. AiTM phishing kits intercept the code in real time as you enter it on the proxy page and replay it to the real service before it expires.
TOTP: time-based one-time passwords
TOTP (defined in RFC 6238) generates a six-digit code every 30 seconds using a shared secret stored in the authenticator app (Google Authenticator, Authy, Microsoft Authenticator, Bitwarden, and others). The server and your app share the same secret and the same algorithm, so they generate the same code at the same time. When you log in, you enter the current code from the app.
TOTP eliminates the SIM-swapping attack because no SMS is involved. It is much better than SMS for most threat models. Against historical phishing (where an attacker collected credentials and tried them later), TOTP was highly effective: a stolen TOTP code expired in 30 seconds, useless by the time the attacker tried it.
Against AiTM phishing, TOTP provides inadequate protection. A live proxy captures your TOTP code as you enter it on the phishing page and immediately forwards it to the real service. The 30-second expiry window is longer than the relay takes. The code is valid, the relay is instant, and the attacker obtains a valid session. TOTP was designed to defend against stored credentials; it was not designed to defend against real-time relay attacks.
Push notifications
Push notification 2FA sends a login approval request to your registered phone app (Microsoft Authenticator, Duo, Okta Verify). You approve or deny the request. More secure implementations include number matching: the login screen shows a number you must select on the push notification to approve, preventing blind approvals.
Push notifications without number matching are vulnerable to MFA fatigue attacks. In September 2022, the Lapsus$ group breached Uber by purchasing a contractor’s credentials and then bombarding the contractor with push notification approvals for over an hour. The contractor eventually approved one request to stop the notifications. The attacker, posing as Uber IT support via WhatsApp, encouraged the approval. Push notifications with number matching are more resistant to fatigue attacks, but AiTM proxies have added support for capturing push approvals too: the proxy sends the approval request to the real service on behalf of the victim.
TOTP and push: the shared vulnerability
Both TOTP and push notifications share a fundamental weakness against AiTM attacks: they produce authentication artifacts (codes, approvals) that can be relayed. The second factor is something the user produces or approves, and the proxy captures and forwards it. The authentication is valid from the service’s perspective. The session cookie issued after authentication is then stolen by the attacker.
TOTP and push notification MFA provide significant protection against password-only attacks and unsophisticated phishing. They do not provide protection against AiTM proxy attacks, which are now commoditized through Phishing-as-a-Service platforms. For accounts where compromise would be catastrophic (corporate admin access, financial systems, email accounts used for password resets on other accounts), TOTP and push are insufficient as the sole additional factor. Phishing-resistant MFA is required.
FIDO2 hardware security keys
FIDO2 hardware security keys (YubiKey, Google Titan Key, and others) are physical USB or NFC devices that perform a cryptographic challenge-response operation during authentication. The key generates a unique key pair for each registered service. The private key never leaves the hardware device. During login, the service sends a challenge that only the matching private key can sign. The browser provides the service’s origin (domain) as part of the challenge.
The phishing resistance mechanism is origin binding. When you register the security key with a service, the registration is bound to the exact origin (scheme, hostname, port) of that service. During authentication, the authenticator checks that the challenge came from the same origin as the registration. A phishing site at a different domain cannot generate a valid challenge for a different origin. The authentication computation fails. The user is not tricked because the device will simply not authenticate to the wrong domain, regardless of how convincing the phishing site looks.
This is not a UX-level check. The domain binding is enforced at the cryptographic level by the authenticator hardware. An AiTM proxy between the user and the phishing site cannot forge a valid origin challenge from the legitimate site’s domain. The authentication cannot be completed on the phishing infrastructure.
Passkeys (FIDO2 platform authenticators)
Passkeys are FIDO2 credentials stored in platform authenticators: the Secure Enclave on Apple devices, the Trusted Platform Module on Windows, or equivalent secure hardware on Android. They are unlocked via the device’s biometric (Face ID, Touch ID, Windows Hello) or PIN. They can sync across a user’s devices through encrypted cloud storage (iCloud Keychain, Google Password Manager, Microsoft account, or a third-party password manager).
Passkeys have the same phishing resistance as hardware security keys through the same origin-binding mechanism. The credential generated during registration is bound to the site’s exact origin. The passkey authentication fails on any other domain. Unlike hardware security keys, passkeys do not require carrying a physical device: they are available on any device where the user’s synchronized credentials are available.
Passkeys represent the evolution from 2FA (password plus second factor) toward passwordless authentication (no password at all, just the passkey). The credential is cryptographically strong and phishing-resistant without requiring the user to manage a password at all. Most major platforms now support passkeys: Google, Microsoft, Apple, GitHub, financial institutions, and a growing number of consumer and enterprise services.
2FA Methods Compared: Security, Phishing Resistance, and Practicality
| Method | Stops password theft | Stops SIM swap | Stops TOTP replay | Stops AiTM proxy | Stops push bombing | Phishing-resistant by design |
| SMS OTP | Yes | No | N/A | No (relayed in real time) | N/A | No |
| TOTP (authenticator app) | Yes | Yes | Yes (30s expiry vs stored creds) | No (relayed in real time) | N/A | No |
| Push notification (no number match) | Yes | Yes | N/A | No | No | No |
| Push notification (number matching) | Yes | Yes | N/A | Partial (harder but not eliminated) | Harder | No |
| FIDO2 hardware key | Yes | Yes | Yes | Yes (origin binding) | N/A | Yes |
| Passkeys | Yes | Yes | Yes | Yes (origin binding) | N/A | Yes |
Why FIDO2 Phishing Resistance Actually Works: Origin Binding Explained
The phishing resistance of FIDO2 and passkeys is often described as a feature without the mechanism being explained. The mechanism is origin binding, and it is important to understand precisely because it is what makes FIDO2 categorically different from all earlier 2FA methods.
During registration, the browser and authenticator receive the service’s origin: the exact combination of protocol, hostname, and port (for example, https://accounts.google.com). This origin is cryptographically incorporated into the registration data. The key pair generated for that service is mathematically tied to that specific origin.
During authentication, the service sends a challenge. The browser provides the service’s origin as part of the data the authenticator signs. If an AiTM proxy is operating between the user and the legitimate service, the proxy has its own domain (for example, https://accounts.g00gle.com or any other lookalike). When the authenticator is asked to sign the challenge, it receives the proxy’s origin. The origin does not match the origin bound to the registered credential. The authentication fails. The user sees a failure message; the proxy has nothing to forward to the real service.
The key insight is that origin binding is not a UI check that a user might skip or bypass. It is a constraint enforced by the cryptographic computation inside the authenticator. No amount of social engineering convinces the hardware to authenticate to the wrong domain. No AiTM proxy can generate valid FIDO2 assertions for a domain it does not control.
The SSL certificate connection: FIDO2 origin binding and SSL certificate validation address the same threat from different directions. SSL certificates confirm the domain is operated by the verified entity (via CA validation). FIDO2 origin binding confirms the authentication credential was registered for this exact domain. An attacker with a lookalike domain fails both checks: the certificate is not from the legitimate CA, and the FIDO2 credential will not authenticate to the wrong origin. Together they form a strong barrier against lookalike-domain attacks that neither provides alone.
How AiTM Phishing Bypasses Traditional 2FA: The Mechanics
Adversary-in-the-Middle phishing kits set up a proxy server that sits between the victim and the real service. The victim visits a convincing lookalike URL, sees a genuine login page (because the proxy is forwarding the real site’s content in real time), and enters their credentials. The proxy captures the credentials and forwards them to the real service. The real service requests the second factor. The proxy forwards the request to the victim, who enters the TOTP code or approves the push notification. The proxy captures the response and forwards it to the real service, which issues a session cookie. The proxy captures the session cookie and the attacker loads it into their own browser, authenticated as the victim, without any further prompts.
The victim sees what appears to be a failed login or is redirected to the real site after a delay. They may not know anything has happened. The session token is valid for hours or days. The attacker uses it to read email, exfiltrate data, send BEC emails from the victim’s account, or access connected services.
Tycoon 2FA, tracked by security researchers including Sekoia.io in early 2025, is one of the most sophisticated Phishing-as-a-Service platforms implementing this technique. It earned the highest threat score in Sekoia’s monitoring infrastructure. EvilProxy, Evilginx, and similar tools are freely or commercially available to attackers with no advanced technical skill required.
Choosing the Right 2FA Method: A Practical Framework
The right method depends on the risk profile of the account and the practical constraints of implementation. Not every account needs hardware security keys; not every account can be adequately protected by SMS codes.
| Account type | Minimum adequate method | Recommended if feasible | Notes |
| Personal social media and low-value services | SMS or TOTP | TOTP; enable passkeys if available | SMS is acceptable when the account has limited consequence; TOTP is better |
| Personal email (used for password resets on other accounts) | TOTP minimum | Passkey or FIDO2 hardware key | Compromise of email grants access to every service that uses it for password reset; treat as high-value |
| Online banking and financial accounts | TOTP minimum | Passkey; or hardware key | Most banks now support passkeys; use them when available |
| Corporate email and M365/Google Workspace accounts | TOTP minimum; number-matched push | Passkey or FIDO2 hardware key | Corporate email is the primary target of BEC campaigns; TOTP is bypassable by AiTM; phishing-resistant MFA is warranted |
| Admin and privileged access (cloud consoles, domain admin, root) | FIDO2 hardware key or passkey required | Hardware key for shared admin accounts; passkey for individual admin accounts | Admin compromise has organization-wide consequences; TOTP is insufficient for these roles |
| Developer tools (GitHub, CI/CD, cloud infrastructure access) | TOTP minimum | Passkey or hardware key | Supply chain attacks via developer account compromise are a documented threat vector |
Implementation for Individuals and Organizations
For individuals
- Enable passkeys on your primary email account first. Email compromise is the key that unlocks password resets on every other account.
- Enable passkeys on financial accounts where supported.
- Use TOTP rather than SMS wherever both options exist and passkeys are not available.
- Store TOTP secrets and backup codes in a password manager with its own strong 2FA.
- Keep backup codes for critical accounts in a physically secure location, not in a note app.
- Do not approve MFA push requests you did not initiate, regardless of urgency claimed by anyone contacting you.
For organizations
- Require phishing-resistant MFA (FIDO2 or passkeys) for all administrative and privileged roles without exception.
- Require at minimum TOTP or number-matched push for all employee accounts.
- Eliminate SMS OTP for corporate accounts; the SIM swap and AiTM exposure is unacceptable for organizational accounts.
- Disable legacy authentication protocols that bypass MFA (Basic Auth in Exchange, SMTP AUTH for email clients that do not support OAuth). These are active attack paths.
- Monitor for new MFA factor enrollment and suspicious login patterns as a detection control alongside MFA prevention.
- Enable Conditional Access or equivalent: require re-authentication on new devices, unusual locations, or high-risk behavior patterns.
The most impactful single step for most organizations is eliminating legacy authentication protocols. An attacker who knows credentials can use Basic Auth or SMTP Auth directly against Exchange or email infrastructure and completely bypass MFA, because these protocols were designed before MFA existed and do not support it. Microsoft, Google, and most enterprise email platforms allow blocking legacy auth protocols at the tenant or organization level.
Frequently Asked Questions
What is two-factor authentication?
Two-factor authentication (2FA) requires proving identity through two independent categories of evidence to access an account: typically something you know (a password) and something you have (a device that generates or receives a time-limited code). The two-factor requirement means an attacker who steals only your password cannot access the account without also compromising the second factor. 2FA is also called multi-factor authentication (MFA) when it involves two or more factors; the terms are often used interchangeably.
Is SMS 2FA still safe to use?
SMS 2FA is substantially better than no 2FA and protects against the most common attack: password theft from a data breach. An attacker who obtains your password still cannot log in without your SMS code. However, SMS has specific weaknesses: SIM swapping (convincing a carrier to transfer your number) and AiTM phishing (a proxy that captures your SMS code in real time and relays it to the real service before it expires). For low-value personal accounts, SMS is acceptable. For email accounts, financial accounts, or corporate accounts, TOTP is better than SMS, and passkeys or hardware security keys are better than TOTP.
What is the difference between TOTP and passkeys?
TOTP (time-based one-time password) generates a six-digit code every 30 seconds from a shared secret in your authenticator app. It protects against password theft and unsophisticated phishing but can be bypassed by AiTM proxy attacks that intercept the code in real time. Passkeys use FIDO2 public-key cryptography bound to the exact origin (domain) of the service. They cannot be relayed by an AiTM proxy because the authentication computation checks the domain and fails on any domain other than the one the credential was registered with. Passkeys are phishing-resistant by cryptographic design; TOTP is not.
What is an AiTM attack and how does it bypass 2FA?
Adversary-in-the-Middle (AiTM) phishing places a proxy between the victim and the real service. The victim sees a convincing login page (forwarded in real time by the proxy), enters their credentials and second factor, and the proxy captures both and forwards them to the real service. The real service issues a session cookie, which the proxy steals. The attacker loads this session cookie and is authenticated as the victim without any further MFA prompts. TOTP and push notification 2FA are bypassed because the second factor is a value that can be relayed. FIDO2/passkeys are not bypassed because the authentication is computationally bound to the legitimate domain’s origin and fails on the proxy’s domain.
How do passkeys relate to SSL certificates?
Both passkeys and SSL certificates use origin binding to authenticate domains and prevent impersonation. An SSL certificate, issued by a Certificate Authority, proves that a domain is operated by a verified entity. When a browser validates the certificate, it confirms the domain matches. A passkey is a credential cryptographically bound to the exact origin where it was registered. When a user authenticates with a passkey, the authenticator confirms the domain matches the registered origin. An attacker with a lookalike domain fails both checks: the certificate does not match the legitimate CA issuance, and the passkey credential does not authenticate to the wrong origin. They are complementary controls addressing the same category of threat from the transport layer and the application layer respectively.
