
Two-factor authentication: is it secure?

26th June 2025

While the National Cyber Security Centre* is still encouraging individuals and businesses to use it, is two-factor authentication (2FA) truly secure?

In the past few years, two-factor authentication has become the go-to extra level of security for all kinds of accounts. When logging in, you also have to supply a verification code from another source, meaning that to breach your account hackers must work twice as hard.

While this has helped to keep accounts secure, in 2025 it has become clear that cyber criminals have found ways around this defence: is 2FA still a valid security measure? Or is it no longer viable? We explore how 2FA is being overcome and if it is still worth investing in.

Adversary-in-the-Middle (AiTM) Attacks: to obtain the 2FA code, hackers make a fake login page that looks identical to the legitimate one. When the user enters their password and the code, the bad actor has both and can log in to the actual account. This attack usually succeeds because of phishing and social engineering: the user has to be lured to the fake page in the first place.
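The AiTM paragraph above explains that a one-time code typed into a look-alike page is just as valid when forwarded to the real site. The following Python example, added here and not part of the original post, shows why: a TOTP code (RFC 6238) says nothing about where it was typed, whereas an origin-bound assertion (the idea behind FIDO2/WebAuthn, simplified here to an HMAC) only verifies for the site the authenticator actually talked to. The secret, key, origins and challenge are constructed values for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demo values; a real deployment uses per-user random secrets.
SECRET = b"constructed-demo-secret"
STEP_SECONDS = 30
LEGIT_ORIGIN = "https://login.example.com"          # constructed, the real site
FAKE_ORIGIN = "https://login.example-com.test"      # constructed look-alike page


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // STEP_SECONDS)


def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """Server-side check allowing one step of clock drift either way."""
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), code)
        for drift in (-1, 0, 1)
    )


def simulate_totp_relay(now: int) -> bool:
    """The victim reads the code from their app and types it into the fake page;
    the fake page forwards it to the real server a few seconds later.
    Returns True if the real server accepts it, i.e. the relay worked."""
    code_typed_on_fake_page = totp(SECRET, now)
    return verify_totp(SECRET, code_typed_on_fake_page, now + 5)


def sign_assertion(key: bytes, origin: str, challenge: bytes) -> str:
    """Simplified origin-bound assertion: the authenticator signs the origin it
    is actually talking to together with the server's challenge."""
    return hmac.new(key, origin.encode() + b"|" + challenge, hashlib.sha256).hexdigest()


def verify_assertion(key: bytes, expected_origin: str, challenge: bytes, sig: str) -> bool:
    """The real server only ever checks against its own origin."""
    expected = sign_assertion(key, expected_origin, challenge)
    return hmac.compare_digest(expected, sig)


def simulate_origin_bound_relay(origin_seen_by_authenticator: str) -> bool:
    """Same relay, but with an origin-bound factor. Returns True only when the
    authenticator saw the legitimate origin."""
    challenge = b"constructed-fixed-challenge"  # real systems use a fresh random challenge
    sig = sign_assertion(SECRET, origin_seen_by_authenticator, challenge)
    return verify_assertion(SECRET, LEGIT_ORIGIN, challenge, sig)


if __name__ == "__main__":
    now = 1_700_000_000
    print("TOTP relayed through fake page accepted:", simulate_totp_relay(now))
    print("Origin-bound factor, legit origin:", simulate_origin_bound_relay(LEGIT_ORIGIN))
    print("Origin-bound factor, fake origin:", simulate_origin_bound_relay(FAKE_ORIGIN))
```

The point for defenders is that the relay in `simulate_totp_relay` succeeds purely because the code is portable; no amount of user training changes that property. Tying the second factor to the origin, as `simulate_origin_bound_relay` does, makes the fake page's copy useless against the real site.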

Session Hijacking: this happens after a 2FA session has been authenticated. If the attacker can steal a session cookie, using malware or a man-in-the-middle attack, they can impersonate the user without needing to enter the 2FA code themselves. This is a dangerous form of attack as it bypasses 2FA completely.
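Because a stolen cookie carries the already-completed 2FA with it, the server-side mitigation is to notice when a session is presented by a client that does not match the one it was issued to. The Python example below is added here and is not part of the original post; it shows a minimal session store that signs its cookies, records the client attributes at issuance and demands a fresh 2FA step when the same cookie turns up from a different client. The server key, user names and client attributes are constructed values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed server-side signing key; rotate and store it in a secret manager in practice.
SERVER_KEY = b"constructed-server-key"


def _fingerprint(client_ip: str, user_agent: str) -> str:
    """Stable digest of the attributes a session is bound to at issuance."""
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    binding: str          # fingerprint of the client the cookie was issued to
    mfa_verified: bool    # cleared when the cookie shows up from a different client


class SessionStore:
    """In-memory store; cookie = <random id>.<HMAC of id> so forged ids are rejected."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def _sign(self, session_id: str) -> str:
        return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, client_ip: str, user_agent: str) -> str:
        """Called only after password and 2FA both succeeded."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = Session(user, _fingerprint(client_ip, user_agent), True)
        return f"{session_id}.{self._sign(session_id)}"

    def validate(self, cookie: str, client_ip: str, user_agent: str) -> str:
        """Returns 'ok', 'invalid' (unknown or tampered cookie) or
        'reauth_required' (known cookie presented from a different client)."""
        session_id, _, sig = cookie.rpartition(".")
        if not session_id or not hmac.compare_digest(self._sign(session_id), sig):
            return "invalid"
        session = self._sessions.get(session_id)
        if session is None:
            return "invalid"
        if session.binding != _fingerprint(client_ip, user_agent):
            # The cookie moved: treat the 2FA as spent and log it for the SOC.
            session.mfa_verified = False
            return "reauth_required"
        return "ok" if session.mfa_verified else "reauth_required"


def demo_hijack_detection() -> tuple[str, str, str]:
    """Issue a session to one client, then present the same cookie elsewhere.
    Returns the three validation verdicts in order."""
    store = SessionStore()
    # Constructed client attributes.
    victim_ip, victim_ua = "203.0.113.10", "Mozilla/5.0 (victim laptop)"
    other_ip, other_ua = "198.51.100.7", "Mozilla/5.0 (different machine)"

    cookie = store.issue("alice", victim_ip, victim_ua)
    legit = store.validate(cookie, victim_ip, victim_ua)          # 'ok'
    moved = store.validate(cookie, other_ip, other_ua)            # 'reauth_required'
    forged = store.validate("forged-id.deadbeef", victim_ip, victim_ua)  # 'invalid'
    return legit, moved, forged


if __name__ == "__main__":
    print(demo_hijack_detection())
```

Binding to IP and user agent is deliberately simple; mobile users change addresses often, so production systems usually bind to something more stable (a device-bound token, or a TLS-level binding) and treat a mismatch as a signal to re-challenge rather than to block outright. The design choice that matters is that a relocated cookie costs the attacker the 2FA they were trying to skip.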

SIM Swapping: criminals can trick or bribe telecom employees into transferring your phone number to their SIM. Then, when you request 2FA via SMS, they get the codes instead. As always, the biggest weak link in cyber security is people – it is best not to get 2FA through SMS for this reason: an authenticator app will be more secure.

Malware and Keyloggers: some malware can read or intercept 2FA notifications directly from your device, allowing cyber criminals to easily access them. Some malware can delete itself after use, so your account may be breached without your knowledge.

Evidently, 2FA has a lot of flaws that stop it from being the robust cyber security measure we once thought it could be. We still recommend you have it, as it remains an extra step bad actors must bypass to get to your private information, but it is important to have other threat detection and response measures in place, as 2FA isn’t invincible.

If you want to know more about the limitations of 2FA, as well as what other cyber security technology can help your business, please contact Interfuture Security.

*https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/activate-2-step-verification-on-your-email
