Still getting login codes via text or authenticator apps? You’re not alone—and that’s a big problem. What used to feel like a smart security layer is now one of the easiest ways for attackers to gain access to your accounts.
First we were told to use SMS for MFA. Then we were told: “Don’t use SMS for MFA, use an authenticator app instead.”
And while that may seem like a step forward, it’s still fundamentally flawed. Authenticator apps do improve over SMS by avoiding message interception, but they are phished just as easily (every day now): they rely on time-based codes that can be phished, relayed, or intercepted outright if the device is compromised.
The core issue remains: the system has no idea whether it’s being used on the legitimate site or a perfect fake. So while it’s a different system, it’s not a secure one—just a broken version of the same problem.
Want proof? Recent high-profile breaches (including Aflac, Erie Insurance and Philadelphia Insurance Companies) showed exactly how easy this is.
Some were calls to IT help desks asking for an MFA bypass or reset. But the favored technique is quickly becoming a phishing/spoofing trick.
A phishing email lands. The user clicks. The spoofed website is pixel perfect. They enter their username, password, and they confirm it’s them on their auth app. Done. The attacker is in.
Because the authenticator app doesn’t verify who is asking or where the request came from, you become the attack vector.
This is what no one wants to say out loud: authenticator apps and SMS codes can be phished in real time. They give users a false sense of security while offering little to no actual protection against the most common threat today—spoofed websites paired with social engineering.
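As an added illustration (not code from the original post), here is the check a server can and cannot perform: a TOTP verifier only ever sees six digits, so a code typed into a lookalike page and relayed within the time window verifies fine, whereas a WebAuthn relying party sees the origin the browser actually contacted inside the signed clientDataJSON. The secret, origins, challenge and helper names are constructed for the demo, and the signature check over the assertion is omitted.

```python
import base64
import hashlib
import hmac
import json
import struct

# Constructed demo values, not from the article.
SECRET = b"constructed-demo-secret-0123"
RP_ORIGIN = "https://login.example.com"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """The server learns only the six digits. Nothing in the code records which
    site the user typed it into, so there is no origin for the server to check."""
    return hmac.compare_digest(totp(secret, unix_time), submitted)


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser builds during
    navigator.credentials.get(): the browser, not the page, fills in 'origin'."""
    b64 = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": b64, "origin": origin}).encode()


def verify_webauthn_client_data(client_data_json: bytes, expected_origin: str,
                                expected_challenge: bytes) -> bool:
    """Relying-party checks on clientDataJSON. An assertion produced on a
    lookalike domain carries that domain as its origin and is rejected here,
    even if every other field was relayed perfectly. The signature over
    authenticatorData || SHA-256(clientDataJSON) is verified separately (omitted)."""
    data = json.loads(client_data_json)
    raw = data.get("challenge", "")
    challenge = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
    return (data.get("type") == "webauthn.get"
            and data.get("origin") == expected_origin
            and hmac.compare_digest(challenge, expected_challenge))
```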