Two-Factor Authentication Won't Save You — Here's What Will
An Uber contractor thought he was covered in September 2022. He had MFA enabled. Every login attempt triggered a push notification to his phone. He kept tapping "Deny." And the attacker, a teenager who had bought stolen credentials off the dark web, just kept trying. Push after push after push. Forty notifications in thirty minutes. Then the attacker messaged the contractor on WhatsApp, pretending to be Uber IT support: "Just approve the next one and they'll stop." So he did. The attacker was inside Uber's corporate network within two hours.
Two-factor authentication didn't fail because it was bypassed technically. It failed because a tired human got harassed into opening the door himself.
The Part Nobody Tells You
Here's the uncomfortable truth: no single layer of security is enough on its own. Two-factor authentication is a speed bump, not a wall. And the people trying to break into your accounts have already mapped every gap in it.
The biggest gap is SMS-based 2FA, the kind where a six-digit code gets texted to your phone. This is what most banks default to, what most people use, and what most people think is "secure enough." It isn't. According to the FBI's Internet Crime Complaint Center, SIM swapping attacks, where criminals convince your mobile carrier to transfer your phone number to a SIM card they control, resulted in nearly $26 million in reported losses in 2024 alone (VikingCloud, citing FBI IC3).
Once they have your number, every SMS code you were counting on now goes to them. They don't need your phone. They need one cooperative or bribable customer service rep at your carrier.
How Your Phone Number Gets Stolen Without Touching Your Phone
The attack is brutally simple. Someone collects details about you — your name, address, last four of your Social Security number, maybe your carrier account PIN — through a data breach, a phishing email, or just combing through your social media. Then they call your mobile carrier, pretend to be you, and say they lost their phone.
A Princeton study found that researchers could successfully port a number at major North American prepaid telecom companies by answering just one security question correctly (PhishLabs), using information that is frequently already available from previous breaches or public records.
Your carrier deactivates your SIM. Their SIM activates with your number. Your phone shows "No Service." And you have maybe ten minutes before they're into your email, your bank, your crypto wallet — anything that can be reset via a text message.
The counterintuitive part: it doesn't matter whether your other accounts use SMS 2FA at all. If your email password can be reset through a text to your phone number, every account whose own reset flow goes through that email is now accessible. One pivot point cascades everywhere.
The Attack That Doesn't Even Need Your Password
SIM swapping requires some setup. The other dominant bypass technique requires almost none.
It's called MFA fatigue, or push bombing. The attacker already has your username and password — not difficult, given that billions of credentials are sitting in breach databases available on the dark web. They log in repeatedly, triggering push notification after push notification on your phone. They do it at 11pm. At 2am. During your lunch break.
Most people, after 20 or 30 notifications, either assume it's a glitch and approve one to make it stop, or get socially engineered by someone calling them pretending to be tech support. According to the 2022 State of Passwordless Security report, this style of attack increased 33% year over year (HYPR), and that data was collected before the Lapsus$ group made push bombing a mainstream tactic.
This isn't a niche attack. Microsoft, Cisco, Cloudflare, MGM Resorts: all targeted with push bombing or one of its close relatives, such as phishing one-time codes out of employees by text message or talking a help desk into resetting MFA over the phone. The common thread isn't weak technology. It's exhausted people.
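As an added example that is not part of the original article, here is detection logic for the pattern just described, run over a few constructed MFA event lines (the log format, event names and user names are assumptions made for this example, not any identity provider's real schema). It flags a user who receives a burst of unanswered push prompts, and separately flags the more dangerous sequence from the Uber case: an approval that lands while such a burst is still in progress.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Times are UTC; the field and event
# names are assumptions for this example rather than any vendor's schema.
SAMPLE_LOG = """
{"ts": "2022-09-15T22:30:00Z", "user": "bob", "event": "mfa.push.denied", "ip": "198.51.100.9"}
{"ts": "2022-09-15T23:00:00Z", "user": "alice", "event": "mfa.push.denied", "ip": "192.0.2.44"}
{"ts": "2022-09-15T23:00:30Z", "user": "alice", "event": "mfa.push.approved", "ip": "192.0.2.44"}
{"ts": "2022-09-15T23:02:10Z", "user": "contractor01", "event": "mfa.push.denied", "ip": "203.0.113.7"}
{"ts": "2022-09-15T23:03:40Z", "user": "contractor01", "event": "mfa.push.denied", "ip": "203.0.113.7"}
{"ts": "2022-09-15T23:05:05Z", "user": "contractor01", "event": "mfa.push.timeout", "ip": "203.0.113.7"}
{"ts": "2022-09-15T23:06:30Z", "user": "contractor01", "event": "mfa.push.denied", "ip": "203.0.113.7"}
{"ts": "2022-09-15T23:07:55Z", "user": "contractor01", "event": "mfa.push.denied", "ip": "203.0.113.7"}
{"ts": "2022-09-15T23:09:20Z", "user": "contractor01", "event": "mfa.push.denied", "ip": "203.0.113.7"}
{"ts": "2022-09-15T23:12:00Z", "user": "contractor01", "event": "mfa.push.approved", "ip": "203.0.113.7"}
{"ts": "2022-09-15T23:20:00Z", "user": "bob", "event": "mfa.push.denied", "ip": "198.51.100.9"}
"""

# Prompts the user did not approve: denied outright or left to expire.
UNANSWERED = {"mfa.push.denied", "mfa.push.timeout"}


def parse_events(raw: str):
    """One JSON object per line; returns a list sorted by timestamp."""
    events = []
    for line in raw.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Per-user sliding-window detector.
    'push_burst': at least `threshold` unanswered pushes inside `window`.
    'approve_after_burst': an approval while that burst is still live,
    i.e. the exact sequence that opened the door in the Uber case.
    Returns a list of (user, alert_kind, timestamp)."""
    recent = defaultdict(deque)      # user -> timestamps of unanswered pushes in window
    in_burst = defaultdict(bool)     # user -> burst alert already raised and still live
    alerts = []
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts that aged out of the window
            q.popleft()
        if not q:
            in_burst[user] = False        # nothing left in window: burst is over
        if ev["event"] in UNANSWERED:
            q.append(ts)
            if len(q) >= threshold and not in_burst[user]:
                in_burst[user] = True
                alerts.append((user, "push_burst", ts))
        elif ev["event"] == "mfa.push.approved":
            if in_burst[user]:
                alerts.append((user, "approve_after_burst", ts))
            q.clear()                     # a completed login resets the picture
            in_burst[user] = False
    return alerts


if __name__ == "__main__":
    for user, kind, ts in detect_push_bombing(parse_events(SAMPLE_LOG)):
        print(f"{ts:%H:%M:%S} {user:<14} {kind}")
```

The second alert kind is the one worth paging on: a burst alone may be a misconfigured client, but an approval right after a burst is a user who has very likely just been talked into it, and the response is to kill that session and rotate the password before the attacker enrolls their own device.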
What Actually Works
The good news is that the fix is genuinely more secure, not just differently inconvenient.
Ditch SMS codes entirely. Replace them with an authenticator app such as Google Authenticator, Authy, or Microsoft Authenticator. These apps generate codes locally on your device from a secret shared once at setup, so no code ever travels over the phone network. A SIM swap can't intercept them because there's no text to intercept. One honest caveat: the code is still a six-digit number you type in, so a convincing phishing page that relays it to the real site within its thirty-second window still works. That is why the next step matters.
Go further with a hardware key. Devices like a YubiKey plug into your computer's USB port or tap against your phone via NFC. You physically have to touch the device to authenticate, and the key signs a challenge that is bound to the website's real address, so a lookalike phishing domain gets a signature that is useless anywhere else. No push notification to bomb, no SMS to intercept, no code to phish. Cloudflare weathered a 2022 phishing campaign that captured employee passwords and one-time codes in real time precisely because logins required a hardware key: the stolen codes were worthless without the key, and the key would not sign for the attacker's domain.
Lock your carrier account down. Call your mobile provider and ask for two things: a port freeze or number lock, which blocks moving your number to another carrier, and a SIM lock or SIM protection, which blocks issuing a new SIM for your number on the same carrier. A SIM swap is the second one, so ask for both; some carriers bundle them as "account takeover protection." Set a carrier account PIN while you're on the call. Lifting these locks typically requires you to disable them from inside your authenticated account or to visit a store in person with photo ID. T-Mobile, Verizon, and AT&T all offer some version of this; you just have to request it.
Use a unique email for security-critical accounts. Your banking email should not be the same address you use for newsletters, shopping, or anything that's likely been in a breach. A dedicated address that you never give out reduces your attack surface significantly.
Know what an attack feels like. If you suddenly get a flood of MFA push notifications you didn't initiate, that's not a glitch: someone has your password and is trying to get in. Don't approve anything, no matter who calls or messages you claiming to be IT. Change your password immediately (from a different device if possible), then report it to your account's security team.
The One Thing That Surprises People
Most articles assume you're the target of an opportunistic attacker running automated scripts. The scarier truth is that SIM swapping attacks are often deeply personal and manually researched.
In 2018, crypto investor Michael Terpin had $23.8 million stolen through SIM swapping by attackers who specifically targeted him after he publicly discussed his cryptocurrency holdings (Wikipedia). The attackers spent time learning about him before making a single phone call.
If you talk about money, crypto, or financial assets publicly online, you're advertising to a very specific category of criminal. The attack starts long before the phone call to your carrier.
The Honest Limitation
Here's where I won't lie to you: even hardware keys can be circumvented if an attacker gains physical access to your device, or if a service falls back to SMS when you claim to have lost your key. That fallback option, built into most platforms to avoid locking users out permanently, is often the easiest path in. So after you add a key, go back through each account's recovery settings and remove the phone number and any other weaker fallback the service lets you drop; a second hardware key kept somewhere safe is the better answer to "what if I lose it." No security system is airtight. What you're doing is making yourself the hardest target in the room, not an impossible one. The goal is to make breaching you cost more effort than an attacker is willing to spend.
Two-factor authentication is still worth having. But treating it as a finished solution is what gets people hurt.
Sources:
- VikingCloud, citing FBI Internet Crime Complaint Center (IC3) figures on SIM swap losses
- Wikipedia, SIM swap scam (Michael Terpin case)
- PhishLabs, summarizing the Princeton SIM swap study
- HYPR, 2022 State of Passwordless Security report
