█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Identity and Access Management/Multi-Factor Authentication
35 minBeginner

Multi-Factor Authentication

After this lesson, you will be able to: Compare MFA methods (TOTP, SMS, push, hardware keys), and identify the realistic attacks against each.

Multi-factor authentication is the single biggest defense upgrade most accounts can make. But not all MFA is equal. SMS is far weaker than a hardware key. This lesson breaks down each method and the attacks they do (and don't) stop.

Prerequisites:Passwords and Authentication

The three factors

Authentication factors fall into three categories: something you know (a password, PIN), something you have (a phone, hardware key), and something you are (fingerprint, face). MFA combines two or more factors of different types. Two passwords aren't MFA, they're both 'know' factors.

TOTP, the standard six-digit code

Time-based One-Time Password apps (Google Authenticator, Authy, 1Password) generate a six-digit code every 30 seconds based on a shared secret and the current time. TOTP is offline, free, and resistant to most attacks. It's the recommended baseline for any account that supports it.

Secret key + clock
shared once at setup
→
HMAC-SHA1
recomputed every 30s
→
6-digit code
rotates with a countdown
TOTP: both sides derive the same code from a shared secret and the current time, so no code ever travels over the network.

💡 Why SMS MFA is the weakest option

SMS codes can be intercepted via SIM-swap attacks (an attacker convinces your carrier to port your number to their device) and via SS7 protocol weaknesses. Use SMS only when nothing else is available, and never for crypto, banking, or admin accounts.

Hardware keys (FIDO2 / WebAuthn)

A physical USB or NFC key (YubiKey, Google Titan) that performs a cryptographic challenge. Hardware keys are phishing-resistant, they verify the website's domain before responding, so a fake login page gets nothing. Required for high-value targets; strongly recommended for everyone running anything important.

How attackers bypass MFA

Push-fatigue attacks: spam approval requests until the user taps Allow out of frustration. Adversary-in-the-middle (AiTM) phishing: capture the session cookie after the user completes MFA on a fake site. MFA-bombing combined with social engineering still works against many users, defense is to enforce phishing-resistant MFA wherever possible.

Quick Check

Best MFA option for your most-important account?

Think about which method survives phishing, push-fatigue, and SIM-swap attacks.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Passwords and Authentication
Back to Identity and Access Management
Access Control Models→