Skip to content

Does enabling MFA make an account impossible to phish?

Short answer

No. MFA raises the bar a lot, but OTP and push factors are phishable: adversary-in-the-middle kits (e.g. Evilginx) proxy the login and relay the code in real time, and MFA-fatigue/push-bombing tricks users into approving. Captured codes are reusable within their short window. The misconception is 'MFA = unphishable'; the factor type is what matters. Phishing-resistant MFA — FIDO2/WebAuthn passkeys bound to the site's origin — is what actually defeats this.

MFA is one of the highest-value security controls you can deploy — but "MFA = unphishable" is a dangerous overstatement that has been disproven by major real-world breaches. This question tests whether a candidate knows that not all MFA is equal.

Most MFA in the wild is OTP (a 6-digit code from SMS or an authenticator app) or push (approve on your phone). Both share a fatal property: the user can be tricked into handing the proof to an attacker. An adversary-in-the-middle (AiTM) phishing kit such as Evilginx hosts a reverse proxy on a look-alike domain. The victim "logs in" through it; the kit relays the username, password, and the freshly entered OTP to the real site in real time, completing the login and stealing the resulting session cookie. The 30-second rotation doesn't help — the attacker uses the code inside that same window. MFA fatigue / push bombing is even simpler: spam the user with approval prompts until, annoyed or confused, they tap Approve. SMS adds SIM-swap and interception risk on top, so it is among the weakest factors, not phishing-proof.

What actually resists phishing

The defense is phishing-resistant MFA: FIDO2 / WebAuthn security keys and passkeys. These use public-key cryptography where the private key never leaves the device, and the browser cryptographically binds the assertion to the origin of the site requesting it. If the user is on a phishing domain, the signature simply won't validate for the real site — there is no shared secret or code to relay, so the AiTM proxy has nothing to forward. Smart-card / PIV certificates give the same origin-bound property.

The takeaway

Frame MFA as a spectrum: SMS < authenticator OTP < push-with-number-matching < FIDO2/WebAuthn. Turning on any MFA blocks credential-stuffing and basic password reuse, which is why it's still essential. But to claim an account is unphishable, you need origin-bound, phishing-resistant factors. The misconception isn't "MFA is useless" — it's assuming the checkbox alone closes the phishing door.

Likely follow-ups

  • How does an adversary-in-the-middle proxy defeat a time-based OTP in practice?
  • Why is FIDO2/WebAuthn phishing-resistant when OTP and push are not?
  • What is MFA fatigue, and which UX change mitigates it?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.