Security advice has hardened into a slogan: turn on two-factor authentication and you’ll be safe. The first half is correct: 2FA stops the vast majority of opportunistic attacks. The second half oversells it. Sophisticated attackers have spent years building tools specifically to defeat the most common forms of 2FA, and the gap between “much safer” and “actually safe” matters more than the marketing copy admits.
SMS-based 2FA is the weakest link
If your second factor is a text message, you’re protected against random password leaks but not against a determined attacker. SIM-swapping attacks, where a criminal convinces your carrier to port your number to a new device, have become routine enough that the FBI publishes warnings about them. Once they own your number, every SMS code flows to them. Phone carriers have improved their defenses, but social engineering still works often enough that high-value targets (crypto holders, executives, journalists) get hit regularly. The cost to the attacker is a phone call and a forged ID. The cost to you is everything tied to that number. If you only do one upgrade after reading this, switch from SMS to an authenticator app or hardware key for your important accounts.
Phishing kits have caught up
Modern phishing kits like Evilginx and Modlishka don’t just steal passwords; they sit between you and the real site, capturing your 2FA code as you enter it and forwarding it within seconds. The user sees a legitimate login flow because, technically, they’re going through one, just via a malicious proxy. Authenticator apps don’t help here because the code is still being typed into a fake page. The only widely available defense is FIDO2-based authentication, which cryptographically binds the login to the actual domain. Hardware keys like YubiKeys and platform passkeys built into iOS and Android implement this. They’re not foolproof, but they break the proxy attack model entirely.
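The origin binding described above, as an added Python example that is not from the article: a relying party's TOTP check next to its WebAuthn assertion check when the same login is relayed through a proxy page. The site names, secrets and challenge are constructed for the example, and HMAC stands in for the authenticator's asymmetric signature so it runs on the standard library alone.

```python
import hashlib
import hmac
import json

RP_ORIGIN = "https://bank.example"            # constructed relying party (assumption)
RP_ID = "bank.example"
PROXY_ORIGIN = "https://bank-login.example"   # constructed host of the phishing proxy

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). The code says nothing about which site it is for."""
    mac = hmac.new(secret, (at // step).to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

def authenticator_assert(cred_key: bytes, browser_origin: str, challenge: str) -> dict:
    """Browser + authenticator side: the browser, not the user, writes the origin it is on into
    clientDataJSON, and the signature covers its hash. HMAC stands in for the real signature."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01"    # rpIdHash || flags(UP)
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(cred_key, signed, hashlib.sha256).digest()}

def rp_verify_assertion(cred_key: bytes, a: dict, expected_challenge: str) -> bool:
    """Relying-party checks: type, fresh challenge, origin, rpIdHash, then signature."""
    cd = json.loads(a["client_data"])
    if (cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge
            or cd.get("origin") != RP_ORIGIN                 # the check no TOTP code can make
            or a["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest()):
        return False
    signed = a["auth_data"] + hashlib.sha256(a["client_data"]).digest()
    return hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(), a["sig"])

def relay_demo(now: int = 1_699_999_980) -> dict:
    """Same victim, same proxy, both factor types; returns which logins the RP accepts."""
    totp_secret, cred_key = b"constructed-totp-secret", b"constructed-credential-key"
    challenge = "constructed-challenge-123"    # issued by the RP, passed through by the proxy
    # A TOTP typed on the proxy page and forwarded to the real site 5 s later still matches.
    totp_relayed = hmac.compare_digest(totp(totp_secret, now), totp(totp_secret, now + 5))
    # An assertion made on the proxy page carries the proxy's origin and is rejected.
    relayed = authenticator_assert(cred_key, PROXY_ORIGIN, challenge)
    # Rewriting the origin field in transit invalidates the signature: still rejected.
    tampered = dict(relayed, client_data=relayed["client_data"].replace(
        PROXY_ORIGIN.encode(), RP_ORIGIN.encode()))
    direct = authenticator_assert(cred_key, RP_ORIGIN, challenge)
    accept = lambda a: rp_verify_assertion(cred_key, a, challenge)
    return {"totp_relayed": totp_relayed, "webauthn_relayed": accept(relayed),
            "webauthn_tampered": accept(tampered), "webauthn_direct": accept(direct)}
```

The rpIdHash check covers the other half of the binding: a browser on the proxy's domain will not produce an assertion for an rpId it does not own.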
Session hijacking ignores 2FA altogether
Once you’re logged in, your browser holds a session token that proves you authenticated. Malware on your device can steal that token and replay it from another machine, skipping the login process entirely. Infostealer malware has exploded in recent years, with marketplaces selling stolen sessions in bulk. No amount of 2FA helps if the session itself walks out the door. The defenses are unsexy: keep your OS patched, avoid sketchy software, use a separate browser profile for sensitive accounts, and check active sessions in your account settings periodically. Some services now bind sessions to device fingerprints, which helps, but adoption is uneven.
The takeaway
2FA is still worth turning on everywhere; it raises the floor enormously. But treating it as a finish line rather than a checkpoint is how people get burned. If an account holds money, identity, or access to your livelihood, upgrade it from SMS to an authenticator app at minimum, and to a hardware key or passkey ideally. Pay attention to where you log in, what you click, and what’s running on your devices. Security is a stack, not a switch.