Making 2FA/MFA robust against smishing and related attacks

Traditionally, authentication of users of web and mobile applications has been done with  username/password logins. However, attackers soon found vulnerabilities that could be exploited. Users  might use weak passwords, use the same password for multiple accounts, share passwords, etc.; even  with strong passwords, attackers might use social engineering to persuade the human user to bypass  the protection, e.g., by revealing the password to the attacker, presenting the credentials to a malicious  site where they could be captured, and so on. 

2FA/MFA was introduced to make it harder for attackers, by requiring two or more proofs of identity – also known as authentication factors. These can take many forms, but can be boiled down to: something  you know (e.g., a password), something you have (e.g., a cryptographic key), or something you are (e.g.,  a biometric ID that is unique to you) [1]. 

However, 2FA/MFA is not a universal panacea that can be picked off a shelf and thrown in to solve any  and all challenges presented by attackers.

▪ Just because something CAN be used as an authentication factor does not make it a good authentication factor. Using SMS to deliver a short-lived One-Time-Password (OTP) to a user’s  mobile phone (“something you have”), is an example of an authentication factor notorious for  its weaknesses. SMS relies on decades-old legacy technology with known vulnerabilities. 

▪ Implementation: the way an authentication factor is implemented can make a big difference in  the viability of attacks/hacks against it. A little-known fact is that most mobile authenticator  apps can be hacked surprisingly easily, e.g., attackers can get the seed to generate the same OTP  in another authenticator by exploiting a Trust Gap [2]. Hence, the implementation should be  well crafted to avoid various pitfalls.

▪ Resets/re-onboarding. Authentication factors need to be set up. Sometimes, they need to be reset, e.g., when a user forgets their password or when a software token is bound to a specific mobile device and the user gets a new phone. This introduces vulnerabilities that can be exploited. For example, if a helpdesk is involved, social engineering could be used to induce a  reset in the attacker’s favor. 

These days, cybercrime groups like UNC3944 [3] have reportedly been actively carrying out active attacks by exploiting vulnerabilities in the implementation and resets/re-onboarding of 2FA/MFA. Even some well-known organizations have been hacked. 

It is no longer enough to use just any 2FA/MFA. Besides choosing reasonably reliable authentication factors, it should come with well-crafted implementations and minimize or even eliminating the need for resets/re-onboarding. A  passwordless solution would eliminate the use of passwords that can be easily phished. Appropriate use of biometrics can also effectively eliminate the need for  2FA/MFA bypass or re-onboarding. Finally, a solution that can eliminate Trust Gap issues would have to be able to defend software against attacks and provide a  strong identity to the app in addition to the user. A good solution that can meet the above requirements for strong mobile-based 2FA/MFA is provided by V-Key ID  [4]. It builds on the foundations of V-Key’s V-OS Smart Token, a well-crafted implementation that solves Trust Gap issues, and adds innovations such as cross-platform privacy-enabled biometrics to minimize/eliminate resets/re-onboarding.  It can be used to provide strong 2FA/MFA for both your employees (using V-Key  Smart Authenticator) as well as your customers (incorporating V-Key ID within your app).


[1] NIST Special Publication 800-63 Part 3 “Digital Identity Guidelines,” 

[2] “Most mobile authenticator apps have a design flaw that can be  hacked”, Flaw-That-Can-Be-Hacked 

[3] “Why are you Texting Me? UNC3944 leverages SMS ..”, sim-swapping-ransomware?s=01 

[4] “Revolutionising Universal Digital Identities with V-Key ID,” digital-identities-with-v-key-id/ 


V-Key is an internationally-acclaimed software-based digital security company, headquartered in  Singapore, founded in 2011. V-Key’s pioneering mobile technology powers ultra-high-security solutions for mobile identity, authentication, authorization, and payments for major banks,  payment gateways, and government agencies. 

V-Key is the inventor of V-OS, the world’s first and only true patented virtual secure element that  uses advanced cryptographic and cybersecurity protections to comply with standards previously reserved only for expensive hardware solutions. V-OS’ tamper-resistant design allows for the secure storage of cryptographic keys, data, and application codes. The multi-layered security features of V-OS allow it to serve as the core security foundation on which a multitude of use cases can be built- Digital-only Bank, National Digital Identity, Digital Token, Smart Nation, Cardless ATM withdrawals, and Mobile Document Signing. 


Fintech Philippines Association is an independent, non–profit industry association representing the interests and growth of the Fintech community in the Philippines. Fintech PH aims to position the Philippines as a hub for technological innovation in financial services. 

We are the largest financial technology trade association in the country. Established in 2017, it consists of over 145 Advisory, Corporate and Individual members. 

Fintech PH is committed to furthering financial inclusion through technology and helping businesses from all industries harness financial technologies.


More Posts

The Role of Mobile App Security in Crypto Wallets

In 2020, the KuCoin exchange, a prominent cryptocurrency trading platform, suffered a  devastating hack, resulting in the loss of over $280 million in various cryptocurrencies. The attackers exploited a vulnerability