Are Your Accounts Secure? Why Your Authenticator App Isn’t Enough

Discover how modern phishing attacks bypass TOTP apps, and why hardware-backed MFA like YubiKey is the upgrade your account security desperately needs.


The MFA Illusion

Multi-Factor Authentication (MFA) has become the standard advice for securing online accounts. And for good reason: it adds a critical second layer of protection beyond passwords. But not all MFA is created equal, and in today’s sophisticated threat landscape, that distinction is more important than ever.

Many users and even organizations rely heavily on TOTP-based MFA apps like Google Authenticator or Microsoft Authenticator, believing they are protected from phishing, fraud, and account takeovers. This belief, however, can be dangerously misleading. These apps do increase security, but only to a point. They were never designed to defend against the targeted, real-time attacks that cybercriminals now routinely deploy.

Modern attackers have evolved. They no longer need to steal passwords or brute-force logins. Instead, they exploit session hijacking, man-in-the-middle phishing proxies, and social engineering attacks that sidestep time-based codes entirely. Sophisticated toolkits like Evilginx2 automate this process, making it trivial for attackers to intercept not just login credentials, but entire authenticated sessions, even with TOTP MFA in place.

This article is a wake-up call.

We’ll explore:

  • Why TOTP apps are fundamentally vulnerable by design.

  • How real-world attacks are rendering them increasingly ineffective.

  • Why phishing-resistant MFA, such as FIDO2/WebAuthn with hardware security keys like YubiKey, offers a radically more secure model.

  • And how to make the shift before your "MFA-protected" accounts become low-hanging fruit.

It’s time to stop treating TOTP as a bulletproof vest. The threats have changed; our defenses must evolve, too.
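To make the difference concrete, here is an added example (not code from the newsletter) that models both verifications in simplified Python: an RFC 6238 TOTP check, and a cut-down WebAuthn assertion check in which the browser, not the user, records the origin it is actually on in clientDataJSON. HMAC stands in for the authenticator's ECDSA signature, authenticatorData is omitted, and the domains, seeds and challenge are constructed.

```python
import base64, hashlib, hmac, json, struct

RP_ORIGIN = "https://login.example.com"     # constructed: the legitimate site
PHISH_ORIGIN = "https://login-example.com"  # constructed: a look-alike proxy domain


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


def server_accepts_totp(secret: bytes, submitted: str, now: int) -> bool:
    # The code says nothing about *where* the user typed it, so a code relayed
    # by a proxy inside the same 30-second window is indistinguishable.
    return hmac.compare_digest(submitted, totp(secret, now))


def browser_assertion(cred_key: bytes, challenge: str, observed_origin: str):
    """Simplified WebAuthn: the browser writes the origin it is actually on into
    clientDataJSON; the authenticator signs its hash (HMAC stands in for ECDSA)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": observed_origin}, sort_keys=True).encode()
    sig = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).hexdigest()
    return client_data, sig


def rp_verifies(cred_key: bytes, challenge: str, client_data: bytes, sig: str) -> bool:
    data = json.loads(client_data)
    if data.get("origin") != RP_ORIGIN or data.get("challenge") != challenge:
        return False  # produced on another site or for another challenge: reject
    expected = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


def relay_scenario(now: int = 1_700_000_000) -> dict:
    """A proxy sitting between victim and site forwards whatever the victim produces."""
    totp_secret, cred_key = b"constructed-totp-seed", b"constructed-credential-key"
    # TOTP: the victim types the current code into the proxy page; it is forwarded as-is.
    relayed_code = totp(totp_secret, now)
    totp_ok = server_accepts_totp(totp_secret, relayed_code, now + 5)
    # WebAuthn: the proxy forwards the real challenge, but the victim's browser is on PHISH_ORIGIN.
    challenge = base64.urlsafe_b64encode(b"constructed-rp-challenge").decode()
    webauthn_ok = rp_verifies(cred_key, challenge, *browser_assertion(cred_key, challenge, PHISH_ORIGIN))
    # Control: the same credential used on the real origin verifies fine.
    legit_ok = rp_verifies(cred_key, challenge, *browser_assertion(cred_key, challenge, RP_ORIGIN))
    return {"totp_relayed_accepted": totp_ok, "webauthn_relayed_accepted": webauthn_ok,
            "webauthn_legit_accepted": legit_ok}
```

The TOTP server has no way to tell a relayed code from a genuine one, while the origin-bound assertion fails the moment it was produced on a domain other than the relying party's.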

Published in The Routing Intent by Leonardo Furtado.