Never Share Your MFA Codes

Multi-factor authentication (MFA) is a fantastic security tool. It ensures that, even if a bad actor learns your password, they won’t be able to break into the account in question—at least, not without the trusted device associated with MFA.

That’s the key: MFA relies on codes sent to or generated by a trusted device, often your smartphone. You may receive an SMS with the MFA code, or launch your authenticator app to retrieve a secret code. But no matter how you access your MFA code, the important thing is that it’s you accessing the code, and no one else. If another party is able to see what your MFA code, that defeats the security of the tool entirely.

As such, stealing MFA codes is a growing tactics bad actors are adopting in order to break into accounts and compromise networks. If these actors can convince targets to share their MFA codes, they can bypass MFA’s protections and wreak havoc on your business or personal life.

Now more than ever, it’s essential to be on the lookout for these scams. Actors may try any number of techniques to trick you into sharing your MFA codes. If a bad actor knows your password, they may trigger MFA, knowing you’ll receive a code. They may then contact you via text or phone, claiming they need that code for verification purposes. If you share it, they’ll then be able to access your account.

However you’re contacted, remember one key thing: companies will never contact you directly, either by phone, text, or email, asking for your MFA code. MFA codes are only ever required when signing into your account, and this action will trigger the code request itself. If you ever receive an MFA code, and you didn’t initiate the request, assume there is a scam attempt in the works. Don’t respond to any requests for that code. Instead, change your password, and continue keeping your accounts and networks secure.