Not all factors are created equal. Or why verification codes aren’t enough.

Multi-factor authentication (MFA) is now a common protection against password misuse. When logging in, we are used to entering one-time verification codes from email, SMS, or an app. However, this method has a critical weakness: the code is not tied to the website you type it into, so a phishing page can collect it and use it. In this article, we explain this vulnerability of verification codes and show how to ensure security without sacrificing convenience.

30 Oct 2025 Dávid Magušin Threats

You take cybersecurity seriously, which is why you’ve set up multi-factor authentication (MFA) on your social media accounts, email, information systems, and online services. Entering a code sent to you by email, SMS, or a mobile app can be annoying, but you’re willing to tolerate this inconvenience for the sake of stronger security. But what if this inconvenience is partly unnecessary and not as secure as you think? In this article, we’ll explore the risks of one-time verification codes as a method of multi-factor authentication and introduce a solution that is both more convenient and more secure.

How do one-time verification codes work?

One-time codes are one method of multi-factor authentication. When you log in, you receive a one-time code via SMS, email, or a mobile app and enter it into the system, which treats the correct code as confirmation that it is really you. An attacker who knows only your password cannot get in this way, for example if they obtained your credentials in a data breach and are now trying to use them. Note, though, what the service can actually check: only that the digits you typed match the ones it expects within a short time window. It has no way of telling where you typed them. So what if the attacker anticipates that you have this method enabled?


Phishing vs. codes 1:0

As the saying goes, “attackers are always one step ahead”, and unfortunately this is not just an empty phrase. Attackers simply try to obtain your verification codes too. They typically do this by tricking you into clicking a link that leads to a fake website, which may differ from the real one only by a small change in the address (for example, “munl” instead of “muni”). If you then enter your password and one-time code on that page, you hand both straight to the attacker, who forwards them to the real service within the seconds or minutes the code remains valid. The service sees a correct password and a correct code and has no way of knowing that they reached it through a fake page. And that is where the problem lies.

There is a solution, however: you can set up a security key as your multi-factor authentication method. In its software form it is also called an access key or passkey; all variants work according to the WebAuthn standard.

What is a security key?

It is a digital token or program tied to a physical device (laptop/desktop, mobile/tablet). You click it, touch the fingerprint reader, or scan your face; that is all it takes to sign in. Under the hood the key is a cryptographic key pair: the private half never leaves your device, the service stores only the public half, and the key is registered to one specific website, so it will not work with any fake “lock”, i.e., a fraudulent website. Convenient and secure; let's explain the principle a little further.

You don’t enter any codes. You don’t type anything into a form, so an attacker can’t rely on someone “entering” a code on a fake site.

Security comes first. The key checks the service for you: your browser and the key only respond to the website the key was registered with, and the signed response includes the address of the site you are actually on, so a response produced on a fake site is rejected by the genuine one.

It is very convenient. You confirm your login with a simple click, fingerprint, or facial scan — no code entry is required.


What does using a security key look like in practice?

Examples of using a security key with MUNI Unified Login services on different platforms.

Bitwarden

Bitwarden password manager — you can save the security (access) key in the browser extension and confirm authentication with a single click.

Windows Hello

Windows Hello — sign in using a fingerprint or facial recognition on Windows.

macOS

Touch ID (MacBook) — sign in using a fingerprint on a Mac.


That sounds almost too good to be true, right? Yes, there is a catch. Actually, three catches:

  • Requires initial setup – a few extra minutes, but then it works hassle-free

    If you want to set up this method, for example at Masaryk University, we have video tutorials that will guide you through the entire process. We also offer a group workshop where our experienced instructors can help you set it up in person. For other services, look in the settings for multi-factor authentication and setup using a security/access key.

  • Not every service currently supports the security key method

    Not every service supports security keys yet, although support is spreading. At MUNI, you can set one up for MUNI Unified Login services. The IS MU system does not offer this option yet, but you can already confirm login there with the IS MU Notifications App on your phone. Security keys are also available for some other services, such as Google, Microsoft, X (formerly Twitter), or LinkedIn. Some of these offer so-called “passwordless” login, where the security key (passkey) replaces the password entirely: you enter only your username or email and then confirm the login, for example with a fingerprint or facial recognition.

  • Requires a compatible device

    On some computers or laptops that don’t support sign-in methods such as fingerprint or facial recognition, it’s not possible to use a security key directly on the device. If you want to check whether your device supports this feature, you can test it here:

    Test your device

    Even if your device doesn’t support this feature, there’s a solution: you can store your security key in a password manager (a vault where you keep all your passwords), such as Bitwarden, and use it on other devices, whether another computer or your mobile phone. Bitwarden is free and open source, and to date no breach of its users’ vault data has been reported. It can also fill in your login details automatically, and you use the security key simply by clicking the confirmation button. Because the passkey then lives in your vault, protect the vault itself with a strong master password and its own multi-factor authentication. We also have a video tutorial and a group workshop to help you with installation and use.

A final word

Multi-factor authentication is an important step toward increasing the security of your accounts, but not all methods are equally effective. One-time codes do provide an extra layer of protection, but they can still be vulnerable to phishing or theft. That’s why we recommend using a software security key. It automatically verifies that you are signing in to the correct service and cannot be used on a fake website. Signing in is quick and simple — just a click, fingerprint, or facial recognition. Although this method has some limitations, there are ways to overcome them — for example, by using a password manager that stores your security key and allows you to use it even on devices without biometric login. A security key significantly increases the protection of your accounts against misuse and, in particular, against phishing attacks. And if you’d like to learn more about cybersecurity, you can start with the Cybercompass course.
