
What types of attacks can MFA using a hardware authenticator prevent?

Çağlar Arlı      -    24 Views


I recently looked into the topic of MFA in combination with some hardware authenticator (USB keys like Nitrokey/Yubico) to potentially improve the overall security of my digital daily activities (web email, online banking, etc.). For this, I read several articles and watched some videos on the topic, but I still do not fully understand against what types of attacks a user is really protected.

Personally, I identified two cases and want to verify if my assumptions are correct:

  1. It protects my online account against phishing attacks
    because the password alone is not enough due to using MFA (regardless of whether it is a hardware authenticator or not)

  2. It protects against exploitation/hijacking of my online account even in case my system (computer/phone) was recently compromised by some malware
    I originally based this on the following quote from the WebAuthn Wikipedia site:

Moreover, a roaming hardware authenticator is resistant to malware since the private key material is at no time accessible to software running on the host machine.

However, after reading an answer from another security thread, I think this can only be the case as long as the user does not approve any other request after the first initial login request, because the compromised machine could alter any legitimate request a user might send after login, according to the following quote from the previously cited link:

The hardware device confirms that the person holding the device approved the action. However, it doesn't protect the integrity of the message the owner wanted to sign.

Related to this I have two more questions:

  1. What other types of attacks can be prevented by using MFA together with a hardware authenticator?
  2. Is there any scenario where MFA together with a hardware authenticator helps me if my system (computer/phone) is compromised?

Already a big thanks beforehand for answering my questions.
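
An added illustration, not part of the original post, of the two quoted claims: a small Node.js model of a hardware key and a relying party that shows which bytes the login signature covers. The Ed25519 key pair, the origins, the transfer fields and the simplified signing input are assumptions made for this example.

```javascript
// Simplified model (assumption): a real assertion signs authenticatorData plus
// SHA-256(clientDataJSON); here only the client-data hash is signed.
const nodeCrypto = require('node:crypto');
const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest();

// Hypothetical stand-in for the hardware key: the private key never leaves this closure.
function makeAuthenticator() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  return {
    publicKey, // registered with the relying party
    getAssertion: (clientDataJSON) => nodeCrypto.sign(null, sha256(clientDataJSON), privateKey),
  };
}

// Relying-party check: valid signature, then the expected challenge and origin.
function verifyAssertion(publicKey, clientDataJSON, signature, expected) {
  if (!nodeCrypto.verify(null, sha256(clientDataJSON), publicKey, signature)) return 'bad-signature';
  const data = JSON.parse(clientDataJSON);
  if (data.challenge !== expected.challenge) return 'wrong-challenge';
  if (data.origin !== expected.origin) return 'wrong-origin';
  return 'ok';
}

function demo() {
  const key = makeAuthenticator();
  const expected = {
    challenge: nodeCrypto.randomBytes(16).toString('base64url'),
    origin: 'https://bank.example', // constructed origin
  };
  // Login on the genuine site.
  const genuine = JSON.stringify({ type: 'webauthn.get', ...expected });
  const signature = key.getAssertion(genuine);
  const login = verifyAssertion(key.publicKey, genuine, signature, expected);
  // Same challenge relayed through a look-alike site: the browser records that
  // site's origin in the client data, so the relying party rejects it.
  const lookalike = JSON.stringify({ ...JSON.parse(genuine), origin: 'https://bank.example.test' });
  const phished = verifyAssertion(key.publicKey, lookalike, key.getAssertion(lookalike), expected);
  // After login, request bodies are not part of what was signed: the assertion
  // vouches for neither the intended transfer nor one rewritten on the host.
  const covers = (body) => nodeCrypto.verify(null, sha256(body), key.publicKey, signature);
  return {
    login,
    phished,
    coversIntended: covers(JSON.stringify({ to: 'ALICE', amount: 10 })),
    coversAltered: covers(JSON.stringify({ to: 'OTHER', amount: 900 })),
  };
}

console.log(demo());
```

Both `coversIntended` and `coversAltered` come back `false`: the login assertion says nothing about later requests, so a service that needs that guarantee has to bind the request itself into a fresh signed challenge.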