Virtual tokens are one-time passwords, usually a short series of numbers, that are delivered to the user by way of email, SMS message, or even a phone call.
The biggest problem with this mechanism is that, under a targeted attack, authentication becomes a race condition.
None of these delivery channels was designed to be confidential, so an attacker in the right place, physical or logical, can intercept the token and authenticate to the system before the user does.
Phishing tools such as Modlishka, CredSniper, and Evilginx capture the username, password, and token a user enters on a look-alike site and use them against the real site in real time, so the attacker obtains an authenticated session while the user is passed through to the genuine site and notices nothing.
A hardware token that implements an origin-bound protocol such as U2F is not susceptible to this type of attack, because the signature it produces covers the origin the browser actually loaded, and the real site rejects a response generated for the look-alike domain. A hardware token that merely displays a code offers no such protection, since the user can type that code into the phishing page just as easily.
Another threat to virtual tokens is SIM swapping: phone carriers can be social-engineered into transferring a phone number to a SIM card the attacker controls, so the attacker receives the MFA token instead of the user.
And finally, any outage in the infrastructure that delivers the token leaves users unable to receive what they need to log into their systems.
That infrastructure includes the cellular network, the Internet connection, the email server, the SS7 network that carries SMS, and other components, all of which are outside the control of the system owner.
The Federal Bureau of Investigation (FBI) released a bulletin in 2019 regarding attacks on U.S. banking institutions and their customers that used these types of tokens.
The attacks dated back to 2016 and involved SIM swapping to circumvent two-factor authentication.
Also in 2019, the Muraena and NecroBrowser phishing tools were demonstrated proxying a victim's session through a look-alike site and capturing enough information (credentials and session cookies) to gain access to protected systems.
That toolkit cannot defeat USB hardware tokens that support the Universal 2nd Factor (U2F) standard, however, because the token's response is bound to the origin the browser actually loaded.
Solutions based on codes received over SMS or generated by a mobile authenticator app remain vulnerable.
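The following simulation is an added example, not code from the original text or from any of the tools named above. It illustrates both the race condition with intercepted one-time codes (the phishing-relay paragraph) and why a U2F-style origin-bound second factor survives the same relay (the Muraena/NecroBrowser paragraph). It uses a real RFC 4226/6238 HOTP/TOTP implementation; the site names, the password, the TOTP seed, and the HMAC stand-in for the token's public-key signature are all constructed assumptions for the demo and are not the U2F wire format.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed sample credentials. The attacker never needs the seed: the victim types the code.
TOTP_SEED = b"12345678901234567890"          # the RFC 4226 sample secret
PASSWORD = "correct horse battery staple"
REAL_ORIGIN = "https://bank.example"         # assumed origins for the demo
PHISH_ORIGIN = "https://bank-login.example"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(now // step))


class OtpSite:
    """Password + TOTP login. Codes are single-use, which is what turns an
    intercepted code into a race: whoever submits it first wins."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.used: set[tuple[int, str]] = set()

    def login(self, password: str, code: str, now: float) -> bool:
        if password != PASSWORD:
            return False
        step = int(now // 30)
        for counter in (step - 1, step, step + 1):      # tolerate one step of clock skew
            if hmac.compare_digest(hotp(self.seed, counter), code):
                if (counter, code) in self.used:         # already spent: reject the replay
                    return False
                self.used.add((counter, code))
                return True
        return False


def demo_otp_race(now: float = 1_700_000_000.0) -> tuple[bool, bool]:
    """The attacker obtains the victim's code (intercepted SMS or a look-alike login page)
    and uses it first. Returns (attacker_logged_in, victim_logged_in)."""
    site = OtpSite(TOTP_SEED)
    code = totp(TOTP_SEED, now)                         # what the victim's phone shows
    attacker_ok = site.login(PASSWORD, code, now)       # attacker wins the race
    victim_ok = site.login(PASSWORD, code, now)         # victim's own attempt is now a replay
    return attacker_ok, victim_ok


def sign_assertion(key: bytes, challenge: str, browser_origin: str) -> tuple[str, bytes]:
    """What the token does: the browser, not the user, supplies the origin, and the
    signature covers it. HMAC stands in for the token's public-key signature (simplification)."""
    client_data = f"{challenge}|{browser_origin}".encode()
    return browser_origin, hmac.new(key, client_data, hashlib.sha256).digest()


class U2fSite:
    """Second factor is an origin-bound assertion over a single-use server challenge."""

    def __init__(self, key: bytes):
        self.key = key                                  # stands in for the registered public key
        self.outstanding: set[str] = set()

    def challenge(self) -> str:
        c = secrets.token_hex(16)
        self.outstanding.add(c)
        return c

    def verify(self, challenge: str, client_origin: str, signature: bytes) -> bool:
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)             # single use
        if client_origin != REAL_ORIGIN:                # browser was on the wrong site
            return False
        expected = sign_assertion(self.key, challenge, client_origin)[1]
        return hmac.compare_digest(expected, signature)


def demo_u2f_relay() -> tuple[bool, bool, bool]:
    """Returns (direct_login_ok, relayed_as_is_ok, relayed_with_forged_origin_ok)."""
    key = secrets.token_bytes(32)
    site = U2fSite(key)
    # 1. Victim on the real site: origin matches and the signature verifies.
    c1 = site.challenge()
    direct_ok = site.verify(c1, *sign_assertion(key, c1, REAL_ORIGIN))
    # 2. Proxy relays the real challenge to a browser sitting on the look-alike origin;
    #    the token signs that origin and the real site rejects it.
    c2 = site.challenge()
    relayed_ok = site.verify(c2, *sign_assertion(key, c2, PHISH_ORIGIN))
    # 3. Proxy rewrites the origin field to the real one; the signature no longer matches.
    c3 = site.challenge()
    _, sig = sign_assertion(key, c3, PHISH_ORIGIN)
    forged_ok = site.verify(c3, REAL_ORIGIN, sig)
    return direct_ok, relayed_ok, forged_ok


if __name__ == "__main__":
    print("OTP race (attacker, victim):", demo_otp_race())
    print("U2F (direct, relayed, forged origin):", demo_u2f_relay())
```

The two demos isolate the property that matters: a TOTP or SMS code carries no information about where it was typed, so the site cannot tell the relay from the user, whereas the U2F assertion cannot be produced for the real origin by a browser that loaded the phishing origin, and cannot be edited after the fact without invalidating the signature.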