Unveiling the Covert Vulnerabilities in Multi-Factor Authentication Protocols: A Systematic Review and Security Analysis

Abstract

Nowadays, cyberattacks are growing at an alarming rate, causing widespread havoc to the digital community. In particular, authentication attacks have become a dominant attack vector, allowing intruders to impersonate legitimate users and maliciously access resources. Traditional single-factor authentication (SFA) protocols, which rely on a single authentication factor such as a password, PIN, pre-shared key, or biometric identifier, are often insufficient to address the growing sophistication of modern cyberattacks. They are often bypassed by side-channel or other attack techniques, rendering them inadequate to meet current authentication requirements. To address these shortcomings, multi-factor authentication (MFA) protocols have been widely adopted in recent years, raising the security bar against impostors and restricting unauthorized access. MFA enhances security by combining multiple authentication factors, such as knowledge-based (e.g., passwords), possession-based (e.g., tokens), and inherence-based factors (e.g., biometrics), among others. However, while MFA is generally considered more secure than SFA, it is not foolproof: critical vulnerabilities may still arise from design or implementation flaws in MFA protocols. These vulnerabilities are often overlooked by designers or users and remain undetected until exploited by attackers, potentially resulting in catastrophic consequences. Unfortunately, existing works have failed to adequately analyze and identify most of these critical security flaws in MFA protocols. In this work, we systematically analyze the intricate design and construction of MFA protocols to uncover potential design-level security flaws. To this end, we first define eight security evaluation criteria that are essential to critically evaluate and identify design-level security flaws in MFA protocols. These criteria are primarily derived from existing and newly introduced MFA security requirements.
We then review a range of MFA protocols across various domains, including client-server systems, cloud computing, finance, healthcare, the Internet of Things (IoT), wireless sensor networks (WSN), smart cities, and other industrial applications. Using our established evaluation criteria, we perform a systematic security analysis and evaluation of these protocols, focusing in particular on their design and construction. Ultimately, our investigation uncovers several security flaws in most of the MFA protocols evaluated. Due to space limitations, we select ten of the vulnerable MFA protocols for deeper security analysis and provide a detailed discussion of the respective flaws identified. Additionally, we devise relevant mitigation strategies to address each of the security flaws identified. Furthermore, we consolidate the runtime performance information of these MFA protocols, as it is directly related to their design, highlighting the trade-off between security and efficiency. Our findings provide valuable insights to cybersecurity researchers and practitioners, helping them address a wide range of security flaws in the design of MFA protocols. Moreover, this investigation underscores the need for improved design and implementation practices to ensure that MFA protocols remain effective in enhancing system security.

Publication
In ACM Computing Surveys journal, ACM