Executive summary
Multi-factor authentication was supposed to stop credential-based attacks. For years, it mostly did. But attackers have adapted, and MFA bypass is now industrialised — with phishing kits, fatigue attacks, and token theft available as services.
The result: organisations with MFA enabled are still being breached. The issue isn't that MFA failed — it's that the wrong type of MFA, deployed without supporting controls, creates false confidence while leaving real gaps.
How attackers bypass MFA
MFA fatigue / push bombing
How it works: Attackers obtain valid credentials (via phishing, breach databases, or purchase) and repeatedly attempt login, flooding the user's phone with push notification approval requests.
Why it succeeds: Users get fatigued by constant notifications. Some approve just to make them stop. Others are tricked by attackers posing as IT support, telling them to accept to "fix the issue."
Impact: This technique was used in high-profile breaches at Uber, Cisco, and Microsoft. It requires no technical sophistication — just persistence and social engineering.
Adversary-in-the-middle (AiTM) phishing
How it works: Attackers set up proxy servers that sit between users and legitimate login pages. When users authenticate — including completing MFA — the attacker captures the session token in real time.
Why it succeeds: The phishing page looks identical to the real one. MFA is completed successfully, but the attacker intercepts the authenticated session. The user sees nothing unusual.
Impact: Tools like Evilginx and Tycoon 2FA have made this attack accessible as a service. Traditional MFA offers no protection against AiTM — the token is captured after successful authentication.
SIM swapping
How it works: Attackers socially engineer mobile carriers to transfer a victim's phone number to a SIM card they control. SMS-based MFA codes then go to the attacker.
Why it succeeds: Carrier staff can be bribed or tricked. Automated systems can be exploited. eSIM provisioning has made attacks faster — from hours to minutes.
Impact: Particularly damaging for high-value targets. Often combined with other techniques for account takeover in financial services and crypto.
Session token theft
How it works: Malware or browser-based attacks steal authenticated session cookies. The attacker doesn't need credentials or MFA — they replay the already-authenticated session.
Why it succeeds: Sessions often persist for hours or days. Token rotation is rare. Once stolen, tokens work from any device until they expire.
Impact: An increasingly common vector. Infostealers like RedLine harvest tokens at scale. Business email compromise often uses stolen session tokens.
Why traditional MFA isn't enough
The problem isn't MFA as a concept — it's the implementation:
Push notifications are phishable
Simple approve/deny prompts can be spammed or socially engineered. The user sees no context about what they're approving.
SMS is fundamentally insecure
SMS was never designed for security. SIM swaps, SS7 attacks, and carrier vulnerabilities make it the weakest MFA factor.
TOTP codes can be phished
Time-based codes entered on phishing pages are captured in real time. The attacker uses them before they expire.
Session management is weak
MFA protects the login moment but not the session. Long-lived tokens and missing re-authentication create windows.
No context awareness
Traditional MFA doesn't consider device, location, or behaviour. A login from an impossible location gets the same treatment.
Legacy protocol exceptions
Legacy email protocols, app-specific passwords, and service accounts often bypass MFA entirely. Attackers know these gaps.
What "phishing-resistant" actually means
Regulators and security frameworks increasingly require "phishing-resistant MFA." But what does this actually mean?
Cryptographic binding to origin: The authentication is cryptographically tied to the legitimate site. Phishing pages can't trigger or intercept it because they're not the real domain.
No shared secrets to steal: There's no code or password that can be phished, intercepted, or replayed. Authentication happens via public key cryptography.
Device attestation: The authenticator proves it's a specific, trusted device — not just that someone has the right code at the right time.
In practice, phishing-resistant means FIDO2/WebAuthn — hardware security keys (like YubiKeys) or platform authenticators (like Windows Hello or Apple Face ID). These methods are immune to AiTM attacks because authentication is bound to the legitimate domain.
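As an added illustration of the origin-binding point above (example code written for this page, not Solluna Caelum's and not any WebAuthn library's), the following Go program plays both sides of a WebAuthn assertion: it signs authenticatorData || SHA-256(clientDataJSON) with a P-256 key the way an authenticator does, then verifies it the way a relying party must, checking the origin and RP ID hash before the signature. The RP name, origins and challenge are constructed, and the phishing domain is a placeholder. Running it shows the honest login verifying, the same assertion relayed from a look-alike origin being rejected, and the proxy's attempt to patch the origin field breaking the signature.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the CollectedClientData fields the browser (not page script) fills in.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// RelyingParty is what the server holds to verify an assertion (names constructed).
type RelyingParty struct {
	ID     string           // RP ID, e.g. "login.example.com"
	Origin string           // exact origin expected in clientDataJSON
	PubKey *ecdsa.PublicKey // credential public key stored at registration
}

// Assertion: authenticatorData, clientDataJSON, ECDSA signature over authData || SHA-256(clientDataJSON).
type Assertion struct {
	AuthData, ClientDataJSON, Signature []byte
}

// buildAuthData builds authenticatorData: SHA-256(rpID) || flags || 4-byte counter.
func buildAuthData(rpID string) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(append(h[:], 0x01), 0, 0, 0, 0) // flags: UP set; counter not used here
}

// signedMessage is the hash the authenticator actually signs.
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// SignAssertion stands in for browser plus authenticator: the browser records the
// origin it is on, the authenticator signs for the RP ID it was handed.
func SignAssertion(priv *ecdsa.PrivateKey, rpID, browserOrigin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return Assertion{}, err
	}
	authData := buildAuthData(rpID)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// VerifyAssertion is the relying-party side. The origin and rpIdHash checks make the
// ceremony phishing-resistant: a proxy on another domain receives a clientDataJSON
// naming its own origin and cannot rewrite it without breaking the signature.
func VerifyAssertion(rp RelyingParty, a Assertion, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return fmt.Errorf("bad clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge {
		return errors.New("wrong ceremony type or challenge (replay or another session)")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not the relying party origin %q", cd.Origin, rp.Origin)
	}
	if want := sha256.Sum256([]byte(rp.ID)); len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: assertion was made for a different RP ID")
	}
	if !ecdsa.VerifyASN1(rp.PubKey, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not cover the presented bytes")
	}
	return nil
}

// OriginBindingScenario: honest login, login relayed via a look-alike proxy, and the
// proxy patching the origin before relaying. Constructed names throughout.
func OriginBindingScenario() (legit, relayed, patched error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	rp := RelyingParty{ID: "login.example.com", Origin: "https://login.example.com", PubKey: &priv.PublicKey}
	const challenge, evilOrigin = "constructed-challenge-0001", "https://login-example.com.evil.test"
	good, _ := SignAssertion(priv, rp.ID, rp.Origin, challenge)
	legit = VerifyAssertion(rp, good, challenge)
	// A real browser on evilOrigin would refuse this RP ID outright; this models the
	// worst case where an assertion was still produced and relayed.
	bad, _ := SignAssertion(priv, rp.ID, evilOrigin, challenge)
	relayed = VerifyAssertion(rp, bad, challenge)
	fixed := bytes.Replace(bad.ClientDataJSON, []byte(evilOrigin), []byte(rp.Origin), 1)
	patched = VerifyAssertion(rp, Assertion{AuthData: bad.AuthData, ClientDataJSON: fixed, Signature: bad.Signature}, challenge)
	return legit, relayed, patched
}

func main() {
	l, r, p := OriginBindingScenario()
	fmt.Println("honest:", l, "| relayed:", r, "| origin patched:", p)
}
```

A production relying party also checks the signature counter, the UV flag where policy requires it, and matches the challenge against the one it stored for that session; the origin check is the step that turns a pixel-perfect phishing page into a failed login rather than a captured session.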
What effective authentication looks like
Organisations with mature authentication posture combine multiple controls:
FIDO2 for high-risk access
Phishing-resistant authentication for privileged users, sensitive systems, and admin access. Hardware keys for highest-risk accounts.
Number matching for push
If using push notifications, require users to enter a displayed number — not just tap approve. Defeats blind approval.
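A worked server-side example of number matching, added here and not taken from the page or from any vendor's product; names, limits and the sample user are constructed. It issues a two-digit number per prompt, accepts an approval only when the phone sends back that number, consumes each challenge once, and refuses to send a fourth prompt to a user who has already received three within five minutes, which complements the number check against push bombing.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// pushChallenge is one outstanding prompt. The number is shown on the login screen
// and must be typed on the phone, so a blind "Approve" tap cannot supply it.
type pushChallenge struct {
	user    string
	number  int
	expires time.Time
	used    bool
}

// PushService is a minimal server side for number-matching push MFA (constructed).
type PushService struct {
	pending   map[string]*pushChallenge // challenge ID -> challenge
	sentAt    map[string][]time.Time    // user -> recent prompt times
	MaxPrompt int                       // prompts allowed per user per Window
	Window    time.Duration
	TTL       time.Duration
}

func NewPushService() *PushService {
	return &PushService{pending: map[string]*pushChallenge{}, sentAt: map[string][]time.Time{},
		MaxPrompt: 3, Window: 5 * time.Minute, TTL: 60 * time.Second}
}

var ErrRateLimited = errors.New("too many prompts: possible push bombing, prompt suppressed and flagged")

// StartPrompt is called after the password check succeeds. It refuses to send yet
// another prompt to a user already flooded, which starves the bombing pattern.
func (p *PushService) StartPrompt(user string, now time.Time) (id string, number int, err error) {
	recent := p.sentAt[user][:0]
	for _, t := range p.sentAt[user] {
		if now.Sub(t) <= p.Window {
			recent = append(recent, t)
		}
	}
	p.sentAt[user] = recent
	if len(recent) >= p.MaxPrompt {
		return "", 0, ErrRateLimited
	}
	p.sentAt[user] = append(recent, now)
	n, _ := rand.Int(rand.Reader, big.NewInt(100)) // two-digit number 00..99
	raw := make([]byte, 16)
	if _, e := rand.Read(raw); e != nil {
		return "", 0, e
	}
	id = hex.EncodeToString(raw)
	p.pending[id] = &pushChallenge{user: user, number: int(n.Int64()), expires: now.Add(p.TTL)}
	return id, int(n.Int64()), nil
}

// Approve is what the phone app calls with the number the user typed.
func (p *PushService) Approve(id string, typed int, now time.Time) error {
	c, ok := p.pending[id]
	switch {
	case !ok:
		return errors.New("unknown challenge")
	case c.used:
		return errors.New("challenge already consumed")
	case now.After(c.expires):
		return errors.New("challenge expired")
	case typed != c.number:
		return fmt.Errorf("number mismatch for %s: approval rejected", c.user)
	}
	c.used = true
	return nil
}

// PushScenario: a mistyped approval, the honest approval, a reuse attempt, and a
// burst of prompts against the same (constructed) user.
func PushScenario() (honest, blind, reuse, burst error) {
	svc := NewPushService()
	now := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC)
	id, number, _ := svc.StartPrompt("alice", now)
	blind = svc.Approve(id, (number+1)%100, now.Add(5*time.Second)) // tapped without reading the screen
	honest = svc.Approve(id, number, now.Add(10*time.Second))
	reuse = svc.Approve(id, number, now.Add(15*time.Second))
	for i := 0; i < 3 && burst == nil; i++ { // one prompt already sent; limit is three per window
		_, _, burst = svc.StartPrompt("alice", now.Add(time.Duration(i+1)*time.Second))
	}
	return
}

func main() {
	h, b, r, f := PushScenario()
	fmt.Println("honest:", h, "| wrong number:", b, "| reuse:", r, "| burst:", f)
}
```

The rate limit belongs on the prompt, not the approval: once the third prompt in the window goes out, further password-only attempts produce a log entry for the SOC rather than another notification for the user.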
Conditional access policies
Vary MFA requirements based on risk signals — location, device health, user behaviour, sensitivity of resource being accessed.
Session management
Short session lifetimes, continuous access evaluation, and step-up authentication for sensitive actions during sessions.
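The conditional-access and session-management points above, in one added Go example (not code from Solluna Caelum or any identity provider; the policy values, session record and device-binding field are constructed assumptions). Evaluate runs on every request, not only at login, and returns allow, step-up or revoke from the session's age, idle time, device binding, current device compliance, location and the resource's sensitivity; completing a step-up rotates the session identifier so a copy taken earlier stops working.

```go
package main

import (
	"fmt"
	"time"
)

// Sensitivity classifies the resource being requested.
type Sensitivity int

const (
	Routine   Sensitivity = iota
	Sensitive             // admin consoles, payroll, mailbox rules and similar
)

// Session is the server-side record behind a token. DeviceID stands for a signal the
// device can prove it holds (e.g. a key in its TPM, an assumption here); a value merely
// copied next to the cookie would travel with a stolen cookie.
type Session struct {
	ID             string
	IssuedAt       time.Time
	LastSeen       time.Time
	LastStrongAuth time.Time // last phishing-resistant (FIDO2) ceremony
	DeviceID       string
}

// Request carries the risk signals available when a token is presented.
type Request struct {
	At        time.Time
	DeviceID  string
	Compliant bool // device health as reported now, not as it was at login
	Country   string
	Resource  Sensitivity
}

// Policy is a conditional-access policy with session-lifetime limits.
type Policy struct {
	AbsoluteLifetime time.Duration
	IdleTimeout      time.Duration
	StepUpMaxAge     time.Duration // freshness required for Sensitive resources
	AllowedCountries map[string]bool
}

type Decision string

const (
	Allow  Decision = "allow"
	StepUp Decision = "step_up" // keep session, demand a fresh FIDO2 ceremony
	Revoke Decision = "revoke"  // terminate session, full re-authentication
)

// Evaluate is continuous access evaluation: every request is re-judged.
func (p Policy) Evaluate(s Session, r Request) (Decision, string) {
	switch {
	case r.At.Sub(s.IssuedAt) > p.AbsoluteLifetime:
		return Revoke, "absolute session lifetime exceeded"
	case r.At.Sub(s.LastSeen) > p.IdleTimeout:
		return Revoke, "idle timeout exceeded"
	case r.DeviceID != s.DeviceID:
		return Revoke, "token presented from a device it was not issued to"
	case !r.Compliant:
		return Revoke, "device no longer compliant"
	case !p.AllowedCountries[r.Country]:
		return Revoke, "request from a location outside policy"
	case r.Resource == Sensitive && r.At.Sub(s.LastStrongAuth) > p.StepUpMaxAge:
		return StepUp, fmt.Sprintf("sensitive resource: strong auth older than %s", p.StepUpMaxAge)
	}
	return Allow, "within policy"
}

// CompleteStepUp records a fresh strong authentication and rotates the token, so a
// copy of the old token no longer maps to a session.
func CompleteStepUp(s Session, now time.Time, newID string) Session {
	s.LastStrongAuth, s.LastSeen, s.ID = now, now, newID
	return s
}

// SessionScenario runs five constructed requests against one session.
func SessionScenario() map[string]Decision {
	p := Policy{AbsoluteLifetime: 8 * time.Hour, IdleTimeout: 30 * time.Minute,
		StepUpMaxAge: 10 * time.Minute, AllowedCountries: map[string]bool{"GB": true, "DE": true}}
	login := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC)
	s := Session{ID: "sess-constructed-1", IssuedAt: login, LastSeen: login, LastStrongAuth: login, DeviceID: "laptop-A"}
	at := func(d time.Duration) time.Time { return login.Add(d) }
	decide := func(r Request) Decision { d, _ := p.Evaluate(s, r); return d }
	out := map[string]Decision{
		"routine":         decide(Request{At: at(5 * time.Minute), DeviceID: "laptop-A", Compliant: true, Country: "GB"}),
		"replayed":        decide(Request{At: at(5 * time.Minute), DeviceID: "unknown-host", Compliant: true, Country: "GB"}),
		"sensitive_stale": decide(Request{At: at(20 * time.Minute), DeviceID: "laptop-A", Compliant: true, Country: "GB", Resource: Sensitive}),
		"idle":            decide(Request{At: at(2 * time.Hour), DeviceID: "laptop-A", Compliant: true, Country: "GB"}),
	}
	s = CompleteStepUp(s, at(20*time.Minute), "sess-constructed-2")
	out["sensitive_after_stepup"] = decide(Request{At: at(21 * time.Minute), DeviceID: "laptop-A", Compliant: true, Country: "GB", Resource: Sensitive})
	return out
}

func main() {
	for name, d := range SessionScenario() {
		fmt.Printf("%-24s %s\n", name, d)
	}
}
```

The order of the cases matters: lifetime, binding and device-health failures revoke outright, while only the freshness rule produces a step-up, so a stolen token presented from elsewhere is never offered the chance to "just re-authenticate".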
Legacy protocol blocking
Disable IMAP, POP, SMTP AUTH, and other protocols that bypass modern authentication. No exceptions without compensating controls.
Anomaly detection
Monitor for impossible travel, MFA prompt flooding, and authentication anomalies. Alert and block on suspicious patterns.
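To make the detection side concrete for push bombing (the first technique above) and for the monitoring listed here, the following added Go example (constructed sample events, not the page's own material and not any SIEM's rules) runs two detections over sign-in events: prompt flooding as a sliding window of push prompts per user, and impossible travel as the implied speed between consecutive successful sign-ins. The users, coordinates and thresholds are constructed.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// SignInEvent is a constructed, simplified identity-provider sign-in record.
type SignInEvent struct {
	Time     time.Time
	User     string
	Result   string // "mfa_push_sent", "mfa_denied", "mfa_timeout", "success"
	Lat, Lon float64
}

// Alert is what a detection hands to the SOC.
type Alert struct {
	Rule, User, Detail string
}

// haversineKm is the great-circle distance between two coordinates.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	rad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * 6371.0 * math.Asin(math.Sqrt(a))
}

// DetectPromptFlooding flags any user sent more than maxPrompts push prompts inside one
// window: the push-bombing signature, whether or not the user eventually approved.
func DetectPromptFlooding(events []SignInEvent, window time.Duration, maxPrompts int) []Alert {
	sent := map[string][]time.Time{}
	for _, e := range events {
		if e.Result == "mfa_push_sent" {
			sent[e.User] = append(sent[e.User], e.Time)
		}
	}
	var alerts []Alert
	for user, ts := range sent {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		start := 0
		for end := range ts { // sliding window over sorted prompt times
			for ts[end].Sub(ts[start]) > window {
				start++
			}
			if end-start+1 > maxPrompts {
				alerts = append(alerts, Alert{"mfa_prompt_flooding", user,
					fmt.Sprintf("%d push prompts within %s", end-start+1, window)})
				break
			}
		}
	}
	return alerts
}

// DetectImpossibleTravel flags consecutive successful sign-ins by one user whose implied
// speed exceeds maxKmh; a replayed session token shows up the same way as a phished login.
func DetectImpossibleTravel(events []SignInEvent, maxKmh float64) []Alert {
	ok := map[string][]SignInEvent{}
	for _, e := range events {
		if e.Result == "success" {
			ok[e.User] = append(ok[e.User], e)
		}
	}
	var alerts []Alert
	for user, evs := range ok {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		for i := 1; i < len(evs); i++ {
			prev, cur := evs[i-1], evs[i]
			km := haversineKm(prev.Lat, prev.Lon, cur.Lat, cur.Lon)
			hours := math.Max(cur.Time.Sub(prev.Time).Hours(), 1.0/3600) // floor at one second
			if km/hours > maxKmh {
				alerts = append(alerts, Alert{"impossible_travel", user,
					fmt.Sprintf("%.0f km in %.0f min (%.0f km/h)", km, hours*60, km/hours)})
			}
		}
	}
	return alerts
}

// SampleEvents is constructed data: alice is prompted six times in three minutes and
// never approves, bob's session appears in London and then Sydney twenty minutes
// later, carol signs in normally from Berlin.
func SampleEvents() []SignInEvent {
	t0 := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC)
	evs := []SignInEvent{
		{t0, "carol", "mfa_push_sent", 52.5, 13.4},
		{t0.Add(15 * time.Second), "carol", "success", 52.5, 13.4},
		{t0.Add(5 * time.Minute), "bob", "success", 51.5, -0.1},
		{t0.Add(25 * time.Minute), "bob", "success", -33.9, 151.2},
	}
	for i := 0; i < 6; i++ {
		evs = append(evs, SignInEvent{t0.Add(time.Duration(i) * 30 * time.Second), "alice", "mfa_push_sent", 59.3, 18.1})
		evs = append(evs, SignInEvent{t0.Add(time.Duration(i)*30*time.Second + 20*time.Second), "alice", "mfa_timeout", 59.3, 18.1})
	}
	return evs
}

func main() {
	evs := SampleEvents()
	for _, a := range append(DetectPromptFlooding(evs, 5*time.Minute, 5), DetectImpossibleTravel(evs, 900)...) {
		fmt.Printf("%-20s %-6s %s\n", a.Rule, a.User, a.Detail)
	}
}
```

Both rules are cheap enough to run on a streaming feed from the identity provider; the flooding rule is the one to wire to an automatic block (suppress further prompts and notify the user out of band), while impossible travel is usually a triage signal because VPN egress and mobile carrier geolocation produce benign hits.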
How Solluna Caelum approaches this
We help organisations move beyond checkbox MFA to authentication that actually resists modern attacks:
1. Current-state assessment: Map existing authentication methods, policies, and exceptions across the environment. Identify gaps and legacy exposure.
2. Risk-based design: Define authentication requirements by user population, system sensitivity, and access scenario. Not everything needs FIDO2, but some things absolutely do.
3. Conditional access architecture: Design policies that adapt authentication requirements to risk context — device trust, location, behaviour, and resource sensitivity.
4. Migration planning: Build a realistic path from current state to phishing-resistant authentication. Address user experience, rollout logistics, and exception handling.
5. Detection and response: Implement monitoring for MFA bypass attempts and authentication anomalies. Ensure SOC visibility into identity-based attacks.
Worried your MFA isn't as strong as you thought?
If push bombing, AiTM attacks, or authentication gaps concern you — let's assess your exposure and build a path to phishing-resistant authentication.
Related taxonomy: MFA Bypass · Phishing-Resistant Authentication · FIDO2/WebAuthn · Conditional Access · Session Management · Push Bombing