Multifactor authentication once stood as a trusted defense in cybersecurity circles. A password combined with a verification code or push notification was assumed sufficient to deter unauthorized access. Adoption surged: Okta’s most recent Businesses at Work report shows that over 90% of enterprise users now use some form of MFA. Yet in 2025, determined criminals are finding ways around authentication without even needing to breach it.
[Editor's Note: This is the second of a three-part series highlighting Identity and Credentials. Read Part One: Identity debt: What is it, how to spot it; Part Three: IAM Best Practices: Rebuilding IAM from the outside in]

“We keep investing in stronger front doors,” said Lawrence Abrams, editor-in-chief at BleepingComputer, during a recent SC Media webcast. “The problem is that attackers aren’t picking the lock anymore. They’re persuading someone to open it.”
How MFA fatigue lets attackers slip in
Modern threat actors rarely resort to brute-force login attempts or common password spraying. They exploit weaknesses in authentication workflows: session tokens lingering in browsers, service desk calls with minimal ID checks, or employees approving notifications out of habit or annoyance.
Researchers at SoSafe define “MFA fatigue” as a tactic that overwhelms users with repeated approval requests until they relent. One of the most memorable incidents occurred at Uber in 2022, when the hacking group Lapsus$ bombarded an external contractor’s device with push notifications. Frustrated, the user accepted and unwittingly granted access. That breach led to control over Uber’s internal systems.

A more recent example surfaced in June 2025, when Scattered Spider used a similar approach in an attack on Hawaiian Airlines. Attackers flooded a staff member with MFA requests until one was accepted — breaking into internal systems without malware.
In both cases, none of the technical controls failed. Instead, attackers exploited normal user behavior and inattentiveness.
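The pattern described above leaves a trace that technical controls can catch even when the user does not: a burst of push prompts for one account, several denials, then an approval. The following is an added example (not code from the article or from any vendor) that runs that detection over a few constructed identity-provider log lines. The log format, field names, five-minute window and four-push threshold are all assumptions chosen for the illustration.

```python
"""Detect MFA push-fatigue bursts in identity-provider log lines.

Added illustration. The log schema below is assumed, not a real vendor format:
  <ISO timestamp> user=<name> event=<push_sent|push_denied|push_approved> ip=<addr>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real telemetry). contractor01 receives five
# prompts in under two minutes, denies three, then approves the fifth.
SAMPLE_LOG = """\
2025-06-12T02:14:03Z user=contractor01 event=push_sent ip=203.0.113.7
2025-06-12T02:14:09Z user=contractor01 event=push_denied ip=203.0.113.7
2025-06-12T02:14:31Z user=contractor01 event=push_sent ip=203.0.113.7
2025-06-12T02:14:40Z user=contractor01 event=push_denied ip=203.0.113.7
2025-06-12T02:15:02Z user=contractor01 event=push_sent ip=203.0.113.7
2025-06-12T02:15:05Z user=contractor01 event=push_denied ip=203.0.113.7
2025-06-12T02:15:33Z user=contractor01 event=push_sent ip=203.0.113.7
2025-06-12T02:15:58Z user=contractor01 event=push_sent ip=203.0.113.7
2025-06-12T02:16:07Z user=contractor01 event=push_approved ip=203.0.113.7
2025-06-12T09:01:10Z user=alice event=push_sent ip=198.51.100.4
2025-06-12T09:01:15Z user=alice event=push_approved ip=198.51.100.4
2025-06-12T09:30:00Z user=bob event=push_sent ip=198.51.100.9
2025-06-12T09:30:20Z user=bob event=push_denied ip=198.51.100.9
"""

WINDOW = timedelta(minutes=5)  # assumed burst window
MAX_PUSHES = 4                 # assumed: more than this many prompts in WINDOW is a burst


def parse_line(line):
    """Parse one assumed-format line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_fatigue(log_text, window=WINDOW, max_pushes=MAX_PUSHES):
    """Return {user: finding} for every user whose push prompts form a burst.

    A burst is more than `max_pushes` push_sent events from one user inside
    `window`. The finding records the denials inside the burst and whether an
    approval followed it (the "user relented" signature); that case is rated
    high severity because an approval after repeated denials is exactly the
    outcome the attacker is trying to produce.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            events[rec["user"]].append(rec)

    findings = {}
    for user, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        sent_times = [r["ts"] for r in recs if r["event"] == "push_sent"]
        start = 0
        # Sliding window over the prompt timestamps for this user.
        for end, t in enumerate(sent_times):
            while t - sent_times[start] > window:
                start += 1
            count = end - start + 1
            if count > max_pushes:
                burst_start = sent_times[start]
                denials = sum(1 for r in recs
                              if r["event"] == "push_denied" and r["ts"] >= burst_start)
                approved = any(r["event"] == "push_approved" and r["ts"] >= burst_start
                               for r in recs)
                findings[user] = {
                    "pushes_in_window": count,
                    "denials_in_burst": denials,
                    "approved_after_burst": approved,
                    "severity": "high" if approved else "medium",
                }
                break  # one finding per user is enough for an alert
    return findings


if __name__ == "__main__":
    for user, finding in detect_push_fatigue(SAMPLE_LOG).items():
        print(user, finding)
```

The approval-after-denials signal is the one worth paging on: a burst with no approval is an attempted attack, while a burst followed by an approval means the session that resulted should be revoked and the account's factors re-verified.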
Why MFA isn’t always enough
Biometric factors introduced to strengthen authentication are also being tested by attackers. A 2023 McAfee survey reported that 1 in 10 users had been targeted by AI voice cloning scams. One-third of businesses have investigated suspected voice-biometrics fraud.
In formally controlled environments such as call centers, deepfake audio models can fool voice-auth systems. A deepfake impersonation of Secretary of State Marco Rubio illustrated the risk: using only seconds of audio, attackers contacted senior officials by mimicking his voice.

Cybersecurity researchers from NetSPI confirmed in 2022 that they could bypass commercial voice-verification systems during a red-team engagement.
These findings make clear that even voice or facial biometrics cannot be treated as a failsafe solution.
The human perimeter remains porous
Attackers have shifted their focus from technology to the people who manage it. IT admins, help desk staff, even outsourced service providers have become prime targets.
“Attackers are good at identifying who in your organization can say yes,” said Carlota Sage, founder of Pocket CISO. “The person who resets your 2FA because you lost your phone — that’s the threat vector.”
SC Media’s ongoing coverage of identity breaches shows a consistent pattern: help desk personnel and support teams are frequently targeted through phishing and impersonation attacks.
These attacks rely on social engineering and impersonation to bypass controls; they do not break encryption or exploit software bugs.
MFA must evolve with context and culture
Security leaders agree that MFA remains a vital control, but it no longer stands alone. Contextual defense is needed — behavioral monitoring, device fingerprinting, step-up authentication based on risk, and real-time alerts.
Adoption of phishing-resistant standards like FIDO2 and passkeys is rising. FIDO2 uses public-key cryptography, requiring a physical key or secure device that cannot easily be spoofed by phishing. A recent Google Security Blog noted that enterprises using passkeys report significantly fewer credential-based breaches.
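What makes a passkey resistant to the lure that defeats a push prompt is origin binding: the browser records the origin it is actually on inside the data the authenticator signs, and the authenticator itself stamps in the hash of the relying party ID it was registered to, so an assertion captured on a look-alike site does not verify at the real site. The following added example (not code from the article, from the FIDO Alliance, or from any WebAuthn library) simulates that check. It keeps the WebAuthn structure of what is signed (authenticatorData carrying SHA-256 of the RP ID, followed by SHA-256 of clientDataJSON) but, to stay within the Python standard library, stands in an HMAC keyed by a per-credential secret for the real private-key signature; the RP ID, origins, session names and credential ID are assumptions.

```python
"""Simulated WebAuthn assertion verification showing origin binding.

Added illustration. HMAC over a per-credential secret stands in for the
authenticator's private-key signature (a real RP verifies with the stored
public key); everything else follows the shape of a WebAuthn 'get' assertion.
"""
import hashlib
import hmac
import json
import os

RP_ID = "example.com"             # assumed relying party ID
RP_ORIGIN = "https://example.com"  # assumed legitimate origin


class Authenticator:
    """Simplified authenticator holding one credential scoped to an RP ID."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.secret = os.urandom(32)  # stand-in for the credential private key

    def sign(self, client_data_json):
        # The authenticator, not the web page, writes rpIdHash into authenticatorData.
        auth_data = hashlib.sha256(self.rp_id.encode()).digest()
        msg = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self.secret, msg, "sha256").digest()


def browser_get_assertion(authenticator, origin, challenge):
    """The browser fills in the origin it is really on; script cannot override it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    auth_data, sig = authenticator.sign(client_data)
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.credentials = {}  # credential ID -> verification secret (stand-in for public key)
        self.pending = {}      # session -> outstanding challenge

    def register(self, cred_id, authenticator):
        self.credentials[cred_id] = authenticator.secret

    def begin_login(self, session):
        self.pending[session] = os.urandom(16).hex()
        return self.pending[session]

    def finish_login(self, session, cred_id, assertion):
        """Return 'ok' or 'reject: <reason>' for the first failing check."""
        client = json.loads(assertion["clientDataJSON"])
        if client.get("type") != "webauthn.get":
            return "reject: type"
        if client.get("challenge") != self.pending.get(session):
            return "reject: challenge"       # replay or unknown session
        if client.get("origin") != self.origin:
            return "reject: origin"          # assertion was produced on another site
        if assertion["authenticatorData"] != hashlib.sha256(self.rp_id.encode()).digest():
            return "reject: rpIdHash"        # credential scoped to a different RP
        msg = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
        expected = hmac.new(self.credentials[cred_id], msg, "sha256").digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return "reject: signature"
        self.pending.pop(session, None)      # one challenge, one use
        return "ok"


def run_scenarios():
    """Genuine login, a phishing relay, and a replay; returns each outcome."""
    rp = RelyingParty(RP_ID, RP_ORIGIN)
    authn = Authenticator(RP_ID)
    rp.register("cred-1", authn)

    # 1. Genuine login from the real origin.
    ch = rp.begin_login("s1")
    genuine = browser_get_assertion(authn, RP_ORIGIN, ch)
    r_genuine = rp.finish_login("s1", "cred-1", genuine)

    # 2. Relay through a look-alike site (assumed origin): the attacker opens a
    #    session at the real RP and shows the user that challenge, but the
    #    browser records the look-alike origin, so the real RP refuses it.
    ch = rp.begin_login("s2")
    relayed = browser_get_assertion(authn, "https://example-login.com", ch)
    r_relayed = rp.finish_login("s2", "cred-1", relayed)

    # 3. Replaying the genuine assertion against a fresh session.
    rp.begin_login("s3")
    r_replayed = rp.finish_login("s3", "cred-1", genuine)

    return {"genuine": r_genuine, "relayed": r_relayed, "replayed": r_replayed}


if __name__ == "__main__":
    print(run_scenarios())
```

Contrast this with a push prompt: nothing in an approval tap is bound to the site the user is looking at, which is why persuading the user is enough there and is not enough here.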
Even the strongest tools fail without the right procedures and people behind them.
“You can’t fix this with technology alone,” said Adrian Sanabria, director of product marketing at Valence Security. “It comes down to training, process, and removing discretionary decision-making.”
That may mean closing help desk exception channels, centralizing IAM governance, and investing in identity threat detection and response (ITDR) systems that can distinguish legitimate human behavior from malicious activity.
The identity perimeter has changed
Multifactor authentication is not irrelevant; far from it. But it’s no longer an impenetrable shield. As attackers evolve, identity is now the perimeter, and staff are the most frequently compromised assets.

To keep pace, CISOs must go beyond installing MFA. Every identity flow, from password resets to privileged access approvals, must be hardened with checks, oversight, and detection.
“MFA remains one of the best controls we have,” said Dr. Dustin Sachs, chief technologist at CyberRisk Collaborative. “But until organizations rethink trust, context, and identity ownership, it will stay vulnerable — because human beings are involved.”
Edited by Tom Spring
(Editor’s Note: A portion of this content used a large language model to distill a single source of original content, such as a transcript, data, or research report. This content was conceived, crafted and fact-checked by a staff editor, and any sourced intellectual property used is clearly credited and disclosed.)