COMMENTARY: When multifactor authentication (MFA) became mainstream, the cybersecurity community embraced the technology as a silver bullet to a generations-old problem.It was supposed to solve our issues with credential-based attacks like password sprays and single factor credential compromise.But those hopes were short-lived. Threat actors adapted their tactics, and MFA lost its reputation as a panacea for protecting authentication.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]Breached airlines, compromised software vendors, and the leakage of billions of accounts prove one uncomfortable fact: it's easier to log-in than hack-in. While better than no second factor at all, we no longer consider MFA an impenetrable wall.Here’s an overview of the latest attack vectors that successfully defeat MFA tools and examine how organizations can reduce exposure, strengthen resilience, and prevent a false sense of security from a now vulnerable solution from becoming a liability:If a browser auto-logs the user into sensitive applications and the session tokens aren't protected, the MFA was only useful at the first login and did not protect the user from subsequent sessions.MFA still offers one of the most effective defenses against account compromise, but it’s not invincible. If an organization treats MFA as foolproof, think of this as a wake-up call. Threat actors don’t need to hack in — they log in, often with a push notification or a stolen cookie.Morey Haber, chief security advisor, lead identity and technical evangelist, Beyond TrustSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
MFA fatigue attacks
Fatigue attacks based on human frailty have become one of the most popular and low-tech strategies for compromising MFA. This technique exploits human behavior, not a software-based vulnerability and exploit. Threat actors flood users with a series of push notifications until the user, annoyed or distracted, finally clicks “approve" to stop the flood of MFA authentication messages. The infamous Uber breach in 2022 represents a textbook example of this attack vector. The threat actor didn’t hack a system; they annoyed a contractor until they gave up and clicked "Yes." The same principle has been used against Microsoft, Cisco, and countless other organizations. If the company’s authentication relies on the user making the right decision every time, it only takes one mistake to allow for attackers to establish a beachhead.Real-Time MFA phishing
Social engineering and phishing are alive and well, and when used as an attack vector with MFA, quite successful as a penetration method. With Adversary-in-The-Middle (AiTM) toolkits such as Evilginx or Modlishka, attackers can set up a proxy between the user and the legitimate service. When users enter their credentials and MFA code on a watering hole website based on a phishing attack, the threat actor captures both in real time and immediately relays them to the real service compromising their authentication. And, if the attacker captures the session token, they don’t need a password or a second factor again to regain access. The threat actors have effectively hijacked the browser session until the session token expires.SMS and MFA SIM swapping
With a well-executed SIM swap attack, threat actors can clone a cell phone number or convince a carrier to port it to a new SIM. They then intercept codes, reset passwords, and compromise accounts. Despite its simplicity, this method remains disturbingly effective.Infostealers
The rise of Infostealing malware like Raccoon Stealer, RedLine, and Lumma has changed the threat landscape. These payloads, like malicious extensions or malware, actively steal:- One-time passcodes and autofilled passwords.
- Authenticator secrets and session cookies.
- MFA tokens stored in memory.
Social engineering
Threat actors have learned that the easiest way around MFA is to simply disable it or reset it to its initial state. To accomplish this they impersonate employees as if they are calling the help desk with believable stories. They request a device reset or new MFA enrollment-based stories of lost mobile phones, stolen devices, and even that their partner took my phone, by accident, to work with them. If the support desk doesn’t have strict re-verification procedures, attackers can even compromise a perfect MFA implementation.OAuth abuse
MFA doesn’t work if the user voluntarily hands over access. In OAuth-based attacks, malicious applications request permission to access a user’s data, like email or calendar, via legitimate authentication processes. The victim consents, unaware that they are granting persistent access, and the malicious application creates a lasting confused deputy problem. These tokens are refreshable, long-lived, and bypass reauthentication. Even phishing-resistant MFA can’t stop a user from granting access to a malicious app.Legacy authentication
Not all systems were built with MFA in mind. Many legacy email and VPN protocols (IMAP, SMTP, PPTP) do not support MFA at all without some form of technology wrapper. Threat actors know this and will target exposed services with compromised credentials using single-factor authentication attack vectors.Biometric spoofing
Biometrics were once seen as the perfect tool for delivering identity confidence. Everything from voice recognition through fingerprints were deemed uncrackable. They were seen as something you are, and security pros believed they were unstealable and unforgeable. Threat actors evolved, implemented artificial intelligence, and created methods to spoof fingerprints, clone voices, and create realistic facial impersonations to circumvent biometric MFA tools. While the cybersecurity community has real examples of these incidents, as of today, they are not yet widespread. The future potential threat is real especially in high-value targets or regions where nation-state threat actors are refining their methods.While MFA has proven an effective add-on to minimize compromised credential access, it’s not perfect. Teams should not abandon MFA, but rather harden their implementations against known attack vectors by taking the following actions:- Adopt phishing-resistant MFA using FIDO2/WebAuthn hardware tokens or passkeys.
- Enforce conditional access by block access from untrusted devices, geographies, and legacy protocols.
- Rotate and monitor session tokens regularly and check for anomalous session activity and force reauthentication when necessary.
- Train users regularly—not just once a year. People are the last line of defense and the easiest component to compromise in the attack chain.
- Enforce help desk workflows. Support staff should follow strict verification procedures that involve multiple factors and not rely solely on caller information.
- Block legacy auth and enforce protocols like OAuth2 or SAML. Never use single-factor authentication at the border alone.
- Implement an identity security product that has detection technology designed to look for MFA compromises, abuse, and inappropriate single factor authentication.





