Multi-factor authentication has become the default recommendation for securing online accounts, and rightly so. Adding a second verification step beyond passwords blocks the vast majority of credential-based attacks. However, a growing number of organisations treat MFA as the complete answer to authentication security, and that assumption is leading them into trouble.

Attackers have developed reliable techniques for bypassing common MFA implementations. Adversary-in-the-middle attacks use phishing sites that proxy authentication in real time, capturing both the password and the MFA token as the victim enters them. The attacker then uses these captured credentials to establish a legitimate session before the token expires.

MFA fatigue attacks take a different approach entirely. After obtaining stolen credentials, attackers bombard the target with push notification requests. Exhausted or confused users eventually approve a request just to stop the alerts. This technique requires no technical sophistication, only persistence and a set of compromised credentials.

SIM swapping attacks target SMS-based MFA by convincing mobile carriers to transfer a victim’s phone number to an attacker-controlled SIM card. Once the transfer completes, the attacker receives all SMS messages, including one-time authentication codes. This method has proven effective against high-value targets including corporate executives and cryptocurrency holders.

Not all MFA methods offer equal protection. SMS codes provide the weakest level of security due to SIM swapping vulnerabilities and the lack of encryption in mobile messaging protocols. Time-based one-time password apps offer better protection. Hardware security keys, particularly those supporting FIDO2 standards, provide the strongest resistance against phishing and interception attacks.

Expert Commentary

William Fieldhouse | Director of Aardwolf Security Ltd

“MFA significantly raises the bar for attackers, and every organisation should deploy it. But treating it as a silver bullet creates dangerous complacency. Adversary-in-the-middle attacks, MFA fatigue bombing, and SIM swapping all bypass common MFA implementations. Security requires depth, not a single control that attackers are already learning to circumvent.”

Organisations should layer additional controls alongside MFA rather than relying on it exclusively. Conditional access policies that evaluate device health, location, user behaviour, and risk scores before granting access add context that MFA alone cannot provide. A login from a recognised device during normal hours requires less scrutiny than an attempt from an unknown device in an unusual location.
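The following is an added illustration, not code from the article or from Aardwolf Security: a minimal conditional access evaluator that scores a login on device, location and time of day, escalates to phishing-resistant MFA as risk rises, and treats a burst of unanswered push prompts (the MFA fatigue pattern described above) as a reason to stop prompting and alert. The device inventory, usual country, working hours, weights and thresholds are constructed placeholders; a real deployment would take them from the identity provider.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed reference data (hypothetical); in practice sourced from the IdP.
KNOWN_DEVICES = {"alice": {"laptop-a1"}}
USUAL_COUNTRY = {"alice": "GB"}
WORK_HOURS = range(7, 20)          # 07:00-19:59 local time
PUSH_WINDOW = timedelta(minutes=10)
PUSH_LIMIT = 5                     # unanswered push prompts per window before we stop sending

@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    when: datetime

class ConditionalAccess:
    def __init__(self):
        self._pushes = defaultdict(deque)   # user -> timestamps of push prompts sent

    def record_push(self, user: str, when: datetime) -> None:
        """Call whenever a push prompt is sent and not approved."""
        self._pushes[user].append(when)

    def pushes_in_window(self, user: str, now: datetime) -> int:
        q = self._pushes[user]
        while q and now - q[0] > PUSH_WINDOW:   # drop prompts older than the window
            q.popleft()
        return len(q)

    def risk_score(self, a: LoginAttempt) -> int:
        score = 0
        if a.device_id not in KNOWN_DEVICES.get(a.user, set()):
            score += 40                           # unrecognised device
        if a.country != USUAL_COUNTRY.get(a.user):
            score += 30                           # unusual location
        if a.when.hour not in WORK_HOURS:
            score += 15                           # outside normal hours
        return score

    def decide(self, a: LoginAttempt) -> str:
        # A burst of prompts is the push-bombing signature: do not send another one.
        if self.pushes_in_window(a.user, a.when) >= PUSH_LIMIT:
            return "deny_and_alert"
        score = self.risk_score(a)
        if score >= 60:
            return "require_phishing_resistant_mfa"   # FIDO2 key only, no push or SMS
        if score >= 30:
            return "require_mfa_and_reverify_device"
        return "require_mfa"                          # baseline: MFA on every login
```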

Session management deserves equal attention. Even after successful MFA, session tokens can be stolen through cross-site scripting, malware, or compromised endpoints. Short session lifetimes, secure token handling, and continuous session validation reduce the window during which stolen tokens remain useful. Regular web application penetration testing identifies session management weaknesses that attackers could exploit after bypassing MFA.

Privileged accounts require stronger controls than standard MFA provides. Administrative access should combine hardware tokens with just-in-time provisioning, session recording, and anomaly detection. The consequences of a compromised admin account far exceed those of a standard user compromise, and the authentication requirements should reflect that.

Thorough internal network penetration testing reveals how far an attacker can progress after bypassing authentication controls entirely. Understanding what happens when authentication fails helps organisations build defence-in-depth strategies that contain breaches even when front-door controls do not hold.

MFA remains essential, and every organisation should deploy it across all accounts. But treating it as the final word on authentication security ignores how attackers actually operate. Layer your defences, assume any single control can fail, and build resilience into every part of your security architecture.