Multi-factor authentication is now part of the standard IT security repertoire. Relying solely on passwords is negligent. Yet the assumption that MFA is an impenetrable shield is dangerous. Over recent years, attackers have developed several reliable methods to bypass MFA — and are actively using them.
Five methods attackers use to defeat MFA
1. Adversary-in-the-Middle (AitM)
The most effective method against traditional MFA. Tools such as Evilginx act as a reverse proxy between the victim and the target service. The user enters their credentials and MFA code on a convincing phishing page. The proxy forwards everything to the legitimate service but intercepts the issued session token. The result: the attacker obtains an authenticated session — MFA completely bypassed.
Particularly concerning: the Tycoon 2FA platform offers this technique as Phishing-as-a-Service. According to Sekoia, millions of phishing messages targeting Microsoft 365 and Google Workspace have already been sent through it. The barrier to entry for attackers is dropping dramatically.
2. MFA Fatigue / Prompt Bombing
The attacker already knows the victim’s password (for example from a previous data breach) and repeatedly triggers push notifications on their smartphone — in the middle of the night, dozens of times in a row. Eventually, the frustrated user taps “Approve” just to stop the notifications. This is precisely how attackers gained access to Uber’s internal systems in September 2022.
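Detection logic for the pattern described above, added here as an illustration (not code from the original article): it scans push-MFA audit events for a burst of denied or unanswered prompts and flags whether an approval followed. The log format, field names, window and threshold are constructed assumptions, not any vendor's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of push-MFA audit events: timestamp user method result source_ip
# (illustrative shape, not a real identity provider's export format).
SAMPLE_LOG = """\
2024-03-12T02:41:10Z alice push DENIED 203.0.113.7
2024-03-12T02:41:55Z alice push TIMEOUT 203.0.113.7
2024-03-12T02:42:30Z alice push DENIED 203.0.113.7
2024-03-12T02:43:05Z alice push TIMEOUT 203.0.113.7
2024-03-12T02:44:12Z alice push DENIED 203.0.113.7
2024-03-12T02:46:40Z alice push APPROVED 203.0.113.7
2024-03-12T09:15:00Z bob push APPROVED 198.51.100.4
2024-03-12T09:20:31Z bob push DENIED 198.51.100.4
2024-03-12T09:20:50Z bob push APPROVED 198.51.100.4
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window for one "burst"
THRESHOLD = 3                    # assumed number of unanswered prompts before alerting

def parse(line):
    ts, user, _method, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip

def detect_prompt_bombing(log_text):
    """Return one alert per user whose run of DENIED/TIMEOUT prompts inside
    WINDOW reaches THRESHOLD, recording whether the user then approved one."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, result, ip = parse(line)
            events[user].append((ts, result, ip))
    alerts = []
    for user, evs in events.items():
        evs.sort()
        pending, peak, burst_ts, approved_after = [], 0, None, False
        for ts, result, ip in evs:
            pending = [t for t in pending if ts - t <= WINDOW]  # drop old prompts
            if result in ("DENIED", "TIMEOUT"):
                pending.append(ts)
                if len(pending) > peak:
                    peak, burst_ts = len(pending), ts
            elif result == "APPROVED" and len(pending) >= THRESHOLD:
                approved_after = True   # the "tap Approve to make it stop" moment
        if peak >= THRESHOLD:
            alerts.append({"user": user, "prompts": peak, "ip": ip,
                           "approved_after_burst": approved_after,
                           # timestamps are UTC here; adjust to the user's zone in practice
                           "off_hours": burst_ts.hour < 6 or burst_ts.hour >= 22})
    return alerts
```

An alert with approved_after_burst set is the case to treat as a probable compromise: the password is already known to the attacker and the session should be revoked and the credential reset.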
3. SIM Swapping
SMS-based MFA is the weakest variant. In SIM swapping, the attacker convinces the mobile carrier — through social engineering or bribed employees — to transfer the phone number to a new SIM card. After that, all SMS codes are delivered to the attacker. According to the FBI, SIM swapping caused over USD 48 million in damages in the US alone in 2023.
4. Token theft after authentication
MFA protects the login process — not the session that follows. Infostealer malware such as RedLine or Raccoon extracts session cookies and tokens directly from the endpoint. The attacker imports these cookies into their own browser and takes over the authenticated session without ever needing a password or MFA code. Microsoft reports that token theft attacks have increased significantly and have become one of the greatest threats to identity systems.
5. Social engineering against help desks
Why attack the technology when you can attack the person? In September 2023, the Scattered Spider group called the IT support desk at MGM Resorts, impersonated an employee, and had MFA reset. Ten minutes on the phone were enough for initial access. The resulting ransomware attack cost MGM over USD 100 million.
The solution: FIDO2 and Passkeys
FIDO2 is the only MFA standard that is resistant to phishing and AitM attacks by design. The reason: the authenticator (hardware key or platform authenticator) cryptographically binds the login to the domain of the legitimate service. A phishing page on a different domain simply does not receive a valid signature — the attack fails at a technical level, regardless of user behaviour.
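The origin binding described above, modelled as an added example (not code from the original article or from any FIDO library): the browser writes the actual page origin into the client data, and the relying party rejects any assertion whose origin or RP ID hash does not match its own. The relying-party name, key and challenge values are constructed; the HMAC is a stand-in for the authenticator's asymmetric (e.g. ECDSA P-256) signature so the code runs with the standard library only.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                   # constructed relying party id
EXPECTED_ORIGIN = "https://login.example.com"
# Stand-in for the credential's private key; a real authenticator holds an
# asymmetric key pair and the relying party stores only the public half.
CREDENTIAL_KEY = b"constructed-credential-key"

def authenticator_assert(page_origin, challenge):
    """Browser + authenticator side. The browser, not the page script, fills in
    the origin, so a proxied phishing page cannot claim the legitimate one."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    # authenticatorData = rpIdHash (32) + flags (1, UP set) + signCount (4)
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + b"\x00" * 4
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": sig}

def rp_verify(assertion, issued_challenge):
    """Relying-party checks, in the order the WebAuthn assertion steps list them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), issued_challenge):
        return False, "challenge mismatch (replay or stale)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def demo():
    challenge = secrets.token_urlsafe(32)
    good = rp_verify(authenticator_assert(EXPECTED_ORIGIN, challenge), challenge)
    # An AitM proxy can relay the genuine challenge, but the victim's browser
    # signs the proxy's origin, so the relying party rejects the assertion.
    proxied = rp_verify(authenticator_assert("https://login-example.com", challenge), challenge)
    return {"legitimate": good, "proxied": proxied}
```

In practice a browser would already refuse to use the credential for the proxy's host, because the RP ID derived from that origin matches no registered credential; the origin check shown here is the relying party's independent backstop.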
FIDO2 comes in two variants:
- Hardware Security Keys such as YubiKey or Google Titan: physical devices connected via USB, NFC, or Bluetooth. Ideal for privileged accounts and administrators.
- Platform Authenticators (Passkeys): integrated into the operating system — Windows Hello, Apple Face ID/Touch ID, Android Biometrics. No additional hardware required, making them suitable for mass adoption.
The FIDO Alliance and companies such as Microsoft, Google, and Apple have been actively driving Passkey adoption since 2023. CISA explicitly recommends FIDO2 as the preferred MFA method for critical infrastructure.
Pragmatic measures for organisations
An immediate, complete migration to FIDO2 is unrealistic for most organisations. The following steps reduce risk incrementally and noticeably:
- Prioritise FIDO2 for privileged accounts: Migrate administrators, finance managers, and C-level accounts to hardware security keys immediately.
- Enable number matching: Anyone still using push-based MFA (Microsoft Authenticator, Duo) must enforce number matching. Users must confirm a displayed number rather than blindly tapping “Approve”. This largely eliminates MFA fatigue attacks.
- Eliminate SMS-based MFA: Replace all SMS-based authentication with app-based TOTP or FIDO2.
- Implement Conditional Access policies: Permit logins only from managed devices, known locations, or compliant endpoints. Unknown devices require stronger authentication.
- Secure help desk processes: MFA resets only after verified identity (callback, manager confirmation, separate proof of identity). No resets by phone on request alone.
- Reduce token lifetimes: Limit session tokens to an appropriate duration and enable token binding where possible.
How Zerberos can help
We test the effectiveness of your MFA implementation under realistic conditions. Our penetration tests include targeted phishing simulations using AitM techniques, social engineering tests against your help desk, and an assessment of your authentication architecture. The result: clarity on where your MFA holds — and where it fails.
Contact: www.zerberos.com/kontakt
Sources
- CISA – Implementing Phishing-Resistant MFA: cisa.gov/MFA
- Microsoft Digital Defense Report 2024: microsoft.com
- FIDO Alliance – Passkeys: fidoalliance.org/passkeys
- Sekoia – Tycoon 2FA Phishing Kit Analysis: blog.sekoia.io
- FBI IC3 – 2023 Internet Crime Report: ic3.gov