Quick answer: MFA significantly improves security but isn't perfect. Attackers bypass it through MFA fatigue (push bombing), token theft, SIM swapping, real-time phishing, and social engineering. Stronger MFA methods and additional controls close these gaps.
MFA Bypass Techniques
1. MFA Fatigue / Push Bombing
How it works: The attacker already holds the victim's password. They trigger MFA push prompts repeatedly, dozens of times, until the victim approves one just to make the notifications stop. Attempts are often timed for night, when the victim is tired or not paying attention.
Real example: The 2022 Uber breach used MFA fatigue. The attacker bombarded an employee with push notifications, then contacted them via WhatsApp posing as IT support, saying "approve the prompt to stop the alerts."
Prevention:
- Number matching (user must enter a code shown on screen)
- Require additional context (location, app name)
- Rate limiting on authentication attempts
- Educate users to never approve unexpected prompts
- Phishing-resistant MFA (FIDO2/passkeys)
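As an added example (not part of the original article), here is detection logic for the pattern above: it scans constructed sign-in log lines for a burst of denied or unanswered pushes per user and escalates when an approval follows the burst, which is the moment to revoke the session and contact the user. The log layout and result names are assumptions; real identity-provider logs use their own field names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not from any real tenant). Field layout is an
# assumption: timestamp, user, push result, source IP.
SAMPLE_LOG = """\
2024-03-02T01:12:03Z alice@example.com push_denied 203.0.113.7
2024-03-02T01:12:21Z alice@example.com push_timeout 203.0.113.7
2024-03-02T01:12:40Z alice@example.com push_denied 203.0.113.7
2024-03-02T01:13:02Z alice@example.com push_denied 203.0.113.7
2024-03-02T01:13:30Z alice@example.com push_timeout 203.0.113.7
2024-03-02T01:14:10Z alice@example.com push_approved 203.0.113.7
2024-03-02T09:00:00Z bob@example.com push_approved 198.51.100.20
2024-03-02T09:05:00Z bob@example.com push_denied 198.51.100.20
"""

def parse_log(text):
    """Turn raw lines into (timestamp, user, result, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return events

def detect_push_bombing(events, threshold=3, window=timedelta(minutes=10)):
    """Alert when a user gets `threshold` denied/unanswered pushes within `window`.
    An approval that follows such a burst is escalated to high severity: that is
    the signature of a fatigue attack that worked and needs session revocation."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        pending = []  # timestamps of recent denied/timed-out prompts still in window
        for ts, _, result, ip in evs:
            pending = [p for p in pending if ts - p <= window]
            if result in ("push_denied", "push_timeout"):
                pending.append(ts)
                if len(pending) == threshold:  # fire once as the burst crosses the line
                    alerts.append({"user": user, "severity": "medium", "ip": ip,
                                   "unanswered": threshold, "first_prompt": pending[0]})
            elif result == "push_approved" and len(pending) >= threshold:
                alerts.append({"user": user, "severity": "high", "ip": ip,
                               "unanswered": len(pending), "approved_at": ts})
    return alerts

if __name__ == "__main__":
    for alert in detect_push_bombing(parse_log(SAMPLE_LOG)):
        print(alert)
```

The medium alert is the point to rate-limit further prompts for that user; the high alert is the point to revoke the new session and reset the factor.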
2. Adversary-in-the-Middle (AiTM) Phishing
How it works: The attacker stands up a phishing site that proxies the real login page in real time. The victim enters their credentials AND the MFA code; the proxy relays both to the real site instantly, before the code expires, and the attacker captures the authenticated session that comes back.
The attack:
- Victim clicks the phishing link
- Sees the real Microsoft/Google login page (proxied through the attacker's server)
- Enters password, then MFA code
- Attacker captures the session token issued after MFA
- Attacker uses the token immediately
Prevention:
- Phishing-resistant MFA (FIDO2 keys, passkeys)
- Conditional Access blocking unknown devices
- Token protection policies
- Advanced email security catching phishing
- User training on URL verification
3. Token/Session Theft
How it works: Instead of bypassing MFA, the attacker steals the authenticated session token after MFA succeeds. The token is valid until it expires, often hours or days later.
Methods:
- Malware stealing tokens from browser
- Infostealer malware
- Token extraction from compromised devices
Prevention:
- Continuous access evaluation (revoke sessions quickly)
- Token binding (tie token to specific device)
- Short token lifetimes
- Device compliance requirements
- EDR detecting token theft malware
4. SIM Swapping
How it works: The attacker convinces the mobile carrier to transfer the victim's phone number to a SIM the attacker controls. SMS MFA codes now go to the attacker.
Prevention:
- Don't use SMS for MFA (use authenticator apps or hardware keys)
- PIN protection on mobile account
- Use MFA methods that don't rely on phone numbers
5. Social Engineering
How it works: The attacker calls the victim posing as IT support: "We're having authentication issues. I need to verify your identity. Can you read me the code that appears on your phone?"
Prevention:
- User education: IT will never ask for MFA codes
- Out-of-band verification
- Clear escalation procedures
- Culture of healthy scepticism
6. Help Desk Compromise
How it works: The attacker calls the help desk posing as an employee who "lost their phone" and needs an MFA reset. If the help desk's identity verification is weak, the reset goes through and the attacker gains access.
Prevention:
- Strong identity verification for MFA resets
- Callback procedures
- Out-of-band verification
- Manager approval for sensitive account changes
Stronger MFA Methods
Not all MFA is equal:
| Method | Phishing Resistant | Fatigue Resistant | Theft Resistant |
|---|---|---|---|
| SMS | ❌ | ✓ | ❌ |
| Authenticator app (push) | ❌ | ❌ | ✓ |
| Authenticator with number match | ❌ | ✓ | ✓ |
| FIDO2 security key | ✓ | ✓ | ✓ |
| Passkeys | ✓ | ✓ | ✓ |
| Windows Hello for Business | ✓ | ✓ | ✓ |
What We Implement
We configure MFA properly, not just "enabled":
- Number matching enforced
- Push notifications with context
- Phishing-resistant methods for admins
- Conditional Access complementing MFA
- Monitoring for suspicious authentication patterns
- User training on MFA attacks
