
Passwords are dead, but their successors are not equally secure. This guide breaks down MFA technology strengths, attacker bypass techniques, and how enterprises can choose the right authentication strategy to defend against modern threats.
Microsoft telemetry shows that accounts with MFA enabled are 99.9% less likely to be compromised than those without. That number makes MFA look like a silver bullet, but attackers have developed multiple techniques to bypass MFA, creating a critical gap between "has MFA" and "MFA actually works."
The core principle of authentication is combining at least two of three factors: something you know (a password), something you have (a phone or hardware key), and something you are (biometrics). But implementations differ wildly in security strength, and choosing the wrong MFA method can give your enterprise a false sense of security.
Understanding attack methods is the first step to choosing the right defensive tools:
Proxy (adversary-in-the-middle) phishing: attackers set up a proxy phishing site that relays credentials and OTP codes to the real site in real time and steals the authenticated session cookie. Neither SMS OTP nor TOTP apps defend against this technique. Microsoft and Google accounts have been targeted at scale using this method.
Push fatigue: after obtaining a password, attackers repeatedly trigger push authentication notifications until the target approves one out of frustration or confusion. The Uber breach in 2022 was executed via this technique. Enabling Number Match significantly reduces this risk.
SIM swapping: attackers use social engineering to convince a carrier to transfer the victim's phone number to an attacker-controlled SIM card, allowing them to receive all SMS OTPs. This is the fundamental weakness of SMS-based MFA, with documented cases in Taiwan as well.
Help-desk social engineering: attackers impersonate IT support staff, tricking targets into completing "account verification" via phone or email, which triggers an MFA reset and account takeover. Both Twilio and Cloudflare faced this attack in 2022; Cloudflare successfully defended because it had deployed hardware security keys.
The FIDO2 (Fast Identity Online 2.0) standard combined with the WebAuthn protocol provides the strongest phishing-resistant authentication available today. Its core principle is "domain binding": the device produces a cryptographic signature over data that includes the legitimate domain, and the server rejects any signature bound to another domain. Even if an attacker creates a visually identical phishing site, authentication cannot be completed on the wrong domain.
Credentials stored in the device's secure chip (iPhone Face ID, Android fingerprint, Windows Hello): free, convenient, and the future mainstream option.
Hardware security keys, physical USB/NFC devices like YubiKey: highest security, ideal for privileged accounts and high-risk scenarios.
Scanning a QR code with your phone to confirm a desktop login: balances security and convenience without needing extra hardware.
After Google required all employees to use hardware security keys in 2017, account takeover incidents dropped to zero. Even when employees were tricked by phishing emails and entered their passwords on malicious sites, the hardware key's domain binding prevented any unauthorized logins.
Not all accounts need the same level of protection. A risk-based tiered strategy is the pragmatic approach:
Contact Hexion Networks to assess your organization's identity security posture and plan the right MFA upgrade path.