
Why Your MFA Isn’t Bulletproof Anymore (and How to Fix It in 2025)
The MFA Myth
For years, multi-factor authentication has been the go-to advice from every cybersecurity expert. A password? Easy to steal. But a password plus a second factor—like a code from your phone—was supposed to stop attackers cold.
And for a while, it did.
But 2025 is different. Cybercriminals have adapted. They’re bypassing MFA every day, using techniques that most people—and many IT teams—aren’t even aware of.
MFA isn’t dead. But your current setup might be wide open.
4 Common MFA Bypass Tactics (and How They Work)
1. MFA Fatigue Attacks
Attackers repeatedly send MFA push requests to a user’s phone or app until the victim approves one out of frustration or confusion.
Example: In the 2022 Uber breach, the attacker spammed an employee with MFA prompts until they clicked "approve."
Why it works: Human psychology. People want the notifications to stop.
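The two controls the post recommends against push spam later on, number matching and a lockout after a few denied pushes, are easiest to understand as back-end logic. The following is an added, self-contained Python simulation (not code from the original post or from any vendor): the `PushService`, the user `alice`, and the lockout threshold of three failures are all constructed for the example. A blind tap on "Approve" carries no number, so it counts as a failure instead of granting access, and repeated failures lock the account rather than letting the prompts keep coming.

```python
import secrets
from dataclasses import dataclass

# Hypothetical policy value: the post suggests locking after 2-3 denied pushes.
MAX_FAILED_PUSHES = 3


@dataclass
class PushChallenge:
    challenge_id: str
    number_shown: int   # the two-digit number the login screen displays
    user: str


@dataclass
class UserState:
    failed_pushes: int = 0
    locked: bool = False


class PushService:
    """Minimal push-MFA back end with number matching and a denied-push lockout."""

    def __init__(self, max_failed: int = MAX_FAILED_PUSHES):
        self.max_failed = max_failed
        self.users: dict[str, UserState] = {}
        self.pending: dict[str, PushChallenge] = {}

    def _state(self, user: str) -> UserState:
        return self.users.setdefault(user, UserState())

    def start_login(self, user: str):
        """Called after the password check. Returns the challenge whose number the
        login screen shows, or None when the account is locked (no push is sent)."""
        state = self._state(user)
        if state.locked:
            return None
        challenge = PushChallenge(secrets.token_hex(8), 10 + secrets.randbelow(90), user)
        self.pending[challenge.challenge_id] = challenge
        return challenge

    def _record_failure(self, state: UserState, outcome: str) -> str:
        state.failed_pushes += 1
        if state.failed_pushes >= self.max_failed:
            state.locked = True          # stops the push spam at the source
            return "locked"
        return outcome

    def respond(self, challenge_id: str, user: str, approved: bool, number_entered) -> str:
        """Called by the authenticator app. Returns one of:
        granted, denied, mismatch, locked, unknown."""
        challenge = self.pending.pop(challenge_id, None)
        if challenge is None or challenge.user != user:
            return "unknown"
        state = self._state(user)
        if state.locked:
            return "locked"
        if not approved:
            return self._record_failure(state, "denied")
        # A reflexive tap on "Approve" carries no number, so it cannot match.
        if number_entered != challenge.number_shown:
            return self._record_failure(state, "mismatch")
        state.failed_pushes = 0          # a matched approval resets the counter
        return "granted"


def legitimate_login(service: PushService, user: str = "alice") -> str:
    """The user reads the number off the login screen and types it into the app."""
    challenge = service.start_login(user)
    return service.respond(challenge.challenge_id, user, True, challenge.number_shown)


def simulate_fatigue_attack(service: PushService, user: str = "alice") -> list:
    """Constructed scenario: someone holding the stolen password triggers push after push.
    The victim denies twice, then taps Approve without any login screen in front of them."""
    outcomes = []
    for approved in (False, False, True):
        challenge = service.start_login(user)
        if challenge is None:
            outcomes.append("locked")
            break
        outcomes.append(service.respond(challenge.challenge_id, user, approved, None))
    return outcomes


if __name__ == "__main__":
    svc = PushService()
    print("legitimate:", legitimate_login(svc))          # granted
    print("fatigue   :", simulate_fatigue_attack(svc))   # ['denied', 'denied', 'locked']
    print("after lock:", svc.start_login("alice"))       # None
```

The lockout event is also the detection signal: a user who denies or fails number matching three times in a row without having tried to log in is exactly the case the help desk and the SOC should be alerted on, so log it rather than silently unlocking after a timer.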
2. Real-Time Phishing Proxies
A fake login page captures both your password and your MFA code, then passes them to the real site instantly.
Example: Attackers use kits like Evilginx or Modlishka to run these attacks at scale.
Why it works: The MFA code is valid for about 30 seconds—plenty of time for the attacker to log in before you realize.
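The reason a FIDO2/WebAuthn key (rule 1 later in the post) is not fooled by this relay is that the browser, not the page, writes the page's origin into the data the key signs, and the real site checks that origin. The following is an added Python simulation of that exchange, not code from the original post, Evilginx, Modlishka, or any WebAuthn library. It replaces the key's public-key signature with an HMAC so it runs with the standard library only; the hosts `bank.example` and `bank-login.example` and the user `alice` are constructed. A proxy that forwards the signed assertion byte for byte still fails, because the origin inside it is the proxy's.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed relying party (the real site) and the look-alike host the proxy serves.
RP_ID = "bank.example"
RP_ORIGIN = "https://bank.example"
PROXY_ORIGIN = "https://bank-login.example"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class Authenticator:
    """Stand-in for a hardware key. A real key signs with a per-site private key;
    this simulation uses an HMAC with a per-credential secret. What matters here is
    what gets signed (authenticatorData plus the hash of clientDataJSON), not the algorithm."""

    def __init__(self):
        self.credential_id = b64url(secrets.token_bytes(16))
        self.secret = secrets.token_bytes(32)

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        # Simplified authenticatorData layout: sha256(rpId) || flags || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self.secret, signed, "sha256").digest()


class RelyingParty:
    def __init__(self):
        self.credentials = {}   # credential_id -> secret (stand-in for the stored public key)
        self.pending = {}       # user -> outstanding challenge

    def register(self, authenticator: Authenticator):
        self.credentials[authenticator.credential_id] = authenticator.secret

    def new_challenge(self, user: str) -> str:
        challenge = b64url(secrets.token_bytes(32))
        self.pending[user] = challenge
        return challenge

    def verify(self, user, credential_id, client_data_json, auth_data, signature) -> str:
        data = json.loads(client_data_json)
        expected = self.pending.pop(user, None)
        if data.get("type") != "webauthn.get" or data.get("challenge") != expected:
            return "bad_challenge"
        # The check a relay proxy cannot get past: the browser filled in this origin.
        if data.get("origin") != RP_ORIGIN:
            return "origin_mismatch"
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return "rp_id_mismatch"
        secret = self.credentials.get(credential_id)
        if secret is None:
            return "unknown_credential"
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        if not hmac.compare_digest(hmac.new(secret, signed, "sha256").digest(), signature):
            return "bad_signature"
        return "ok"


def browser_client_data(page_origin: str, challenge: str) -> bytes:
    """The browser builds clientDataJSON itself and records the origin of the page
    that asked for the assertion; page script cannot override that field."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": page_origin}).encode()


def login(rp: RelyingParty, key: Authenticator, user: str, page_origin: str) -> str:
    """Full exchange: the RP issues a challenge, the page (real or proxy) relays it,
    the browser signs with the origin filled in, the RP verifies the result."""
    challenge = rp.new_challenge(user)
    client_data = browser_client_data(page_origin, challenge)
    auth_data, signature = key.get_assertion(RP_ID, client_data)
    # A proxy forwards client_data, auth_data and signature byte for byte to the real RP.
    return rp.verify(user, key.credential_id, client_data, auth_data, signature)


def demo() -> dict:
    rp, key = RelyingParty(), Authenticator()
    rp.register(key)
    return {
        "direct": login(rp, key, "alice", RP_ORIGIN),        # ok
        "via_proxy": login(rp, key, "alice", PROXY_ORIGIN),  # origin_mismatch
    }
```

In a real browser the proxy page would be stopped even earlier: a page on `bank-login.example` is not allowed to request an assertion for the RP ID `bank.example` at all. The simulation skips that browser-side check to show that the server-side origin comparison is sufficient on its own, which is why a 30-second TOTP code can be relayed but a WebAuthn assertion cannot.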
3. Session Token Hijacking
Once you log in, your browser stores a session token so you don’t have to re-enter your MFA code. If an attacker steals that token, they bypass MFA entirely until it expires.
Example: Token theft malware in 2024 targeted Google and Microsoft 365 users to gain persistent access.
Why it works: MFA is only checked at login, not during the session.
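Because MFA is only checked at login, what a stolen session token is worth depends entirely on how the session is validated afterwards. The following is an added Python example, not code from the original post or from Google or Microsoft, comparing a 30-day session policy with the 8-12 hour lifetime the post recommends later, plus an idle timeout and a coarse binding of the session to the client that created it. The `SessionStore` class, the user `alice`, the IP addresses and user agents, and the timestamps are all constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass

HOUR = 3600


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float
    client_fp: str


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Coarse binding of a session to the client that created it (constructed scheme)."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    def __init__(self, absolute_lifetime=12 * HOUR, idle_timeout=1 * HOUR, bind_client=True):
        self.absolute_lifetime = absolute_lifetime
        self.idle_timeout = idle_timeout
        self.bind_client = bind_client
        self.sessions = {}   # sha256(token) -> Session; a leaked table yields no usable tokens

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, client_fp: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[self._key(token)] = Session(user, now, now, client_fp)
        return token

    def validate(self, token: str, client_fp: str, now: float) -> str:
        """Returns 'ok' or the reason the token was refused. Refused tokens are dropped,
        so whoever holds them has to complete MFA again."""
        key = self._key(token)
        session = self.sessions.get(key)
        if session is None:
            return "unknown"
        if now - session.issued_at > self.absolute_lifetime:
            self.sessions.pop(key)
            return "expired"
        if now - session.last_seen > self.idle_timeout:
            self.sessions.pop(key)
            return "idle"
        if self.bind_client and client_fp != session.client_fp:
            self.sessions.pop(key)
            return "client_mismatch"
        session.last_seen = now
        return "ok"


def compare_policies(now: float = 1_700_000_000.0) -> dict:
    """Constructed scenario: a token is stolen right after login and replayed from another machine,
    once ten minutes later and once (a second stolen token) five days later."""
    legacy = SessionStore(absolute_lifetime=30 * 24 * HOUR, idle_timeout=30 * 24 * HOUR, bind_client=False)
    hardened = SessionStore()   # 12 h absolute, 1 h idle, bound to the client
    victim = client_fingerprint("203.0.113.10", "Mozilla/5.0 (victim laptop)")
    thief = client_fingerprint("198.51.100.7", "Mozilla/5.0 (attacker box)")
    results = {}
    for name, store in (("legacy", legacy), ("hardened", hardened)):
        token = store.issue("alice", victim, now)
        outcome = {
            "owner_10min": store.validate(token, victim, now + 10 * 60),
            "thief_10min": store.validate(token, thief, now + 10 * 60),
        }
        token2 = store.issue("alice", victim, now)          # a second session, sat on for five days
        outcome["thief_5days"] = store.validate(token2, thief, now + 5 * 24 * HOUR)
        results[name] = outcome
    return results


if __name__ == "__main__":
    for policy, outcome in compare_policies().items():
        print(policy, outcome)
```

Under the legacy policy every replay succeeds; under the hardened one the same-day replay fails on the client binding and the five-day replay is simply expired. The binding is deliberately coarse and is the setting to tune carefully: users on mobile networks change IP addresses often, so binding to user agent plus a device cookie, with a step-up MFA prompt instead of a hard refusal on mismatch, is a common compromise.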
4. SIM-Swapping 2.0
Attackers trick your mobile provider into transferring your number to their SIM card—or they compromise telecom systems directly. Once they control your number, they intercept SMS-based MFA codes.
Why it works: Telecom systems have weak internal verification.
Why This Is Happening Now
AI-generated phishing emails and fake login pages are harder to spot.
Longer-lived sessions in cloud apps make token theft more valuable.
Remote work and BYOD have expanded the attack surface.
Attack toolkits are now plug-and-play—any criminal can use them without deep technical skill.
Case Study: The “Approve” That Cost $25 Million
In 2023, a US-based finance firm lost $25M after an employee approved an MFA prompt they thought was legitimate. The attacker:
Phished the employee’s credentials.
Sent multiple MFA push requests over two hours.
Gained access to internal systems after just one mistaken approval.
This wasn’t a flaw in MFA itself—it was a failure in configuration and training.
Mike’s 7 Rules for Stronger MFA in 2025
1. Use Hardware Keys (FIDO2/WebAuthn)
YubiKey, Google Titan, or Feitian keys are immune to phishing proxies, because the key's response is bound to the origin of the site that requested it.
2. Enable Number Matching
Apps like Microsoft Authenticator now require you to enter a number from the login screen—stopping push spam.
3. Shorten Session Lifetimes
Set sessions to expire every 8–12 hours, not 30 days.
4. Limit Push Attempts
Lock the account after 2–3 denied push requests.
5. Ban SMS for Admin Accounts
Use app-based or hardware-based MFA only.
6. Audit Devices Monthly
Remove old devices from MFA enrollment lists.
7. Train for MFA Fatigue
Teach employees: If you didn’t log in, don’t approve anything—ever.
Quick Implementation Checklist
☐ Switch to hardware keys (YubiKey, Titan)
Widely recognized as phishing‑resistant and recommended for strong authentication.
Supported by general MFA best practices (though a recent vulnerability via QR fallback was noted).
☐ Enable number matching (e.g., Microsoft Authenticator)
Proven to block MFA fatigue attacks by requiring user interaction with the login screen.
☐ Reduce session lifetime (e.g., set shorter token expiry)
Helps prevent session hijacking via stolen tokens. General security best practice, supported conceptually by MFA bypass discussions.
☐ Limit push attempts (e.g., lock after 3 failed pushes)
No direct source found for these specific numbers, but multiple sources recommend reducing MFA fatigue by limiting push notification opportunities and training users.
☐ Remove SMS for admins (favor app/hardware MFA)
SMS-based MFA is known to be weak and vulnerable (e.g., to SIM swapping). Best practice generally recognized in security community.
☐ Review enrolled devices monthly
This is an account hygiene recommendation—though not explicitly cited, regular auditing of authentication devices is standard security practice.
☐ Run MFA fatigue training quarterly
Training users to recognize MFA fatigue is widely recommended.
Bottom Line
MFA is still one of the best defenses against account compromise. But like every security measure, it only works if it evolves with the threat landscape.
In 2025, “set it and forget it” is a recipe for compromise. Make MFA a living, breathing part of your security plan.