Passwords are no longer enough – and now, even multi-factor authentication (MFA) is being bypassed. Attackers can intercept SMS codes, steal tokens from authenticator apps, and capture session cookies to slip past MFA protections unnoticed. What was once seen as a strong defence is now actively targeted by advanced phishing campaigns.
A new generation of phishing kits uses “adversary-in-the-middle” (AiTM) techniques, proxying the entire login flow. Victims believe they are signing in securely, but the attacker is silently relaying their credentials and MFA codes to the real service, hijacking the authenticated session in real time.
As Rafik Kattoum, Infrastructure Manager at Penta, cautions, “The industry cannot afford to treat MFA as a final layer of protection. It is vital to plan for what happens when that layer is breached.”
What to Do Next: Strengthening MFA in the Age of Phishing
Even though attackers are finding new ways to bypass MFA, there are practical steps organisations can take to stay resilient:
- Adopt phishing-resistant MFA. Use hardware security keys (FIDO2/WebAuthn) or smartcards, or the platform authenticators built into devices, instead of SMS codes. These bind each credential to the genuine site's origin, so a login relayed through a proxy page cannot be replayed against the real service.
- Limit session lifetimes. Shorten token validity and require re-authentication for high-risk actions.
- Monitor for session hijacking. Use behavioural analytics and anomaly detection to spot impossible-travel logins or a session token suddenly reused from a different IP address or device.
- Harden mobile devices. Educate users about SIM-swapping risks, enforce mobile OS updates, and encourage the use of authenticator apps instead of SMS where hardware keys aren’t available.
- Train and test regularly. Run phishing simulations and security awareness programs to keep employees alert to real-world tactics.
- Adopt zero trust principles. Assume compromise is possible and enforce continuous verification, least-privilege access, and strong network segmentation.
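As an added example (not part of the original article or any vendor's product) of the session-hijacking monitoring recommended above: a small detector that reads constructed JSON authentication events and raises two kinds of alert. "session_reuse" fires when the same session identifier reappears from a different IP address or user agent, which is what an attacker replaying a stolen cookie from a proxied login looks like; "impossible_travel" fires when two logins by the same user are geographically too far apart for the time between them. The log format, field names and the 900 km/h threshold are assumptions chosen for the demo.

```python
"""Flag session reuse and impossible-travel logins in authentication events.

Added example; the event format and threshold are constructed, not taken from
any real product. Each event carries the user, the session id, the client IP
and user agent, and a rough geolocation already resolved from the IP.
"""
import json
import math
from datetime import datetime

# Constructed sample log: alice's session "s1" is suddenly used from a second
# IP/browser on another continent two minutes after her last request.
SAMPLE_LOG = """
{"ts":"2024-05-01T09:00:00Z","user":"alice","session":"s1","ip":"203.0.113.10","ua":"Firefox/125","lat":51.5,"lon":-0.12}
{"ts":"2024-05-01T09:05:00Z","user":"alice","session":"s1","ip":"203.0.113.10","ua":"Firefox/125","lat":51.5,"lon":-0.12}
{"ts":"2024-05-01T09:07:00Z","user":"alice","session":"s1","ip":"198.51.100.7","ua":"Chrome/124","lat":40.7,"lon":-74.0}
{"ts":"2024-05-01T10:00:00Z","user":"bob","session":"s2","ip":"192.0.2.5","ua":"Safari/17","lat":48.85,"lon":2.35}
{"ts":"2024-05-01T10:30:00Z","user":"bob","session":"s3","ip":"192.0.2.5","ua":"Safari/17","lat":48.85,"lon":2.35}
"""

# Assumed threshold: anything faster than a commercial flight is "impossible".
MAX_SPEED_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def parse_events(text):
    """Parse one JSON object per line and return events sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (alert_type, user, session) tuples in the order they are found."""
    alerts = []
    last_by_session = {}  # session id -> last event seen for that session
    last_by_user = {}     # user -> last event seen for that user
    for event in events:
        prev = last_by_session.get(event["session"])
        # A live session token that changes client IP or user agent is the
        # classic signature of a cookie stolen and replayed elsewhere.
        if prev and (prev["ip"] != event["ip"] or prev["ua"] != event["ua"]):
            alerts.append(("session_reuse", event["user"], event["session"]))

        prev_user = last_by_user.get(event["user"])
        if prev_user:
            hours = (event["ts"] - prev_user["ts"]).total_seconds() / 3600
            km = haversine_km(prev_user["lat"], prev_user["lon"], event["lat"], event["lon"])
            # Same user, two places, not enough time to travel between them.
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                alerts.append(("impossible_travel", event["user"], event["session"]))

        last_by_session[event["session"]] = event
        last_by_user[event["user"]] = event
    return alerts


def run_sample():
    """Run the detector over the constructed log above."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Running it reports both alerts for alice's session "s1" and nothing for bob, whose new session comes from the same device and location. In production the geolocation step would be an IP-to-location lookup and the session state would live in a store shared across the fleet, but the two rules themselves are what a SIEM correlation search for hijacked sessions typically encodes.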
By recognising that passwords and basic MFA alone are no longer enough, organisations can build layered defences that anticipate attacker innovation – and stay one step ahead.
Phishing is no longer just about tricking users into giving up a password – it is now about undermining the very safeguards designed to replace passwords. Organisations that rely solely on MFA as a security panacea risk being caught off guard. Instead, a holistic strategy that combines phishing-resistant technologies, adaptive monitoring, and rehearsed response plans will be essential to withstand the next generation of attacks.
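As an added illustration (not code from the article or from any WebAuthn library) of why the phishing-resistant MFA recommended above holds up against the adversary-in-the-middle flow described at the start: a relying party's verification of a WebAuthn assertion. The browser writes the origin it is actually on into clientDataJSON, and the authenticator signs over that data together with a hash of the relying-party ID derived from the page's domain. When the login is relayed through a lookalike proxy domain, the relying party sees the wrong origin and rejects the assertion before ever reaching the signature check. The relying-party ID, origins and challenge are constructed values, and an HMAC stands in for the authenticator's ECDSA signature so the example runs on the standard library alone.

```python
"""Relying-party checks that make an origin-bound WebAuthn assertion useless
to a proxy. Added example with constructed identifiers; the HMAC is a stand-in
for the authenticator's asymmetric signature (a real RP holds only the public
key and verifies an ECDSA or RSA signature)."""
import base64
import hashlib
import hmac
import json

RP_ID = "login.example.com"                  # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # the only origin the RP accepts
AUTHENTICATOR_KEY = b"constructed-demo-key"   # stand-in for the credential key


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def authenticator_sign(browser_origin: str, challenge: bytes) -> dict:
    """Simulate what browser + authenticator return from navigator.credentials.get().

    The browser, not the page, fills in the origin, and derives the rpId from
    the domain it is on; the authenticator signs authenticatorData || SHA-256(clientDataJSON).
    """
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": browser_origin,
    }).encode()
    rp_id_from_browser = browser_origin.removeprefix("https://")
    # authenticatorData = rpIdHash (32 bytes) || flags (UP|UV) || signCount
    auth_data = hashlib.sha256(rp_id_from_browser.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


def rp_verify(assertion: dict, challenge: bytes) -> tuple:
    """The relying party's checks, in the order the WebAuthn spec lists them."""
    client = json.loads(assertion["client_data"])
    if client.get("type") != "webauthn.get":
        return False, "wrong type"
    if client.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    # The origin check is what defeats a proxied login page.
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client.get("origin"))
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_login() -> tuple:
    """User is on the genuine site: origin and rpIdHash both match."""
    challenge = b"constructed-challenge-1"
    return rp_verify(authenticator_sign(EXPECTED_ORIGIN, challenge), challenge)


def proxied_login() -> tuple:
    """User is on a lookalike proxy domain that relays the real challenge.
    The browser still records the domain it is actually on, so the RP rejects it."""
    challenge = b"constructed-challenge-1"
    return rp_verify(authenticator_sign("https://login-example.com", challenge), challenge)


if __name__ == "__main__":
    print("genuine site:", legitimate_login())
    print("proxied site:", proxied_login())
```

The signature check is not what stops the relay: the signature in the proxied case is perfectly valid, just over data naming the wrong origin. That is the contrast with a one-time code, which carries no information about where it was typed and so relays cleanly through a proxy.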