Expert Intel

The Evolution of MFA: Why Traditional Authentication is Failing

Published: February 20, 2025
Expert: Sam Bracey
Role: SOC Team Lead
Specialises in: Security Operations
What you will learn:
Attackers have evolved past traditional MFA. This guide breaks down how they steal credentials using phishing, session hijacking, and MFA fatigue attacks. You'll learn how these methods work and, most importantly, how to protect your business with phishing-resistant MFA solutions.
Having worked in a SOC for the last four years, I've seen firsthand the tactics threat actors use to bypass security measures. MFA was once considered the ultimate safeguard, but attackers have adapted, and traditional MFA alone is no longer sufficient. Unfortunately, if you think an extra authentication step will keep your business safe, think again. Attackers are finding ways to harvest credentials and bypass MFA protections daily, and if your organisation isn't deploying phishing-resistant MFA, or another form of check during sign-in, you're at risk.

Why has this MFA evolution happened?

Cyber security is an infinite game – an arms race. Every time we create stronger authentication methods, attackers develop new ways to undermine them. Traditional MFA, which relies on SMS-based codes or app-generated tokens, was effective when attackers primarily targeted passwords. However, modern adversaries now leverage advanced phishing techniques, automation, and AI-driven social engineering to manipulate users.

Below, I'll break down how MFA credential theft happens, the dangers it presents, and, most importantly, how to protect against it with phishing-resistant MFA solutions.

MFA Credential Stealing: How Attackers Bypass Authentication

MFA credential stealing involves an attacker finding a way to steal a session token that is accepted during the MFA check on a sign-in. Once stolen, the token is replayed to complete the MFA check without the attacker ever possessing the second factor. While MFA was once seen as the gold standard for protection, attackers have developed techniques to bypass it, exploiting human error, weak configurations, and vulnerabilities in authentication flows.

Hackers use several methods to steal MFA credentials, including: 

  • Man-in-the-Middle (MitM) Attacks – Adversary-in-the-middle (AiTM) phishing proxies steal authentication tokens by sitting between the user and the legitimate login page. An example of this might be:
    • Attackers deploy a phishing site that looks identical to Microsoft 365, tricking users into entering credentials, which are forwarded to the real site while the proxy captures the resulting session tokens. This method of stealing MFA tokens is becoming a regular occurrence, leaning on common tools developed by offensive security practitioners.
  • SIM Swapping – Attackers take over a victim's phone number to intercept SMS-based MFA codes.
  • MFA Fatigue Attacks – Cybercriminals bombard users with repeated push notifications until they mistakenly approve access.
  • Session Hijacking – Attackers steal active session cookies to bypass MFA entirely.
    • Example: Malicious JavaScript injected into a page extracts authentication cookies, giving the attacker persistent access.
[Figures: "Phishing email journey" and "Man in the Middle Attack"]

Once an attacker successfully bypasses MFA, they gain access to sensitive systems, allowing them to: 

  • Sign in to accounts and steal valuable business data. 
  • Move laterally within an organisation to escalate privileges. 
  • Exploit weak authentication policies to evade detection. 
  • Circumvent geolocation or device-based security controls. 

Organisations relying on traditional MFA (e.g., SMS codes or one-time passwords) must recognise these risks and take action to adopt more resilient authentication methods. 

Phishing-Resistant MFA: The Solution

To combat sophisticated MFA bypass techniques, organisations can enforce policies that require phishing-resistant MFA. These methods are designed to prevent attacks by removing the reliance on easily compromised authentication factors.

Hardware security keys

  • Physical USB, NFC, or biometric-based keys that require direct possession.
  • Un-phishable authentication, since credentials never leave the device.
  • Compatible with major identity platforms like Microsoft Entra ID and Google Workspace.

Passkeys

  • Use device-native biometrics like Face ID or Windows Hello.
  • No passwords or SMS codes that can be phished or stolen.
  • Enhanced user experience with faster and more secure logins.

Certificate-based authentication

  • Cryptographic certificates replace passwords for stronger identity verification.
  • Ensures only trusted, enrolled devices can authenticate.
  • Commonly used in zero-trust environments.

Other phishing-resistant methods

  • Mutual TLS Authentication (mTLS) – Requires both the client and server to authenticate each other via certificates.
  • Time-Based One-Time Password (TOTP) with Device Binding – Ensures OTPs can only be generated on pre-registered devices.
  • Behavioural Biometrics – Monitors how users type, move their mouse, and interact with systems.
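To show why hardware security keys and passkeys resist the AiTM proxy described earlier, here is an added Python illustration (written for this page; it is not code from the original article or from Stripe OLT) of the origin binding that FIDO2/WebAuthn-style credentials rely on. It models the relying party's checks with a toy authenticator: the RP ID, the origins and the domain names are constructed, and an HMAC with a per-credential secret stands in for the real public-key signature.

```python
import hashlib
import hmac
import json
import os

# Added illustration: a toy model of FIDO2/WebAuthn-style origin binding.
# Real WebAuthn signs with a per-credential private key and verifies with the
# stored public key; here an HMAC with a per-credential secret stands in for the
# key pair so the example runs on the standard library alone. All names and
# domains below are constructed for the example.

RP_ID = "login.example.com"                      # assumed relying-party identifier
ALLOWED_ORIGINS = {"https://login.example.com"}  # origins the RP will accept


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Toy authenticator holding one credential scoped to one RP ID."""

    def __init__(self, rp_id: str) -> None:
        self.rp_id = rp_id
        self.secret = os.urandom(32)  # stands in for the credential private key

    def get_assertion(self, challenge: bytes, origin: str) -> dict:
        # The browser, not the web page, fills in the origin it is connected to,
        # so a proxy on a lookalike domain cannot claim the genuine origin.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
            sort_keys=True,
        ).encode()
        auth_data = sha256(self.rp_id.encode())  # rpIdHash
        signature = hmac.new(self.secret, auth_data + sha256(client_data),
                             hashlib.sha256).digest()
        return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


class RelyingParty:
    """Toy RP: issues one-time challenges and verifies assertions against them."""

    def __init__(self, rp_id: str, allowed_origins: set, credential_secret: bytes) -> None:
        self.rp_id = rp_id
        self.allowed_origins = allowed_origins
        self.credential_secret = credential_secret  # stands in for the stored public key
        self.pending = set()                        # challenges issued but not yet used

    def new_challenge(self) -> bytes:
        challenge = os.urandom(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, assertion: dict) -> tuple:
        client_data = json.loads(assertion["client_data"])
        if client_data.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        challenge = bytes.fromhex(client_data.get("challenge", ""))
        if challenge not in self.pending:
            return False, "unknown or already-used challenge (replay)"
        if client_data.get("origin") not in self.allowed_origins:
            return False, f"origin mismatch: {client_data.get('origin')}"
        if assertion["auth_data"] != sha256(self.rp_id.encode()):
            return False, "rpIdHash mismatch"
        expected = hmac.new(self.credential_secret,
                            assertion["auth_data"] + sha256(assertion["client_data"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        self.pending.discard(challenge)  # every challenge is single use
        return True, "ok"


def setup():
    auth = Authenticator(RP_ID)
    rp = RelyingParty(RP_ID, ALLOWED_ORIGINS, auth.secret)
    return auth, rp


def legitimate_login() -> tuple:
    auth, rp = setup()
    return rp.verify(auth.get_assertion(rp.new_challenge(), "https://login.example.com"))


def aitm_proxy_login() -> tuple:
    # A proxy on a lookalike domain relays the genuine challenge to the victim's
    # browser, but the browser signs with the origin it actually sees.
    auth, rp = setup()
    relayed = rp.new_challenge()
    return rp.verify(auth.get_assertion(relayed, "https://login-example.com"))


def replayed_assertion() -> tuple:
    # A captured genuine assertion cannot be reused: its challenge is spent.
    auth, rp = setup()
    assertion = auth.get_assertion(rp.new_challenge(), "https://login.example.com")
    rp.verify(assertion)
    return rp.verify(assertion)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("via proxy: ", aitm_proxy_login())
    print("replayed:  ", replayed_assertion())
```

In a real browser the check happens even earlier: the browser refuses to invoke the authenticator when the RP ID is not a registrable suffix of the page's origin, so a proxy on the constructed `login-example.com` never obtains a signature at all. The RP-side checks modelled here are the second line: the signed client data carries the origin the browser actually saw, and each challenge is single use, so neither a relayed nor a replayed assertion verifies. Contrast that with an SMS code or TOTP, which is bound to nothing and verifies wherever it is typed.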

Enhancing MFA with Additional Security Layers 

  1. Implementing Three-Factor Authentication (3FA)
    • Combines three factors:
      • Something you know (password or PIN)
      • Something you have (security key)
      • Something you are (biometrics like fingerprints or facial recognition)
  2. Implementing Conditional Access Policies
    • Geofencing – Restrict authentication attempts to specific locations.
    • Device Trust – Only allow access from corporate-managed devices.
    • Risk-Based Authentication – Block access from unusual or high-risk login attempts.
  3. Real-Time Monitoring & Response
    • For those that want to prioritise security, a Security Operations Centre (SOC) like the one we run at Stripe OLT will detect and respond to unusual authentication behaviour in real time, including suspicious token use or malformed browsers that can indicate an attempt to bypass security policies.
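As an added example of the kind of authentication monitoring point 3 refers to (illustrative Python written for this page, not Stripe OLT's SOC tooling), the following runs two simple detections over a handful of constructed sign-in events: a session token used from a different IP address or browser than the one that completed MFA, and a burst of push prompts to one user within a short window. The event field names, sample values and thresholds are assumptions; real identity-provider logs would need mapping onto them.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from any real tenant). Field names are
# assumptions for this example; map them from your identity provider's logs.
SAMPLE_EVENTS = [
    {"ts": "2025-02-20T08:00:00", "user": "alice", "event": "mfa_push_approved",
     "session": "s-1", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/121"},
    {"ts": "2025-02-20T08:05:00", "user": "alice", "event": "session_token_used",
     "session": "s-1", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/121"},
    # The same session token, minutes later, from another network and client.
    {"ts": "2025-02-20T08:09:00", "user": "alice", "event": "session_token_used",
     "session": "s-1", "ip": "198.51.100.7", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/122"},
    # A burst of push prompts at night, one a minute, ending in an approval.
    *[{"ts": f"2025-02-20T22:1{i}:00", "user": "bob", "event": "mfa_push_sent",
       "session": "s-2", "ip": "198.51.100.9", "ua": ""} for i in range(6)],
    {"ts": "2025-02-20T22:16:30", "user": "bob", "event": "mfa_push_approved",
     "session": "s-2", "ip": "198.51.100.9", "ua": ""},
    # Ordinary activity from a third user.
    {"ts": "2025-02-20T09:00:00", "user": "carol", "event": "mfa_push_approved",
     "session": "s-3", "ip": "203.0.113.44", "ua": "Mozilla/5.0 (Macintosh) Safari/17"},
    {"ts": "2025-02-20T09:30:00", "user": "carol", "event": "session_token_used",
     "session": "s-3", "ip": "203.0.113.44", "ua": "Mozilla/5.0 (Macintosh) Safari/17"},
]


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def detect_token_misuse(events: list) -> list:
    """Alert when a session token is used from a client fingerprint (IP address,
    user agent) other than the one recorded when MFA completed for that session.
    A replayed token from an AiTM proxy or a stolen cookie shows up this way."""
    bound = {}   # session -> (ip, ua) captured at MFA completion (or first use)
    alerts = []
    for e in events:
        if e["event"] not in ("mfa_push_approved", "session_token_used"):
            continue
        fingerprint = (e["ip"], e["ua"])
        if e["session"] not in bound:
            bound[e["session"]] = fingerprint
        elif fingerprint != bound[e["session"]]:
            alerts.append({"rule": "token_replay", "user": e["user"], "ts": e["ts"],
                           "session": e["session"],
                           "detail": f"bound to {bound[e['session']]}, used from {fingerprint}"})
    return alerts


def detect_mfa_fatigue(events: list, threshold: int = 5,
                       window: timedelta = timedelta(minutes=10)) -> list:
    """Alert once when a user receives `threshold` push prompts inside `window`.
    Firing on the exact count gives one alert per burst rather than one per prompt."""
    recent = defaultdict(deque)  # user -> timestamps of recent push prompts
    alerts = []
    for e in events:
        if e["event"] != "mfa_push_sent":
            continue
        now = parse_ts(e["ts"])
        queue = recent[e["user"]]
        queue.append(now)
        while queue and now - queue[0] > window:
            queue.popleft()
        if len(queue) == threshold:
            alerts.append({"rule": "mfa_fatigue", "user": e["user"], "ts": e["ts"],
                           "session": e["session"],
                           "detail": f"{threshold} push prompts within {window}"})
    return alerts


def run_detections(events: list) -> list:
    """Order events by time (logs rarely arrive sorted) and run every rule."""
    ordered = sorted(events, key=lambda e: e["ts"])
    alerts = detect_token_misuse(ordered) + detect_mfa_fatigue(ordered)
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(f"{alert['ts']} {alert['rule']:<13} {alert['user']:<6} {alert['detail']}")
```

Against the constructed events this raises exactly two alerts: the token for alice's session reused from a new address and browser, and bob's fifth push prompt in four minutes. The fingerprint rule is deliberately strict (any change in IP or user agent); in production it would be tuned for mobile networks and browser updates, and the fatigue threshold would be set from the tenant's normal prompt rate.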

The Future of Phishing-Resistant Authentication

As cyber threats continue to evolve, authentication strategies will need to as well. In my opinion, future advancements include: 

  • Decentralised Identity Solutions – Using blockchain-based identity verification to eliminate passwords entirely.
  • AI-Driven Behavioural Authentication – Analysing user behaviour patterns instead of static credentials for authentication.
  • Quantum-Safe Authentication – Future-proofing authentication against quantum computing threats.

The main takeaway?

MFA credential stealing is a growing threat – we’re all talking about it. Leaders need to realise that traditional MFA methods are no longer sufficient to stop determined attackers. Organisations must adopt phishing-resistant MFA solutions such as hardware keys, passkeys, and certificate-based authentication. By combining these technologies with additional security layers like 3FA, conditional access policies, and real-time SOC monitoring, businesses can significantly reduce the risk of credential theft and unauthorised access. 

If your business is looking to bolster its security posture, or you need expert guidance, our Security Operations Centre (SOC) team is here to help.