Within the barrage of headlines, stories, and lived experiences regarding identity theft and cyberattacks, there are often key themes worth exploring. For instance, the CEO of UnitedHealth Group recently admitted, as reported by CBS News, that the cyberattack against the massive insurer succeeded because the entry point "...server did not have MFA (multi-factor authentication) on it" [1].
Likewise, the attacks against MGM and Caesars Entertainment, Inc. were perpetrated in part because the threat actors "overwhelm targets using multi-factor authentication notification fatigue tactics" [2]. Consider also this headline [3], generated from the State of Authentication in the Finance Industry report (2022) [4]: "Authentication weakness responsible for 80% of financial breaches."
These examples all indicate that MFA is an important tool for maintaining cyber security and organizational resilience, making it worth a deeper examination.
MFA is an access control applied to individual user accounts that requires more than one method of authentication, drawn from independent categories of credentials, before a login is completed. The principle behind MFA is layered defense: making it more difficult for an unauthorized person to reach a target device, account, or organizational network.
MFA works by requiring two or more of the following categories of authentication factors:
Something You Know (a password, a personal identification number (PIN), or answers to personal questions)
Something You Have (a phone that receives an SMS code or push notification, an authenticator application that generates one-time passcodes (OTPs), a hardware token, or a smart card)
Something You Are (a biometric such as a fingerprint or face scan)
For authentication to succeed, every factor submitted must be correct. This process is preferred over standard username + password authentication because a password alone is easily guessed, stolen, or reused; the additional, independent factor is what gives MFA its robustness.
The relative ease of deploying MFA makes it a recommended component of any user account, particularly for email tenants and cloud-based applications. The simplest deployments need only an SMS text-based code or an authenticator application on the user's phone, with minimal hardware and software changes (though, as discussed below, SMS is the weakest of these options).
However, more complex MFA solutions, such as biometric systems or smart card-based systems for physical access to a space, can require considerable hardware and software changes, including biometric scanners or card readers and the necessary software to authenticate the results. If what is behind the door or what can be accessed through an application is worth safeguarding, MFA is worth installing.
MFA provides a significant level of security by adding checkpoints that are difficult for unauthorized individuals to circumvent. Even if a threat actor obtains one authentication factor, they must still defeat the second or third. This is particularly effective against credential-based attacks such as phishing: an attacker who captures a user's password still cannot replicate a fingerprint or, without further trickery, obtain the OTP from the user's phone. MFA is a useful and, for most accounts, essential component of robust and resilient security.
However, while MFA significantly increases security, it is not infallible. If a user loses the device that generates OTPs, or drops a smart card, whoever finds it now holds that factor. Biometric systems can sometimes be fooled by high-quality forgeries. And MFA systems must be implemented and managed correctly to retain their value.
For instance, if a system allows certain users to bypass MFA, or if administrators do not regularly review and update security settings, the effectiveness of MFA is undermined. Notwithstanding these weaknesses, MFA remains one of the most effective methods for securing user identities and protecting resources from unauthorized access.
Despite the widely circulated statistic that 99.9% of account compromise attacks can be prevented with MFA (Microsoft [5], CISA [6]), the reality of the threat landscape is not so simple. MFA should be part of any security stack for businesses and individuals alike, but there are numerous weaknesses that threat actors leverage to bypass it.
In order to repel threat actors, it is first essential to learn how they operate and what you can do to better protect your accounts.
One weakness sits in the realm of human behavior and is termed MFA fatigue [7], sometimes called push bombing. An attacker who already holds a valid password triggers push-notification prompts to the victim's phone over and over, until the user approves one simply to make the prompts stop or in the belief that the request is a glitch. The tactic works because MFA is not always user-friendly: going through repeated authentication stages is inconvenient, especially when the process is time-consuming, complex, or persistent, and less tech-savvy users struggle most. Frustration leads to poor security practices, and one careless tap is all the attacker needs. Push providers have responded with number matching, where the user must type a number shown on the login screen into the app, which turns a reflexive "Approve" into a deliberate act.
Another avenue for exploitation is SIM swapping, to which SMS-based MFA is vulnerable. In this scenario, an attacker tricks a mobile network provider into transferring the victim's phone number to a new SIM card that the attacker controls, after which every SMS verification code is delivered to the attacker's handset.
Another tactic increasing in usage among threat groups is the theft of session cookies [8], the tokens a web application issues after a successful login so that the browser does not have to authenticate again until the session expires. The technique [9], which shares tooling with phishing and business email compromise (BEC) attack kits, requires the threat actor to stand up a fake landing and login page mimicking the real one. The fake page acts as a proxy: as the victim types a username, password, and OTP, the kit forwards them to the legitimate site in real time, the login succeeds, and the session cookie the legitimate site returns is captured by the attacker, who can then use it without the password or any further OTP. The "kits" are essentially build-your-own development guides with pre-written code, so anyone willing to pay can perform such attacks.
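Push bombing leaves a distinctive trace in sign-in logs: many push prompts for one user in a short window, most of them denied or timed out, often ending in a single approval. The following Python is an added example for this article, not code from the original or from any vendor product; the log format (one line of `timestamp key=value` fields), the field names, and the sample entries are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data): "jdoe" is push-bombed and finally
# approves a prompt; "asmith" is a normal single-prompt login. Field names are assumed.
SAMPLE_LOG = """\
2024-09-10T02:14:05Z user=jdoe event=mfa_push result=denied ip=203.0.113.7
2024-09-10T02:14:41Z user=jdoe event=mfa_push result=denied ip=203.0.113.7
2024-09-10T02:15:20Z user=asmith event=mfa_push result=approved ip=198.51.100.22
2024-09-10T02:15:33Z user=jdoe event=mfa_push result=timeout ip=203.0.113.7
2024-09-10T02:16:10Z user=jdoe event=mfa_push result=denied ip=203.0.113.7
2024-09-10T02:17:48Z user=jdoe event=mfa_push result=approved ip=203.0.113.7
2024-09-10T09:02:11Z user=jdoe event=mfa_push result=approved ip=192.0.2.45
"""


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' line into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_bombing(log_text: str, max_prompts: int = 3,
                        window: timedelta = timedelta(minutes=10)) -> list:
    """Return one alert per user whose densest burst of MFA push prompts exceeds
    max_prompts within `window`. A burst of denials/timeouts that ends in an
    approval is the tell-tale sign of a user who gave in to the prompts."""
    pushes = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") == "mfa_push":
            pushes[rec["user"]].append(rec)

    alerts = []
    for user, events in pushes.items():
        events.sort(key=lambda r: r["ts"])
        best, start = [], 0
        for end, rec in enumerate(events):      # sliding window over the user's prompts
            while rec["ts"] - events[start]["ts"] > window:
                start += 1
            burst = events[start:end + 1]
            if len(burst) >= len(best):          # keep the densest (latest, on ties) burst
                best = burst
        if len(best) > max_prompts:
            alerts.append({
                "user": user,
                "prompts": len(best),
                "first": best[0]["ts"].isoformat(),
                "last": best[-1]["ts"].isoformat(),
                "unsolicited": sum(1 for r in best if r["result"] != "approved"),
                "approved_after_refusals": best[-1]["result"] == "approved",
                "ips": sorted({r["ip"] for r in best}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

In practice the threshold and window come from a baseline of how many prompts a legitimate user generates per login; the `approved_after_refusals` flag is what should raise severity, because it means a prompt the user had been rejecting was finally accepted and a session now exists.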
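To make the real-time relay concrete, here is an added simulation, written for this article rather than taken from any attack kit or from the original text. It models a legitimate site that checks a password plus a standard time-based OTP (RFC 6238 TOTP, implemented here from scratch with the standard library) and issues a bearer session cookie, and a phishing proxy that forwards what the victim types. The user name, password, IP addresses, and the reuse of the RFC 6238 reference secret are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over RFC 4226 HOTP (HMAC-SHA1 with dynamic truncation)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class RealSite:
    """The legitimate web application: password + TOTP, then a bearer session cookie."""

    def __init__(self, users):
        self.users = users        # username -> (password, totp_secret)
        self.sessions = {}        # cookie -> {"user": ..., "ip": ...}
        self.signin_log = []      # what the SOC would see

    def login(self, user, password, otp, client_ip, now):
        stored_pw, secret = self.users.get(user, (None, None))
        ok = (stored_pw is not None
              and hmac.compare_digest(password, stored_pw)
              and hmac.compare_digest(otp, totp(secret, now)))
        self.signin_log.append({"user": user, "ip": client_ip, "ok": ok})
        if not ok:
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = {"user": user, "ip": client_ip}
        return cookie

    def mailbox(self, cookie):
        sess = self.sessions.get(cookie)
        return None if sess is None else f"mailbox of {sess['user']}"


class PhishingProxy:
    """The look-alike login page: relays whatever the victim types to RealSite at once."""

    def __init__(self, real, attacker_ip):
        self.real = real
        self.attacker_ip = attacker_ip
        self.stolen = []          # (user, password, session cookie)

    def login(self, user, password, otp, now):
        # Forwarded immediately, so the 30-second OTP is still inside its window at the real site.
        cookie = self.real.login(user, password, otp, self.attacker_ip, now)
        if cookie is not None:
            self.stolen.append((user, password, cookie))
        return cookie is not None   # the victim just sees "signed in"


def simulate(now: int = 1_700_000_000) -> dict:
    """Constructed scenario: a TOTP-protected victim logs in through the phishing proxy."""
    secret = b"12345678901234567890"   # the RFC 6238 reference secret; a real one is random
    real = RealSite({"alice": ("correct horse battery staple", secret)})
    proxy = PhishingProxy(real, attacker_ip="203.0.113.66")

    # Victim reads the code off her authenticator app and types it into the fake page.
    victim_otp = totp(secret, now)
    victim_saw_success = proxy.login("alice", "correct horse battery staple", victim_otp, now)

    # Attacker replays the captured cookie; no password or OTP is needed a second time.
    _, _, cookie = proxy.stolen[0]
    attacker_view = real.mailbox(cookie)

    # Replaying the captured OTP two time steps later fails: the cookie is the prize, not the code.
    stale = real.login("alice", "correct horse battery staple", victim_otp, "203.0.113.66", now + 60)

    return {
        "victim_saw_success": victim_saw_success,
        "attacker_has_mailbox": attacker_view == "mailbox of alice",
        "session_ip": real.sessions[cookie]["ip"],   # the proxy's IP, never the victim's
        "stale_otp_accepted": stale is not None,
    }


if __name__ == "__main__":
    print(simulate())
```

Two points worth noticing in the output: the OTP check at the real site passes, because the code is genuine and still within its validity window, so nothing in the password-plus-OTP logic detects the relay; and the only sign-in the real site ever records comes from the proxy's address, which is why a successful MFA login from infrastructure the user has never used before deserves a second look.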
Additional reports indicate threat actors are sometimes able to disable the MFA requirement altogether by compromising administrative accounts, most likely via phishing or social engineering. The point is that threat actors have developed, and continue to develop, numerous techniques to bypass MFA, and this can be expected to continue as adoption of the technology widens.
According to Proofpoint's 2024 State of the Phish Report, "over one million attacks are launched with the MFA-bypass framework EvilProxy every month," indicating a profound need for an effective defense against these threats [10]. As a further sign that MFA is a core component of a resilient security stack, Microsoft is requiring it for select tenants [11].
To ensure MFA works as intended and bypass attacks are limited, organizations must build user training and awareness into onboarding and ongoing development. For MFA to be effective, users need to understand why it is necessary, how to use it, and what an unexpected prompt or an unfamiliar login page means. This requires substantial training and awareness-building, which is challenging and time-consuming but far cheaper than being victimized.
No single tool or software is a panacea for all cyberattacks; however, MFA, when properly deployed and configured and paired with discerning, well-trained individuals, can go a long way in safeguarding accounts connected to critical, sensitive information.
If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.
©2025 SpearTip, LLC. All rights reserved.