Threat Research

MFA Bypass Techniques: Understanding the Attacks That Defeat Multi-Factor

Jamie R.

MFA Is Not Bulletproof

Multi-factor authentication dramatically reduces account compromise, but it is not impenetrable. Sophisticated attackers have developed techniques to bypass MFA, and understanding these methods is essential for choosing the right MFA implementation and layering additional defenses.

Adversary-in-the-Middle Attacks

Phishing toolkits like Evilginx2 create convincing login pages that proxy the real authentication flow. When a user enters their credentials and MFA code, the proxy relays them to the real site in real time, captures the resulting session cookie, and gives it to the attacker. From the user's perspective, they logged in normally. From the attacker's perspective, they now have a valid session that bypasses MFA entirely.

MFA Fatigue and Push Bombing

When organizations use push notification MFA, attackers who have stolen credentials can repeatedly trigger authentication prompts on the user's phone. Eventually, the exhausted user approves a prompt just to make it stop - especially at 3 AM. Implement number matching (requiring the user to enter a number displayed on the login screen into their phone) and limit the number of MFA prompts per time period to defeat this technique.
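The two mitigations above, prompt rate limiting and number matching, are small enough to show together. The following is an added example written for this article, not code from any MFA vendor; the limits (three prompts per five minutes, a fifteen-minute lockout, a two-digit match number) are constructed policy values, and the class, method and user names are assumptions. The point it demonstrates is that a push the user did not initiate cannot be completed, because the matching number is shown only on the login screen the attacker controls, and that repeated prompts lock the factor rather than wearing the user down.

```python
import secrets
from collections import deque
from dataclasses import dataclass, field

# Constructed policy values (a deployment choice, not taken from the article).
MAX_PROMPTS_PER_WINDOW = 3     # prompts a user may receive per window
WINDOW_SECONDS = 300           # sliding window for the limit above
LOCKOUT_SECONDS = 900          # push MFA disabled for the user after a burst


@dataclass
class PushMfaPolicy:
    """Rate-limits push prompts per user and enforces number matching.

    Hypothetical class: request_push() is called by the login server when
    a password has been verified, approve() when the phone app reports the
    number the user typed into it.
    """
    _history: dict = field(default_factory=dict)      # user -> deque of prompt times
    _locked_until: dict = field(default_factory=dict) # user -> lockout expiry
    _pending: dict = field(default_factory=dict)      # user -> number on login screen
    alerts: list = field(default_factory=list)        # records for the SOC

    def request_push(self, user: str, now: float):
        """Return (allowed, number). `number` is displayed on the login page;
        the user must type it into the phone app to approve."""
        if self._locked_until.get(user, 0) > now:
            return False, None
        hist = self._history.setdefault(user, deque())
        while hist and now - hist[0] > WINDOW_SECONDS:
            hist.popleft()                       # drop prompts outside the window
        if len(hist) >= MAX_PROMPTS_PER_WINDOW:
            # A burst of prompts is the push-bombing signature: lock the factor,
            # discard any pending challenge and raise an alert instead of prompting.
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._pending.pop(user, None)
            self.alerts.append({"user": user, "time": now,
                                "event": "push_mfa_locked_excess_prompts"})
            return False, None
        hist.append(now)
        number = secrets.randbelow(100)          # two-digit match number
        self._pending[user] = number
        return True, number

    def approve(self, user: str, entered: int, now: float) -> bool:
        """Accept the approval only if the typed number matches the one shown on
        the login screen. The challenge is single-use."""
        if self._locked_until.get(user, 0) > now:
            return False
        expected = self._pending.pop(user, None)
        return expected is not None and entered == expected


if __name__ == "__main__":
    policy = PushMfaPolicy()
    for t in (0, 10, 20, 30):
        allowed, number = policy.request_push("alice", float(t))
        print(f"t={t:>3}s allowed={allowed} number={number}")
    print("alerts:", policy.alerts)
```

An attacker who only holds the password can trigger prompts but never sees the number on the login screen, so every approval they solicit fails; the lockout plus the alert record is the detection hook for the SOC.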

Phishing-Resistant MFA

Hardware security keys using FIDO2/WebAuthn are resistant to adversary-in-the-middle attacks because the key verifies the domain of the site requesting authentication. A phishing proxy on a different domain cannot obtain a valid authentication response from the key. For the highest-value accounts (administrators, executives, finance), hardware security keys provide the strongest available protection against MFA bypass.
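The domain check that makes FIDO2/WebAuthn phishing-resistant is visible in the relying party's verification of an assertion. The example below is added for this article and is not the code of any WebAuthn library; the relying party ID, the expected origin, the decoy proxy domain and the sample assertions are all constructed. It performs the origin, challenge and rpIdHash checks from the WebAuthn assertion verification procedure and stops short of the signature check, which a full verifier then runs over `authenticatorData || SHA-256(clientDataJSON)`. Because the browser writes the page's real origin into `clientDataJSON` and the authenticator hashes the relying party ID it was actually invoked for, an assertion relayed through a proxy on another domain fails here before any signature is examined.

```python
import base64
import hashlib
import json

# Assumed deployment values (not from the article).
RP_ID = "example.com"                        # relying party ID registered with the key
EXPECTED_ORIGIN = "https://login.example.com"  # the only origin allowed to log in


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: bytes):
    """Origin/rpId/challenge checks of WebAuthn assertion verification.

    Returns (ok, reason). Signature verification over
    authenticator_data + sha256(client_data_json) is deliberately omitted.
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if _b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or foreign assertion)"
    # The browser, not the page script, fills in the origin, so a proxy page
    # served from another domain cannot claim to be EXPECTED_ORIGIN.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {client_data.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    # First 32 bytes of authenticatorData: SHA-256 of the rpId the key signed for.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match relying party"
    flags = authenticator_data[32]
    if not flags & 0x01:                      # UP bit: user presence was verified
        return False, "user presence flag not set"
    return True, "ok"


def make_sample(origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for what a browser and authenticator would emit
    when a login page at `origin` asks a key to sign for `rp_id`."""
    client_data = {"type": "webauthn.get",
                   "challenge": _b64url_encode(challenge),
                   "origin": origin}
    auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
                 + bytes([0x01])                            # flags: UP set
                 + (0).to_bytes(4, "big"))                  # signature counter
    return json.dumps(client_data).encode(), auth_data


if __name__ == "__main__":
    challenge = bytes(range(32))               # constructed server challenge
    # Genuine login from the real site.
    print(check_assertion_binding(*make_sample(EXPECTED_ORIGIN, RP_ID, challenge), challenge))
    # Same user, same key, but the page was served by a proxy on a decoy domain
    # (constructed name); the browser records that origin and rpId instead.
    decoy = "login.example-com.test"
    print(check_assertion_binding(*make_sample("https://" + decoy, decoy, challenge), challenge))
```

The proxy cannot repair either field: the origin is set by the victim's browser from the URL bar, and the rpIdHash is computed by the authenticator from a relying party ID the browser only permits when it matches the page's domain, so the relayed response is rejected by the real site.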
