
False confidence: the real problem with MFA

Ed Williams at LevelBlue explains the issues around the effectiveness of multi-factor authentication

Multi-factor authentication has become one of the cyber-security industry’s favourite success stories. It is widely deployed, frequently mentioned in board reports and often presented as proof that an organisation has done the right thing. Yet according to LevelBlue’s Q1 TTP briefing, 84% of organisations had MFA in place last quarter, and attackers still bypassed it in 95% of those cases. This confidence in MFA is quickly spilling into dangerous ground.


This is by no means a sign that MFA is irrelevant. It is a sign that too many organisations have mistaken implementation for resilience. The uncomfortable truth is that many businesses treat MFA as a finish line, when MFA is only as strong as the way it is configured, enforced and maintained. In practice, many deployments still rely on methods that can be phished, intercepted or socially engineered around.


This “once it is switched on, the job is done” mindset is creating a false confidence, which attackers thrive on.


Attackers are still winning against MFA

The primary reason MFA continues to be bypassed is not that attackers have some unknown capability. It is that the gaps between policy and reality are easily exploited. Adversary-in-the-middle attacks, session token interception and social engineering remain effective because many organisations still allow authentication flows that are too easy to manipulate.


Furthermore, that problem is compounded by the way modern phishing has evolved. AI has lowered the barrier to producing convincing lures. At the same time, trusted collaboration platforms have become a new delivery channel for impersonation attacks. LevelBlue observed threat actors using Microsoft Teams to pose as IT staff, often after gaining access through a compromised external account or a misconfigured guest setting. In those situations, with the message landing inside a trusted environment, the deception becomes far more effective.


The question, therefore, has moved beyond whether an organisation has MFA in place to whether the MFA itself can stand up to evolving attack techniques. If the answer is no, then the MFA is simply providing reassurance rather than protection.


Some MFA methods are stronger than others

A common mistake in cyber-security is to treat every form of MFA as though it offers the same value. This is not true. Traditional push notifications and one-time codes are better than passwords alone, but they are not the same as phishing-resistant MFA. Hardware keys and passkeys bind authentication to the legitimate service in a way that makes interception much harder.


Such a distinction matters, especially for privileged users and high-value systems. If an attacker can phish an employee, trick them into approving a prompt, or steal a session token after login, then the MFA has failed. Keeping that in mind, organisations need to start prioritising stronger methods of protection for the accounts that would cause the greatest damage if compromised.
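The "binding to the legitimate service" that makes hardware keys and passkeys phishing-resistant is worth seeing in code. The following is an added illustration, not code from the article or from LevelBlue: a simplified WebAuthn assertion flow in which the browser, not the page, writes the real origin into clientDataJSON, so a challenge relayed through a lookalike domain fails verification at the relying party. The RP name, origin and the keyed-HMAC stand-in for the authenticator's asymmetric signature are assumptions made for the demo.

```python
import hashlib
import hmac
import json
import secrets

# Relying-party (RP) configuration. Constructed example values, not a real deployment.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"

# Stand-in authenticator: a keyed HMAC replaces the real asymmetric signature
# (WebAuthn authenticators use ECDSA/EdDSA); the binding logic is the same.
CREDENTIAL_KEY = secrets.token_bytes(32)


def authenticator_sign(rp_id, client_data_json):
    """Authenticator signs authenticatorData || SHA-256(clientDataJSON).
    authenticatorData starts with SHA-256(rpId); a real browser only lets a page
    request a credential for its own registrable domain."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return auth_data, hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()


def browser_assertion(page_origin, challenge, rp_id):
    """Browser builds clientDataJSON. The origin comes from the page the user is
    actually on; page JavaScript (or a phishing proxy) cannot override it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data, sig = authenticator_sign(rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(client_data, auth_data, sig, issued_challenge):
    """Simplified RP-side checks from the WebAuthn assertion verification procedure."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != issued_challenge:
        return False                      # replayed or foreign challenge
    if cd.get("origin") != RP_ORIGIN:
        return False                      # assertion was produced on another site
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                      # rpIdHash does not match this RP
    expected = hmac.new(CREDENTIAL_KEY, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def login_attempt(page_origin):
    """RP issues a fresh challenge, the browser at page_origin answers it, RP verifies.
    An adversary-in-the-middle proxy can relay the challenge but not change the origin."""
    challenge = secrets.token_urlsafe(32)
    return rp_verify(*browser_assertion(page_origin, challenge, RP_ID), challenge)
```

Contrast this with a one-time code, which carries no notion of origin at all and is equally valid whether typed into the real login page or a proxy in front of it.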


Governance is also a key consideration. MFA is often deployed unevenly across applications, with exceptions carved out for legacy systems, remote access tools or privileged workflows. Every exception is an opening. Every fallback path is a potential bypass point for an attacker.


What dwell time tells us

One of the most worrying findings in LevelBlue’s data is that 38% of cases involved a dwell time of more than 31 days before incident response teams were engaged. During this window, attackers are not sitting idle. They are mapping the environment, identifying where sensitive data lives and deciding how to turn access into profit.


They may also move laterally, create additional access routes or prepare exfiltration and extortion before anyone realises they are inside. By the time a response begins, the problem is often no longer just the initial compromise. It is the weeks’ worth of undetected activity that followed it.


That is why MFA should not be discussed in isolation. If identity protection is weak and if detection is slow, then even a partially effective MFA setup may simply delay the inevitable. Organisations, therefore, need to think in terms of broader attack containment rather than just login prevention.


What needs fixing

The solution to these challenges is operational discipline and not more security theatre. Organisations need to move high-risk users to phishing-resistant MFA, remove weak fallback methods wherever possible and review where authentication can still be bypassed through legacy processes or poorly governed exceptions.


Real-world behaviours of help desks and users should also be routinely tested. A security control that can be overridden by a convincing phone call or an urgent message from “IT” is not a strong enough defence. Scenario-based awareness training, access reviews and continuous testing are important because they reveal the places where systems and people are easiest to manipulate.


Just as importantly, organisations need better visibility into identity activity. Knowing who has access to what, where tokens are being reused and where abnormal sign-ins are occurring remains one of the most effective ways to catch problems early.
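Two of the signals mentioned above, reused session tokens and abnormal sign-ins, can be pulled out of ordinary identity-provider sign-in logs. The code below is an added example, not LevelBlue's tooling or any vendor's product: it runs over a handful of constructed sign-in events and flags (a) a session token that reappears from a different IP and a different client than the one that created it, the footprint of a stolen cookie being replayed, and (b) a user signing in from two countries within an hour. Field names and values are made up for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real telemetry), in the shape of an identity
# provider's sign-in log: who, which session token, from where, with what client.
SAMPLE_EVENTS = [
    {"ts": "2025-03-03T09:00:00Z", "user": "alice", "session": "S1",
     "ip": "203.0.113.10", "ua": "Chrome/Win", "country": "GB"},
    {"ts": "2025-03-03T09:04:00Z", "user": "alice", "session": "S1",
     "ip": "198.51.100.7", "ua": "python-requests", "country": "NL"},  # replayed S1
    {"ts": "2025-03-03T09:10:00Z", "user": "bob", "session": "S2",
     "ip": "203.0.113.22", "ua": "Safari/Mac", "country": "GB"},
    {"ts": "2025-03-03T09:12:00Z", "user": "bob", "session": "S2",
     "ip": "203.0.113.22", "ua": "Safari/Mac", "country": "GB"},  # benign repeat
    {"ts": "2025-03-03T10:00:00Z", "user": "carol", "session": "S3",
     "ip": "203.0.113.40", "ua": "Edge/Win", "country": "GB"},
    {"ts": "2025-03-03T10:20:00Z", "user": "carol", "session": "S4",
     "ip": "192.0.2.99", "ua": "Edge/Win", "country": "BR"},  # new session, far away
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_token_reuse(events):
    """Flag a session token later seen from a different IP *and* a different client
    than the sign-in that created it. Returns (user, session, first_ip, new_ip)."""
    first_seen, alerts = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        origin = first_seen.setdefault(e["session"], e)
        if origin is not e and e["ip"] != origin["ip"] and e["ua"] != origin["ua"]:
            alerts.append((e["user"], e["session"], origin["ip"], e["ip"]))
    return alerts


def find_impossible_travel(events, window=timedelta(hours=1)):
    """Flag a user whose consecutive events come from different countries within
    `window`. Returns (user, previous_country, new_country)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if cur["country"] != prev["country"] and \
                    parse_ts(cur["ts"]) - parse_ts(prev["ts"]) <= window:
                alerts.append((user, prev["country"], cur["country"]))
    return alerts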


Getting the basics right

The industry needs a more honest standard for MFA. Adoption numbers are no longer enough. The real measure is whether the control can resist the techniques attackers are using now rather than the ones it was designed to stop years ago.


If MFA can still be bypassed through weak implementation, it should not be treated as a complete control. MFA remains essential, but too many organisations have mistaken deployment for protection and have gotten comfortable. In cyber-security, comfort is often a sign that the next attack is already being prepared.

Ed Williams is Global Head of Pentesting at LevelBlue


Main image courtesy of iStockPhoto.com and Daniel Balakov

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543