Can attackers bypass multi-factor authentication?
MFA blocks 99% of automated attacks, but determined attackers have found ways around it. Learn about MFA fatigue, SIM swapping, and how to harden your MFA.
Key Takeaways
- MFA blocks over 99% of automated account compromise attempts - it's still essential
- MFA fatigue attacks bombard users with push notifications until they accidentally approve one
- The 2022 Uber breach was caused by an MFA fatigue attack against an external contractor
- Number matching, FIDO2 security keys, and rate limiting are the strongest defenses against MFA bypass
- SMS-based MFA is the weakest form - push notifications with number matching or hardware keys are significantly more secure
You’ve implemented multi-factor authentication across your business. Every account requires a second factor. You’re secure now, right?
Mostly yes. But not completely.
MFA remains one of the single most effective security measures you can deploy. Over 99.9% of compromised accounts lack MFA. But attackers are adapting, and understanding how they try to bypass MFA helps you choose the right type of MFA and train your employees to resist these techniques.
How MFA Is Being Bypassed
1. MFA Fatigue (Push Bombing)
This is the attack that made headlines. Here’s how it works:
- The attacker has already stolen a user’s password (from a phishing attack, data breach, or dark web purchase)
- They attempt to log in, triggering an MFA push notification to the user’s phone
- The user declines the request
- The attacker tries again. And again. And again.
- At 2 AM, after the 50th notification, the exhausted user finally taps “Approve” just to make it stop
Or worse - the attacker contacts the user on WhatsApp or Teams, pretending to be IT support: “We’re doing a system migration. You’ll get an authentication prompt - please approve it.”
The Uber Breach
This is exactly what happened in the 2022 Uber breach. An attacker Uber linked to the Lapsus$ group obtained a contractor’s VPN credentials (Uber believes the password was bought on the dark web after malware infected the contractor’s personal device) and bombarded them with MFA push requests. When the contractor kept declining, the attacker contacted them on WhatsApp posing as Uber IT support and convinced them to approve the prompt. From that single approval the attacker reached Uber’s internal network and went on to access a number of internal tools.
2. Adversary-in-the-Middle (AiTM) Attacks
These sophisticated phishing attacks work like this:
- The attacker sends a phishing email with a link to a fake login page
- The fake page sits between the user and the real login page, proxying the traffic
- The user enters their password - the attacker captures it and forwards it to the real site
- The real site sends an MFA prompt - the user approves it
- The attacker captures the authenticated session token
- The attacker replays that cookie from their own machine; the real site sees an already-authenticated session and never prompts for MFA again
This defeats any factor the user can hand over: SMS codes, email codes, TOTP codes, and push approvals (with or without number matching), because the user really is completing a login, just through the attacker’s proxy. Only factors bound to the site’s origin, FIDO2/WebAuthn credentials such as hardware keys or passkeys, fail here, because the credential registered for the real domain will not sign for the look-alike one.
3. SIM Swapping
For SMS-based MFA:
- The attacker calls your mobile carrier pretending to be you
- They convince the carrier to transfer your phone number to their SIM card
- Now they receive your MFA text messages
- They log into your accounts with your stolen password and intercept the SMS code
SIM swapping has become increasingly common. The attacker only needs a few personal details (often available from social media or previous data breaches) to convince a carrier employee to make the switch.
4. Session Hijacking
Even after successful MFA, attackers can steal the authenticated session:
- Malware on the user’s device captures session cookies
- The attacker uses these cookies to access the account from their own device
- No MFA prompt is triggered because the session is already authenticated; this works against every MFA method, hardware keys included, because the theft happens after the login has completed
5. Social Engineering
The simplest bypass: just ask.
- Attacker calls the help desk pretending to be an employee who lost their phone
- Help desk resets MFA or provides a temporary bypass code
- Attacker uses the bypass to log in
This is how several major breaches in 2023-2025 occurred, including attacks on casino and hospitality companies.
Not All MFA Is Created Equal
The type of MFA you use dramatically affects your risk:
| MFA Method | Security Level | Vulnerable To |
|---|---|---|
| SMS text codes | Weakest | SIM swapping, SMS interception, AiTM phishing, social engineering |
| Email codes | Weak | Mailbox compromise, AiTM phishing, interception |
| Push notifications (basic) | Moderate | MFA fatigue, “please approve” social engineering, AiTM phishing |
| Push with number matching | Strong | AiTM phishing (the proxied page shows the user the genuine number); resistant to fatigue |
| Authenticator app (TOTP) | Strong | AiTM phishing (the code is relayed within its 30-second window); resistant to fatigue and SIM swapping |
| FIDO2 hardware keys | Strongest | Not phishable; only post-login session theft (malware on the endpoint) remains |
What Is Number Matching?
Instead of a simple “Approve/Deny” push notification, number matching shows a two-digit number on the login screen. The user must enter that same number in their authenticator app to approve. This defeats MFA fatigue because an approval now requires seeing the login screen, and a user who is not logging in has nothing to type. It does not defeat AiTM phishing: the proxied login page shows the victim the genuine number, and they type it in as usual.
Microsoft enabled number matching by default for all Authenticator push notifications in 2023. If you’re using Microsoft 365, verify this is active in your environment.
What Are FIDO2 Security Keys?
FIDO2 keys (like YubiKeys) are physical devices that provide cryptographic authentication. They’re considered the gold standard because:
- They can’t be phished (the browser ties the credential to the exact domain it was registered on, so a look-alike domain gets no usable response)
- There’s nothing to intercept (no codes transmitted)
- They can’t be remotely approved (physical possession required)
- They’re immune to MFA fatigue (no notifications to bombard)
For high-risk accounts (IT administrators, executives, finance), FIDO2 keys are worth the investment ($25-50 per key).
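The AiTM section above says a proxy can relay a code but not a FIDO2 response, and the list above says the key verifies the site. The following added example (not code from this article, and not any vendor’s implementation) shows both points in runnable form using only the Python standard library: a TOTP code is the same six digits no matter which page it is typed into, while a WebAuthn-style assertion carries the origin the browser was actually on inside the signed data. The assertion “signature” here is an HMAC with a per-credential key, an assumption standing in for the real ECDSA/EdDSA signature so the example needs no third-party library; the origins and credential material are constructed, and a real relying party additionally checks the rpIdHash and signature counter.

```python
"""TOTP can be relayed through an AiTM proxy; an origin-bound FIDO2 assertion cannot."""
import base64
import hashlib
import hmac
import json
import os
import struct

REAL_ORIGIN = "https://login.example.com"     # assumed legitimate site
PHISH_ORIGIN = "https://login-example.com"    # assumed look-alike proxy domain
# Constructed credential material, not real secrets.
TOTP_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # RFC 6238 test key "12345678901234567890"
CRED_KEY = os.urandom(32)                              # stands in for the authenticator's private key


def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30-second steps). Same code whoever types it, wherever."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def aitm_relays_totp(secret_b32, now):
    """Victim types the code into the proxy's page; the proxy forwards the identical
    string to the real site before the 30 s step ends. Returns True if accepted."""
    typed_on_phish_page = totp(secret_b32, now)
    forwarded_by_proxy = typed_on_phish_page              # nothing ties the code to a site
    return hmac.compare_digest(forwarded_by_proxy, totp(secret_b32, now))


def _client_data(challenge, origin):
    """WebAuthn clientDataJSON: the browser fills in the origin it is actually on."""
    chal = base64.urlsafe_b64encode(challenge).decode().rstrip("=")
    return json.dumps({"type": "webauthn.get", "challenge": chal, "origin": origin},
                      separators=(",", ":")).encode()


def make_assertion(cred_key, challenge, origin_seen_by_browser):
    """Authenticator signs SHA-256(clientDataJSON). HMAC stands in for ECDSA here
    (assumption for a stdlib-only example); the binding property is the same."""
    cd = _client_data(challenge, origin_seen_by_browser)
    sig = hmac.new(cred_key, hashlib.sha256(cd).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": cd, "signature": sig}


def verify_assertion(cred_key, expected_challenge, assertion):
    """Relying-party checks: signature over clientDataJSON, origin is OURS, challenge matches."""
    cd = assertion["clientDataJSON"]
    good_sig = hmac.new(cred_key, hashlib.sha256(cd).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(good_sig, assertion["signature"]):
        return False
    data = json.loads(cd)
    expected = json.loads(_client_data(expected_challenge, REAL_ORIGIN))
    return data["origin"] == expected["origin"] and data["challenge"] == expected["challenge"]


def legitimate_fido2_login(cred_key):
    """User on the real site: browser records REAL_ORIGIN, relying party accepts."""
    challenge = os.urandom(32)
    return verify_assertion(cred_key, challenge, make_assertion(cred_key, challenge, REAL_ORIGIN))


def aitm_relays_fido2(cred_key):
    """Proxy gets a real challenge, passes it to the victim's browser on the phishing
    origin, and forwards the result. Returns True only if the real site accepts."""
    challenge = os.urandom(32)
    victim = make_assertion(cred_key, challenge, PHISH_ORIGIN)   # origin is the phishing site
    if verify_assertion(cred_key, challenge, victim):
        return True
    # Proxy tries to patch the origin field; the signature no longer covers the bytes it sends.
    patched = json.loads(victim["clientDataJSON"])
    patched["origin"] = REAL_ORIGIN
    forged = {"clientDataJSON": json.dumps(patched, separators=(",", ":")).encode(),
              "signature": victim["signature"]}
    return verify_assertion(cred_key, challenge, forged)


if __name__ == "__main__":
    print("TOTP relayed through proxy accepted:  ", aitm_relays_totp(TOTP_SECRET_B32, 1_700_000_000))
    print("FIDO2 legitimate login accepted:      ", legitimate_fido2_login(CRED_KEY))
    print("FIDO2 relayed through proxy accepted: ", aitm_relays_fido2(CRED_KEY))
```

The practical point is in `verify_assertion`: the relying party checks the origin field the browser wrote, and the signature covers that field, so the proxy can neither leave it as the phishing domain nor edit it. A TOTP code has no such field, which is why the table above lists it as vulnerable to AiTM despite being immune to fatigue and SIM swapping.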
How to Harden Your MFA
Step 1: Upgrade Your MFA Methods
- Eliminate SMS-based MFA wherever possible
- Enable number matching on all push-based authentication
- Deploy FIDO2 keys for privileged accounts and high-risk users
- Use authenticator apps (Microsoft Authenticator, Google Authenticator) as a minimum standard
Step 2: Implement Rate Limiting
Configure your identity provider to:
- Disable push for a user (and alert) after 3-5 denied or unanswered push prompts within a short window, falling back to number matching, a hardware key, or help-desk verification
- Alert security teams when push bombing is detected, and treat it as a confirmed password compromise that needs a reset
- Be careful with hard account lockouts: an attacker who already holds the password can use them to lock your users out at will, so suspending push for that user is usually a better response than suspending the account
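The rate-limiting steps above amount to a sliding-window count of non-approved push results per user. The following is an added example (not from this article, and not any identity provider’s own detection) that runs that logic over a few constructed log lines in a simplified format; real IdPs export different schemas, so the parser is the part you would swap out. The threshold, window, and the “approval after a burst” rule are assumptions to tune per environment.

```python
"""Detect push bombing from authentication logs with a sliding window per user."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log for the example (not output of any real IdP). Simplified
# format: <ISO-8601 time> user=<upn> method=<push|totp|...> result=<approved|denied|timeout>
SAMPLE_LOG = """\
2024-03-02T01:55:00 user=alice@example.com method=push result=denied
2024-03-02T01:55:40 user=alice@example.com method=push result=denied
2024-03-02T01:56:30 user=alice@example.com method=push result=timeout
2024-03-02T01:57:10 user=bob@example.com method=push result=denied
2024-03-02T01:58:05 user=alice@example.com method=push result=denied
2024-03-02T02:03:00 user=alice@example.com method=push result=approved
2024-03-02T09:15:00 user=bob@example.com method=totp result=denied
2024-03-02T09:16:00 user=bob@example.com method=push result=approved
""".splitlines()


def parse_line(line):
    """Returns (timestamp, user, method, result) for one log line."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), fields["user"], fields["method"], fields["result"]


def detect_push_bombing(lines, threshold=4, window=timedelta(minutes=10), approve_after=2):
    """Sliding-window detector over push results.

    * `threshold` non-approved pushes (denied or timed out) for one user inside
      `window` -> 'push_bombing' alert; push should stay disabled for that user
      until `lock_push_until` (this function decides, the caller enforces).
    * an approval while at least `approve_after` non-approved pushes are still
      inside the window -> 'approved_after_burst' alert: the classic fatigue
      outcome, and the one to page on.
    Returns alerts in log order.
    """
    recent = defaultdict(deque)      # user -> timestamps of non-approved pushes in window
    locked_until = {}                # user -> time until which push is disabled
    alerts = []
    for line in lines:
        ts, user, method, result = parse_line(line)
        if method != "push":         # other factors are out of scope for this detector
            continue
        q = recent[user]
        while q and ts - q[0] > window:
            q.popleft()              # drop events that fell out of the window
        if result == "approved":
            if len(q) >= approve_after:
                alerts.append({"kind": "approved_after_burst", "user": user,
                               "time": ts, "count": len(q)})
            continue
        q.append(ts)
        already_locked = user in locked_until and ts < locked_until[user]
        if len(q) >= threshold and not already_locked:
            locked_until[user] = ts + window
            alerts.append({"kind": "push_bombing", "user": user, "time": ts,
                           "count": len(q), "lock_push_until": locked_until[user]})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the detector raises a `push_bombing` alert for alice at the fourth non-approved push (01:58:05) and then an `approved_after_burst` alert for the approval at 02:03:00, which is the event an on-call analyst should treat as a likely compromise. Bob’s single denial and his TOTP failure produce nothing.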
Step 3: Add Conditional Access Policies
Layer additional controls on top of MFA:
- Block logins from impossible travel locations
- Require compliant devices for access to sensitive data
- Increase authentication requirements for unusual behavior
- Restrict access from risky IP addresses or countries
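Of the conditional access controls listed above, impossible travel is the one that is easy to reason about in code: two sign-ins by the same user whose distance divided by elapsed time exceeds what an airliner can manage. The following is an added example (not this article’s or any vendor’s implementation) over constructed sign-in events; the 900 km/h ceiling and the 50 km tolerance for geo-IP jitter within one city are assumptions to adjust for your environment, and real geo-IP data is noisier than these fixed coordinates.

```python
"""Flag sign-in pairs that would require impossible travel."""
import math
from collections import defaultdict
from datetime import datetime

# Constructed sign-in events for the example (not real telemetry):
# (time, user, geo-IP city, latitude, longitude)
SAMPLE_SIGNINS = [
    ("2024-03-02T09:00:00", "carol@example.com", "Sydney", -33.87, 151.21),
    ("2024-03-02T10:30:00", "carol@example.com", "Frankfurt", 50.11, 8.68),
    ("2024-03-02T09:05:00", "dave@example.com", "Sydney", -33.87, 151.21),
    ("2024-03-02T11:00:00", "dave@example.com", "Melbourne", -37.81, 144.96),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km on a spherical Earth (radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=900.0, min_distance_km=50.0):
    """Flags consecutive sign-ins by the same user that would need faster-than-airliner
    travel. max_speed_kmh approximates jet cruise speed; min_distance_km absorbs geo-IP
    jitter within one metro area. Both are assumed values to tune per environment."""
    by_user = defaultdict(list)
    for ts, user, city, lat, lon in events:
        by_user[user].append((datetime.fromisoformat(ts), city, lat, lon))
    flags = []
    for user, evs in by_user.items():
        evs.sort()                                   # chronological per user
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(evs, evs[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < min_distance_km:
                continue                             # same area, ignore
            hours = (t2 - t1).total_seconds() / 3600.0
            kmh = km / hours if hours > 0 else math.inf
            if kmh > max_speed_kmh:
                flags.append({"user": user, "from": c1, "to": c2,
                              "km": round(km), "kmh": round(kmh), "at": t2})
    return flags


if __name__ == "__main__":
    for flag in impossible_travel(SAMPLE_SIGNINS):
        print(flag)
```

Carol’s Sydney-to-Frankfurt pair (roughly 16,500 km in 90 minutes) is flagged; Dave’s Sydney-to-Melbourne pair (about 700 km in under two hours) is not. In a real deployment the flag feeds a policy decision such as blocking the second session or stepping up to a hardware key, rather than acting on its own.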
Step 4: Train Your People
Employees should know:
- Never approve an MFA prompt they didn’t initiate - if you didn’t just try to log in, deny it and report it
- IT will never ask you to approve an MFA prompt via text, chat, or phone
- Report repeated unsolicited MFA notifications to IT immediately - they mean someone already has your password, and it needs to be changed
- Verify help desk requests through your manager before providing any authentication information
Step 5: Secure Your Help Desk
The help desk is often the weakest link:
- Require identity verification before resetting MFA or providing bypass codes
- Use callback verification to the phone number already on file in HR records, never to a number the caller supplies
- Log all MFA reset requests and review them regularly
- Implement time-limited bypass codes that expire quickly
MFA Is Still Essential
Despite these bypass techniques, the data is overwhelming: MFA stops the vast majority of attacks.
The 28% of users who have MFA enabled still get targeted, but the success rate for attackers drops dramatically. The goal isn’t to find a perfect solution - it’s to make your organization hard enough to break into that attackers move on.
Think of MFA like a deadbolt on your front door. A determined burglar with specialized tools can still get through. But most burglars will walk past your house and try the one with no deadbolt.
The Bottom Line
MFA is non-negotiable. But not all MFA is equal, and attackers are actively developing bypass techniques. The best defense is layered: strong MFA methods (hardware keys or push with number matching), conditional access policies, rate limiting, and trained employees who know that an unexpected MFA prompt is a red flag, not an inconvenience.
If you’re still using SMS-based MFA or basic push notifications without number matching, now is the time to upgrade.
Want to evaluate your MFA configuration and identify gaps? Contact us for a security assessment that covers authentication and access controls.