Where Organizations Fall Short with MFA

Written by

Multi-factor authentication (MFA) is effectively non-negotiable in 2026. It's a key defense against account compromise, which is why MFA is almost universally recommended by security frameworks and required by many cyber insurance providers.

That confidence isn't misplaced, as MFA is highly effective at stopping automated attacks that rely on stolen or weak passwords. However, the threat landscape has evolved. An organization may check the MFA box for compliance purposes while still relying on authentication methods that attackers now know how to target.

The question for security leaders is no longer whether MFA is enabled. It's whether the type of MFA being used can withstand the attack techniques being deployed today.

Why Phishing and Fatigue-Resistant Factors Matter

The security industry increasingly favors phishing-resistant MFA when discussing truly secure implementations, as most MFA breaches don't involve breaking the authentication factor itself. Instead, attackers use phishing pages, adversary-in-the-middle tools, social engineering, or MFA fatigue techniques to trick users into approving a login or handing over credentials.

Phishing-resistant methods, such as FIDO2 security keys and passkeys, address these weaknesses by using cryptographic authentication tied to a legitimate website or application. Even if a user is directed to a convincing phishing page, the authentication attempt will fail because the credentials cannot be reused elsewhere.

This shift is also reflected in government guidance. CISA recommends phishing-resistant MFA as the preferred approach for protecting sensitive systems, while U.S. federal agencies are increasingly required to adopt phishing-resistant authentication methods as part of broader cybersecurity modernization efforts.

It’s here that solutions like Specops Secure Access help organizations implement strong, phishing-resistant authentication. By adding secure MFA to Windows Logon, Remote Desk Protocol and VPN connections, Specops Secure Access increases security across an organization’s workforce, wherever they are. It also includes SSO support for SaaS applications via OIDC and SAML, and allows users to authenticate with text messages, hardware tokens like Yubikey, or third-party providers like Microsoft Authenticator.

Specops Secure Access
Specops Secure Access

The MFA Security Hierarchy

While any form of MFA is generally preferable to relying on passwords alone, the security differences between authentication methods can be significant.

SMS-Based Codes

SMS authentication remains widely used because it's familiar and easy to deploy. However, from a security perspective, it's generally considered one of the weaker MFA options.

The most common concern is SIM swapping. In these attacks, criminals convince a mobile carrier to transfer a victim's phone number to a SIM card under their control. Once the transfer is complete, any authentication codes sent by SMS are delivered directly to the attacker.

SMS authentication is also vulnerable to other attack methods, including phishing attacks that capture codes in real time, malware on compromised devices, and weaknesses in legacy telecommunications infrastructure.

While SMS-based MFA raises the barrier for attackers, organizations should view it as a minimum standard rather than a long-term authentication strategy.

Push Notifications

Push-based authentication offers a smoother user experience than manually entering codes and is commonly used by platforms such as Microsoft Authenticator and Duo.

However, organizations need to be aware of MFA fatigue attacks, sometimes referred to as prompt bombing. If an attacker has already obtained an account password, they can repeatedly trigger authentication requests in the hope that the user eventually approves one.

In several high-profile breaches, including incidents involving Uber and Cisco, attackers successfully gained access after overwhelming a target account with repeated approval requests.

The risk is highest when push notifications require nothing more than tapping "Approve." Implementations that use number matching or additional verification steps provide significantly stronger protection by requiring users to actively confirm the login attempt.

For organizations using push notifications, enabling these additional safeguards is an important step in reducing the effectiveness of MFA fatigue attacks.

Time-Based One-time Passwords (TOTP)

Authenticator apps that generate rotating numeric codes, such as Google Authenticator and Microsoft Authenticator in TOTP mode, provide a stronger alternative to both SMS and basic push notifications.

Because the codes are generated locally on the device, they aren't dependent on mobile networks and can't be compromised through SIM-swapping attacks. The short validity period also limits the time available for attackers to use a stolen code.

TOTP is not completely resistant to phishing. Attackers can create convincing fake login pages that capture both passwords and authentication codes before relaying them to the legitimate service. If done quickly enough, the attacker may still be able to authenticate successfully.

Even with this limitation, TOTP remains a practical and effective option for many organizations. It is widely supported, relatively easy for users to adopt, and provides a meaningful security improvement over older MFA methods.

Hardware Security Keys

Security keys based on FIDO2 and WebAuthn standards provide the strongest level of protection currently available for most organizations.

Unlike code-based authentication methods, security keys are physical devices, like YubiKeys, and use cryptographic authentication tied to specific domains. If a user is directed to a phishing site, the key will not authenticate because the domain does not match the legitimate service.

This approach effectively protects against many of the attacks that continue to bypass traditional MFA, including phishing, adversary-in-the-middle attacks, and MFA fatigue techniques.

The primary challenges are operational rather than technical. Organizations must purchase and distribute physical keys, manage replacement processes, and ensure users have access to backup authentication methods if a key is lost or unavailable.

Despite these considerations, security keys are widely regarded as the most effective option for organizations looking to implement phishing-resistant MFA.

Secure Your Accounts with Specops

With Specops Secure Access, you can increase your organization’s defenses against Active Directory password attacks, as well as fulfill compliance and cybersecurity insurance requirements. If you’re interested in seeing how Specops Secure Access could work in your environment, contact us today or book a demo.

What’s Hot on Infosecurity Magazine?