21 February 2026

MFA-Bypass 2026: Why Your Second Factor No Longer Protects You


59 percent of successfully compromised corporate accounts had multi-factor authentication (MFA) enabled. The reason: Adversary-in-the-Middle attacks (AiTM) and session token theft render the second factor ineffective. Microsoft reports 40,000 recognized AiTM incidents daily. SMS-based MFA is now considered insecure by the BSI (Federal Office for Information Security) and CISA. The solution is phishing-resistant authentication with FIDO2, passkeys, and hardware security keys.

TL;DR

  • 🔒 59 percent of compromised accounts had MFA activated (Proofpoint 2026).
  • ⚠️ AiTM attacks increased by 146 percent in 2025. Microsoft identifies 40,000 incidents daily.
  • 🛡️ SMS-based MFA is considered insecure by the BSI and CISA. SIM swapping and SS7 exploits allow codes to be intercepted.
  • 📊 Token theft became the primary attack method against Microsoft 365 in 2025 (31 percent of all breaches, Microsoft).
  • 🔧 FIDO2 security keys and passkeys are cryptographically bound to the domain and immune to phishing and token theft.

146 %: Increase in Adversary-in-the-Middle attacks on corporate accounts in 2025 (Source: Microsoft Entra ID Security Report, 2025)

How AiTM Attacks Bypass MFA

Adversary-in-the-Middle attacks work like an invisible proxy between the user and the authentication server. The attacker relays the real login page through their own server in real time. The user enters their credentials and the MFA code, the attacker captures both, and the attacker receives the session token the server issues. From the server's perspective, the login was legitimate.

Frameworks like EvilGinx2 and Modlishka have automated these attacks. An attacker no longer needs deep technical expertise. They purchase a phishing kit for a few hundred dollars, register a deceptively similar domain, and wait for victims. The stolen session tokens are immediately usable and often valid for hours or days.

Identity-based attacks exploit this vector. According to Microsoft, token theft attacks were responsible for 31 percent of all breaches in Microsoft 365 environments in 2025. The trend is increasing as more companies enable MFA and attackers adapt.

“Token-Based Attacks completely bypass MFA because they do not attack the authentication but the session afterward. The attacker takes over an already authenticated session.”
Obsidian Security, Token-Based Attack Research 2025

Why SMS-MFA Is No Longer Sufficient

SMS as a second factor has three fundamental weaknesses. First: SIM swapping. An attacker convinces the mobile carrier to transfer the phone number to a new SIM card. Second: SS7 vulnerabilities. The signaling protocol of mobile networks allows SMS to be intercepted under certain conditions. Third: AiTM proxies capture the SMS code in real time as the user enters it, so the code is used before it expires.

The BSI has recommended switching to phishing-resistant authentication methods since 2024. The CISA (U.S. counterpart to the BSI) also classifies SMS-MFA as “not phishing-resistant” and recommends FIDO2-based solutions.

Comparing Phishing-Resistant Alternatives

FIDO2/WebAuthn Security Keys (e.g., YubiKey, Google Titan): The safest option. The key is cryptographically bound to the domain. Even if a user falls for a phishing site, the key cannot authenticate for the wrong domain. Downside: Costs (starting at $25 per key) and logistics for large teams.

Passkeys (FIDO2 on the device): Smartphones or laptops replace the hardware key. Biometric authentication (fingerprint, Face ID) replaces the PIN. Domain binding like hardware keys. Advantage: No additional hardware. Downside: Dependence on the device manufacturer (Apple, Google, Microsoft).
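The domain binding described for security keys and passkeys is enforced on the server side. The following added example (not code from the article or any vendor) shows the relying-party checks that reject an assertion produced on a phishing domain; the RP ID, origin and challenge are assumed values, and signature verification and credential lookup are left out.

```python
# Added example, not code from the article. Relying-party (RP) checks that make a
# FIDO2/WebAuthn assertion useless when it was produced for a phishing domain.
# Signature verification and credential lookup are omitted; all values constructed.
import base64
import hashlib
import json

RP_ID = "example.com"                             # assumed relying party ID
ALLOWED_ORIGINS = {"https://login.example.com"}   # assumed legitimate origin
CHALLENGE = b"constructed-random-challenge-32b"   # a real RP uses os.urandom(32)

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_binding(auth_data: bytes, client_data_json: bytes, challenge: bytes) -> tuple:
    """Check rpIdHash, ceremony type, origin and challenge of an assertion."""
    # authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4) | ...
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match relying party ID"
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed"
    if b64url_decode(cd.get("challenge", "")) != challenge:
        return False, "challenge mismatch"
    return True, "ok"

def make_auth_data(rp_id: str, flags: int = 0x01, count: int = 7) -> bytes:
    """authenticatorData as the browser would hand it to the RP for rp_id."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + count.to_bytes(4, "big")

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON; the browser, not the web page, fills in the origin."""
    b64 = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "origin": origin, "challenge": b64}).encode()

def demo() -> tuple:
    legit = verify_binding(make_auth_data(RP_ID),
                           make_client_data("https://login.example.com", CHALLENGE), CHALLENGE)
    # Through an AiTM proxy the browser sits on the attacker's origin, so the
    # ceremony is scoped to that domain (the authenticator normally refuses, as the
    # credential belongs to example.com); even a forced response carries the wrong
    # rpIdHash and origin and is rejected by the RP.
    phished = verify_binding(make_auth_data("login-example.test"),
                             make_client_data("https://login-example.test", CHALLENGE), CHALLENGE)
    return legit, phished
```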

Authenticator Apps with Number Matching (e.g., Microsoft Authenticator): Not complete phishing protection, but much better than SMS. Number Matching forces the user to enter a number from the screen into the app. AiTM attacks are made more difficult but not impossible.

Certificate-Based Authentication: Client certificates on managed devices. Very secure but complex to manage. Suitable for highly sensitive environments like KRITIS operators and authorities.

Practical Checklist: Implementing Phishing-Resistant MFA

1. Inventory: Which MFA methods are currently in use? How many users still use SMS or voice MFA? Microsoft Entra ID and Google Workspace offer reports on this.

2. Define Pilot Group: IT admins and executives first. These accounts are the most valuable targets and should be migrated to FIDO2 or passkeys first.

3. Configure Conditional Access: In Microsoft Entra ID, conditional access policies can enforce phishing-resistant MFA for specific resources (Authentication Strength: Phishing-resistant MFA).

4. Plan Fallback Options: What happens if a key is lost? Register at least two security keys per user. Configure temporary access passes (TAP) as an emergency option.

5. Gradually Disable SMS-MFA: Do not disable it overnight. First block SMS for new registrations via policy, then migrate existing users by a fixed deadline. Microsoft offers “Authentication Methods Migration” reports for this.

31 %: Of all breaches in M365 environments are due to token theft (Source: Microsoft, 2025)

Frequently Asked Questions

Is an authenticator app sufficient for MFA?

Authenticator apps with number matching are much safer than SMS but not completely phishing-resistant. AiTM attacks can intercept the input in real-time. For high-risk accounts (admins, executives, access to sensitive data), the BSI and CISA recommend FIDO2-based solutions.

How much does switching to FIDO2 security keys cost?

Hardware keys like YubiKey cost from $25 each. For a 100-person company with two keys per user (primary and backup key), the cost is around $5,000. Setup is natively supported in Microsoft Entra ID and Google Workspace and does not require additional infrastructure.

Can passkeys replace hardware keys?

For most companies, yes. Passkeys offer the same cryptographic security as FIDO2 keys but use the existing device (smartphone, laptop) instead of separate hardware. The trade-off: Passkeys are tied to the device and its ecosystem (Apple, Google, Microsoft). In case of device loss, a recovery process must be in place.

What is conditional access and why is it crucial for MFA security?

Conditional Access is a policy framework in Microsoft Entra ID (and similar systems) that enforces context-dependent access rules. A company can specify: Admins must use FIDO2, external access requires a managed device, token sessions are terminated after 4 hours. Without conditional access, MFA remains a checkbox rather than a strategy.

How do I detect AiTM attacks on my company?

Microsoft Entra ID shows suspicious sign-ins under “Risky Sign-Ins” with the risk details type “Anomalous Token.” Additionally, impossible travel alerts (login from two countries within an impossible timeframe) and session token usage from unknown IP addresses help.
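Two of the signals named above, impossible travel and a session token used from an IP other than the one it was issued to, can be checked with a few lines of logic. The following added example (not code from the article or from Microsoft) runs over constructed sign-in events; the field names and the 1,000 km/h threshold are assumptions, and real Entra ID sign-in logs use a different schema.

```python
# Added example, not code from the article: a minimal detector for two AiTM
# indicators (impossible travel, session token reused from another IP) run over
# constructed sign-in events. Field names are made up; Entra ID logs differ.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 1000.0  # faster than an airliner counts as impossible travel

# Constructed events: alice's session S1 is issued in Berlin and reused from an
# unknown IP in Lagos 14 minutes later; bob is a benign control case.
EVENTS = [
    {"ts": "2026-02-20T08:00:00", "user": "alice", "ip": "203.0.113.10", "country": "DE",
     "lat": 52.52, "lon": 13.40, "session": "S1", "kind": "interactive_signin"},
    {"ts": "2026-02-20T08:14:00", "user": "alice", "ip": "198.51.100.7", "country": "NG",
     "lat": 6.45, "lon": 3.39, "session": "S1", "kind": "token_refresh"},
    {"ts": "2026-02-20T08:05:00", "user": "bob", "ip": "203.0.113.22", "country": "DE",
     "lat": 48.14, "lon": 11.58, "session": "S2", "kind": "interactive_signin"},
    {"ts": "2026-02-20T09:05:00", "user": "bob", "ip": "203.0.113.22", "country": "DE",
     "lat": 48.14, "lon": 11.58, "session": "S2", "kind": "token_refresh"},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect(events):
    """Return (rule, user, detail) alerts; events may arrive unsorted."""
    alerts, last_seen, session_ip = [], {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):
        user, t = e["user"], datetime.fromisoformat(e["ts"])
        prev = last_seen.get(user)
        if prev:
            hours = (t - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            if hours > 0 and km / hours > MAX_KMH:
                alerts.append(("impossible_travel", user,
                               f"{prev['country']}->{e['country']} {km:.0f} km in {hours*60:.0f} min"))
        # A token belongs to the sign-in that minted it: use from another IP
        # without a new interactive sign-in is the token-theft tell.
        if e["kind"] == "interactive_signin":
            session_ip[e["session"]] = e["ip"]
        elif session_ip.get(e["session"], e["ip"]) != e["ip"]:
            alerts.append(("session_ip_change", user,
                           f"session {e['session']} minted at {session_ip[e['session']]}, used from {e['ip']}"))
        last_seen[user] = e
    return alerts
```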




About the author: Tobias Massow


A magazine by Evernine Media GmbH