Tags: MFA, Phishing, Identity Security, Microsoft 365

MFA Is Not Enough: Why You Need Phishing-Resistant Authentication

SMS codes and authenticator push notifications can be bypassed. Phishing-resistant MFA methods like passkeys and FIDO2 keys close the gap that traditional MFA leaves open.

Stefan Stoll · 3 min read

Multi-factor authentication is the most impactful single security measure any organization can deploy. That statement remains true. But it comes with a critical caveat: not all MFA methods are equal, and the most common ones are vulnerable to attacks that are now industrialized and widely available.

How Attackers Bypass Traditional MFA

The attack is called adversary-in-the-middle (AiTM) phishing. It works like this:

  1. The victim receives a convincing phishing email with a link to what appears to be the Microsoft 365 sign-in page
  2. The phishing page proxies the real Microsoft sign-in page in real time
  3. The victim enters their username, password, and MFA code — all of which pass through to Microsoft's real servers
  4. Microsoft validates the credentials and returns a session token
  5. The attacker captures the session token and uses it to access the victim's account

The victim completes authentication successfully and sees their normal inbox. They have no reason to suspect anything. Meanwhile, the attacker has a valid session token that bypasses all further MFA prompts.

This is not theoretical. AiTM phishing kits like EvilGinx are freely available. Microsoft's own Threat Intelligence team reported a campaign in 2023 that targeted over 10,000 organizations using exactly this technique.

Why SMS and Push Notifications Fail

SMS codes are the weakest MFA factor. They can be intercepted through SIM swapping, SS7 protocol exploitation, or simply read over the victim's shoulder. They are also fully vulnerable to AiTM attacks.

Authenticator push notifications are better but still vulnerable. MFA fatigue attacks — where the attacker repeatedly triggers push notifications until the exhausted user approves one — led to the Uber breach in 2022. Number matching (requiring the user to enter a number shown on the sign-in screen) reduces this risk but does not eliminate AiTM attacks.

TOTP codes (the six-digit rotating codes from authenticator apps) are vulnerable to the same AiTM proxy attack as SMS codes. The user enters the code on the fake page, it passes to the real server, and the session token is captured.

What Phishing-Resistant Means

Phishing-resistant authentication methods are cryptographically bound to the legitimate server. They cannot be proxied because the signed authentication response includes the domain the browser is actually connected to, and the credential itself is scoped to the legitimate domain. If the user is on a phishing site, the authentication simply fails — there is nothing for the attacker to intercept.

Two methods qualify:

FIDO2 Security Keys

Physical hardware keys (YubiKey, Feitian, Google Titan) that authenticate via USB or NFC. The key performs a cryptographic handshake with the server that includes the origin domain. A phishing proxy cannot replicate this handshake because the domain does not match.

Cost: approximately 25–50 EUR per key. For an organization of 50 people, this is a 2,500 EUR one-time investment that eliminates the most common attack vector for account compromise.

Passkeys (Device-Bound)

Passkeys use the same FIDO2 protocol but store the credential in the device's secure enclave (TPM on Windows, Secure Enclave on Apple devices) rather than on a separate hardware key. They authenticate via biometrics (fingerprint, face recognition) and are equally resistant to phishing.

Microsoft Entra ID supports passkeys natively. Deployment requires no additional infrastructure — only Conditional Access policies that enforce phishing-resistant methods.

The Deployment Path

You do not need to replace all MFA at once. A phased approach:

  1. Admins first — require phishing-resistant MFA for all privileged accounts immediately. This is your highest-risk population.
  2. Register all users for passkeys — run a registration campaign. Most modern laptops and phones support passkeys natively.
  3. Enforce via Conditional Access — create a policy requiring authentication strength "Phishing-resistant MFA" for all users accessing sensitive applications.
  4. Phase out SMS — disable SMS as an MFA method once all users have registered phishing-resistant alternatives.
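Step 3 in Microsoft Entra ID is a Conditional Access policy whose grant control is the built-in authentication strength "Phishing-resistant MFA". The following request body is an added example for the Microsoft Graph `conditionalAccessPolicy` resource, not a policy taken from the article; the group and application ids are placeholders you replace with your own, and the policy is created in report-only mode so sign-in logs show who would be blocked before anyone is.

```json
{
  "displayName": "Require phishing-resistant MFA for sensitive applications (example)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeGroups": ["<break-glass-account-group-id>"]
    },
    "applications": {
      "includeApplications": ["<sensitive-application-id>"]
    },
    "clientAppTypes": ["all"]
  },
  "grantControls": {
    "operator": "OR",
    "authenticationStrength": {
      "id": "00000000-0000-0000-0000-000000000004"
    }
  }
}
```

The id `00000000-0000-0000-0000-000000000004` is the built-in "Phishing-resistant MFA" strength, which admits FIDO2 security keys, device-bound passkeys, certificate-based authentication and Windows Hello for Business and rejects SMS, TOTP and push. Switch `state` to `enabled` only after the report-only results show that the users in scope have registered a qualifying method, and keep the break-glass exclusion so a registration gap cannot lock administrators out.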

The Business Argument

The average cost of a business email compromise attack is 125,000 EUR for SMEs. A set of FIDO2 keys for your entire organization costs less than 3,000 EUR. The ROI calculation is not close.

More importantly: cyber insurance providers are increasingly asking whether organizations use phishing-resistant MFA. Those that do may qualify for reduced premiums. Those that do not may face exclusions for phishing-related claims.

Book a security consultation to plan your migration to phishing-resistant authentication.


About the Author

Stefan Stoll

Cloud Security Consultant specializing in Microsoft 365 security, NIS2 compliance, and Zero Trust architecture for German enterprises.
