Jan 20, 2026

Just 18 months ago, MFA (Multi-Factor Authentication) bypass rates were below 1%. Today, those rates have climbed into double digits, according to Dr. Torsten George, Cybersecurity Evangelist at ID Dataweb.
Microsoft still reports that MFA blocks 99.9% of automated attacks, and that figure holds up. But 28% of users who have MFA enabled are still being successfully attacked through SIM-jacking, MFA hammering (prompt bombing), and adversary-in-the-middle phishing, according to JumpCloud. The gap between "MFA stops bots" and "MFA users still get compromised" tells you how attackers adapted.
What changed in 18 months
Attackers increasingly log in rather than break in, George explained in a recent webcast. The mental image of hackers exploiting software vulnerabilities belongs to a different era. Modern attacks focus on stealing credentials, hijacking sessions, and exploiting the human elements that MFA can't protect.
Three forces converged to make this shift possible:
AI-powered phishing removed the obvious tells. Convincing, well-written phishing emails are now trivial to generate, so the poor grammar and clumsy formatting defenders once relied on are gone. What replaced them reads like legitimate corporate communication because the models were trained on millions of such messages.
SIM swapping industrialized. SIM-swap attacks rose almost 400% year over year (ESET). Attackers no longer need technical skill. They need $300 to bribe a carrier employee, or a social-engineering script good enough to convince customer service they're you. Once they control your phone number, every SMS code flows to them.
Session hijacking matured beyond MFA. Even hardware security keys and passkeys can be worked around, not by defeating the cryptography but by stealing the session token issued after a successful login, or by getting the factor reset. Help desk social engineering, which groups like Scattered Spider used to impersonate executives and pressure staff into resetting MFA under urgent pretenses, shows that the weakest link moved past the authentication mechanism itself.
The result: prompt bombing attacks represented 14% of social engineering incidents in 2024. These aren't sophisticated technical exploits. They're attackers flooding you with authentication requests until you approve one just to make it stop.
The attack that works when MFA doesn't
The Uber breach crystallized the new playbook. An attacker bought a contractor's VPN credentials on the dark web, then bombarded them with MFA push notifications. After the contractor initially resisted, the attacker posed as tech support, persuading the contractor to accept the MFA prompt and grant unauthorized access.
No encryption broken. No vulnerability exploited. Just patience and psychology.
Adrian Sanabria noted that nearly every breach he has analyzed in recent years involved some form of credential abuse. Even when a software exploit is used, attackers almost always pivot to identities afterward. MFA was built to verify you control a device or know a secret. It was never designed to verify you're authorized to use that device or that the session following authentication remains legitimate.
A successful login can no longer be assumed to be legitimate, Sanabria explained. An attack looks like a normal authentication event in the logs.
Why every MFA type has a bypass
Knowledge-based authentication? Questions such as which high school you attended can often easily be answered by looking at a target's social-media accounts.
SMS codes? With tens of millions of phone numbers reassigned each year, attackers can inherit MFA backup numbers tied to old employee accounts. SIM swapping handles the rest.
Email one-time passcodes? Intercepted the moment your email account gets compromised through the same credential theft that triggered the MFA request.
Push notifications? Prompt bombing exploits notification fatigue. Send enough requests and eventually someone approves one.
Hardware keys and passkeys (the current gold standard)? Phishing-resistant and immune to prompt bombing, but the session token issued after a successful authentication can still be stolen, and help desk social engineering can get the key removed from the account and replaced entirely.
The technical solutions keep improving. The human element keeps breaking.
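The push-notification and Uber cases above share one signature in the identity provider's logs: a burst of denied or expired push challenges for a single user, followed by an approval. The following detection is an added example, not code from the article or from any IdP named in it; the log line format, the sample events, the 15-minute window and the thresholds are all constructed assumptions for illustration.

```python
"""Detect MFA push fatigue (prompt bombing) in authentication logs.

Added example. Log format: "<ISO-8601 ts> <user> <push_result> <source_ip>",
which is an assumption; map your IdP's export onto it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). alice.c is bombed for several
# minutes, gives up and approves; bob.k shows normal use with one mis-tap.
SAMPLE_LOG = """\
2026-01-20T02:11:03Z alice.c push_denied 198.51.100.7
2026-01-20T02:11:41Z alice.c push_denied 198.51.100.7
2026-01-20T02:12:15Z alice.c push_timeout 198.51.100.7
2026-01-20T02:12:50Z alice.c push_denied 198.51.100.7
2026-01-20T02:13:30Z alice.c push_denied 198.51.100.7
2026-01-20T02:14:02Z alice.c push_denied 198.51.100.7
2026-01-20T02:21:19Z alice.c push_approved 198.51.100.7
2026-01-20T08:00:05Z bob.k push_approved 203.0.113.10
2026-01-20T08:30:12Z bob.k push_denied 203.0.113.10
2026-01-20T08:31:00Z bob.k push_approved 203.0.113.10
"""

WINDOW = timedelta(minutes=15)  # look-back before each approval (assumed)
MAX_CHALLENGES = 5              # more pushes than this in WINDOW is suspicious
MAX_REJECTS = 3                 # this many denials/timeouts before an approval -> alert
REJECT_RESULTS = {"push_denied", "push_timeout"}


def parse(log: str):
    """Parse log lines into (timestamp, user, result, ip) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, result, ip))
    events.sort()
    return events


def find_prompt_bombing(log: str):
    """Return one alert per approval that followed a burst of rejected pushes.

    An approval is flagged when, within WINDOW before it, the same user either
    received more than MAX_CHALLENGES pushes in total or rejected at least
    MAX_REJECTS of them. A single mis-tap followed by an approval is not flagged.
    """
    by_user = defaultdict(list)
    for ev in parse(log):
        by_user[ev[1]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        for i, (ts, _, result, ip) in enumerate(evs):
            if result != "push_approved":
                continue
            prior = [e for e in evs[:i] if ts - e[0] <= WINDOW]
            rejects = sum(1 for e in prior if e[2] in REJECT_RESULTS)
            pushes = len(prior) + 1  # include the approval itself
            if pushes > MAX_CHALLENGES or rejects >= MAX_REJECTS:
                alerts.append({
                    "user": user,
                    "approved_at": ts.isoformat(),
                    "rejects_before": rejects,
                    "pushes_in_window": pushes,
                    "ip": ip,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_prompt_bombing(SAMPLE_LOG):
        print("ALERT push fatigue:", alert)
```

The flagged approval is exactly the event that looks like a clean login everywhere else; the response worth wiring to this alert is to treat the resulting session as untrusted (revoke it and re-verify out of band), not merely to notify the user who just approved it. Number-matching push prompts reduce the false-approval rate but do not change what this query looks for.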
What defense looks like now
George explained that identity threat detection goes beyond traditional identity and access management by monitoring user behavior across the organization, correlating activity, detecting anomalies, and responding dynamically based on risk.
The shift is from "did they successfully authenticate?" to "does their behavior after authentication make sense?"
Practical implementations include:
App-based authenticators (Google Authenticator, Authy) that generate codes locally, removing the SMS channel, and with it SIM swapping, entirely. The codes themselves can still be relayed by an adversary-in-the-middle phishing page, so this is a step up rather than a fix.
Hardware security keys (YubiKey, FIDO2) that require physical possession and bind the credential to the site's origin, so a phished or relayed login fails. They do not protect the session token issued afterward, which is why monitoring after authentication still matters.
Behavioral analytics that flag anomalies: a login from a new device in a different country, access patterns that don't match the user's normal behavior, lateral movement that suggests an attacker exploring the network.
Risk-based authentication that adds friction only when something looks wrong. Your usual device from your usual location? Minimal verification. High-risk action like a wire transfer or profile change? Additional checks required.
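The behavioral-analytics and risk-based-authentication items above come down to one decision function: combine signals about the device, the location, the distance from the previous login and the sensitivity of the requested action into a score, then allow, step up, or deny. The following is an added example written for this article, not code from the article or from any product it mentions; the signals, weights, thresholds, the 900 km/h travel limit and the sample user profile are all assumptions chosen for illustration.

```python
"""Risk-based step-up decision combining post-login behavioral signals.

Added example. Weights and thresholds are assumptions; tune them against
your own authentication telemetry.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass
class LoginContext:
    user: str
    device_id: str
    country: str
    lat: float
    lon: float
    at: datetime
    action: str          # e.g. "read", "profile_change", "wire_transfer"


@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    last_login: Optional[LoginContext] = None


# Assumed weights: how much each signal raises the risk score.
W_NEW_DEVICE = 30
W_UNUSUAL_COUNTRY = 25
W_IMPOSSIBLE_TRAVEL = 40
SENSITIVE_ACTIONS = {"wire_transfer": 40, "profile_change": 25, "mfa_reset": 50}

MAX_PLAUSIBLE_KMH = 900   # faster than an airliner between two logins = impossible travel
MIN_TRAVEL_KM = 50        # ignore geo-IP jitter inside one metro area

STEP_UP_AT = 40           # score at which extra verification is required
DENY_AT = 80              # score at which the action is refused outright


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def risk_score(ctx: LoginContext, profile: UserProfile):
    """Return (score, reasons) for a login/action in the context of a user's history."""
    score, reasons = 0, []
    if ctx.device_id not in profile.known_devices:
        score += W_NEW_DEVICE
        reasons.append("new_device")
    if ctx.country not in profile.usual_countries:
        score += W_UNUSUAL_COUNTRY
        reasons.append("unusual_country")
    prev = profile.last_login
    if prev is not None:
        km = haversine_km(prev.lat, prev.lon, ctx.lat, ctx.lon)
        hours = (ctx.at - prev.at).total_seconds() / 3600
        # Two far-apart logins closer in time than any real trip allows.
        if km > MIN_TRAVEL_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
            score += W_IMPOSSIBLE_TRAVEL
            reasons.append("impossible_travel")
    weight = SENSITIVE_ACTIONS.get(ctx.action, 0)
    if weight:
        score += weight
        reasons.append(f"sensitive_action:{ctx.action}")
    return score, reasons


def decide(ctx: LoginContext, profile: UserProfile):
    """Map the risk score to allow / step_up / deny."""
    score, reasons = risk_score(ctx, profile)
    if score >= DENY_AT:
        return "deny", score, reasons
    if score >= STEP_UP_AT:
        return "step_up", score, reasons
    return "allow", score, reasons


# Constructed profile: alice normally works from one laptop in New York.
T0 = datetime(2026, 1, 20, 8, 0, tzinfo=timezone.utc)
ALICE = UserProfile(
    known_devices={"dev-a1"},
    usual_countries={"US"},
    last_login=LoginContext("alice", "dev-a1", "US", 40.71, -74.01, T0, "read"),
)
USUAL_READ = LoginContext("alice", "dev-a1", "US", 40.71, -74.01, T0 + timedelta(hours=1), "read")
USUAL_WIRE = LoginContext("alice", "dev-a1", "US", 40.71, -74.01, T0 + timedelta(hours=1), "wire_transfer")
# Same account, unknown device, Moscow, ninety minutes after the New York login.
STOLEN_SESSION = LoginContext("alice", "dev-x9", "RU", 55.76, 37.62, T0 + timedelta(hours=1.5), "read")

if __name__ == "__main__":
    for ctx in (USUAL_READ, USUAL_WIRE, STOLEN_SESSION):
        print(ctx.device_id, ctx.country, ctx.action, "->", decide(ctx, ALICE))
```

The third scenario is what a stolen session token looks like when it is replayed: the attacker never authenticates, so "did they pass MFA" is true, yet the device, country and travel signals all fire and the action is refused. The same function can be called on every sensitive request, not only at login, which is the point of evaluating behavior after authentication.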
George emphasized that defenders must assume individual controls will fail and design layered, resilient systems. No single solution holds up under pressure. Defense requires assuming breach and building visibility into what happens after authentication succeeds.
The verification gap MFA can't close
Even the strongest MFA implementation addresses only half the problem. It verifies you control a device or possess a secret. It does nothing about whether you're a unique human who hasn't been banned before, or whether you're operating multiple accounts to manipulate systems.
This is where authentication diverges from verification. MFA answers "Is this login attempt from the authorized user?" It can't touch "Is this account operated by a unique human who hasn't violated our rules?"
Platforms need both. MFA secures the login. Human verification proves uniqueness and prevents the abuse patterns that credential-based authentication was never designed to catch: ban evasion, multi-accounting, coordinated manipulation.
The solution requires cryptographic proof of unique humanness scoped per platform. You verify once using biometric authentication. The proof travels with you across logins without revealing who you are. When you verify on Reddit, you prove you're a unique human on Reddit. Reddit knows you can't create multiple accounts to evade bans, but Reddit can't tell if you're the same verified person on Twitter.
Bans stick because evaders can't spin up new accounts. Communities can grant privileges to verified users (immediate posting access, voting rights, marketplace permissions) while unverified users participate at lower-stakes levels.
This complements strong MFA rather than replacing it. MFA secures access control. Human verification proves uniqueness and enables consequences. Together they address both the login problem and the identity problem.
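The scoping property described above (one stable identifier per human per platform, with no way to link the identifiers across platforms) is what a per-platform nullifier gives you. The following is an added example written for this article, not code from the article or from any verification provider. It models only the scoping and the ban-persistence logic: in a deployed system the user proves in zero knowledge that their secret belongs to the registry of verified humans; here the user simply presents the nullifier, which is an assumption made for illustration, and `user_secret`, the platform names and the account names are constructed.

```python
"""Per-platform scoped nullifiers: one verified human, one account per platform,
no linkability across platforms.

Added example. The membership proof (that the secret belongs to a verified
human) is assumed to have been checked out of band; only the scoping is shown.
"""
import hashlib
import hmac


def scoped_nullifier(user_secret: bytes, platform_id: str) -> str:
    """Derive the identifier a user presents to one platform.

    A keyed hash over the platform name: the same (secret, platform) pair always
    gives the same value, so a second registration on that platform collides;
    without the secret, values for different platforms cannot be linked or
    inverted back to the person.
    """
    return hmac.new(user_secret, platform_id.encode(), hashlib.sha256).hexdigest()


class Platform:
    """Platform-side bookkeeping: which nullifiers hold accounts and which are banned."""

    def __init__(self, platform_id: str):
        self.id = platform_id
        self.accounts = {}   # nullifier -> account name
        self.banned = set()  # nullifiers whose account was banned

    def register(self, nullifier: str, account_name: str) -> str:
        if nullifier in self.banned:
            return "rejected: this human is banned"
        if nullifier in self.accounts:
            return f"rejected: already registered as {self.accounts[nullifier]}"
        self.accounts[nullifier] = account_name
        return "ok"

    def ban(self, account_name: str) -> None:
        """Ban the human behind an account, not just the account name."""
        target = next(n for n, a in self.accounts.items() if a == account_name)
        del self.accounts[target]
        self.banned.add(target)


def run_scenario(user_secret: bytes) -> dict:
    """Walk one verified human through registration, ban, evasion and a second platform."""
    reddit, twitter = Platform("reddit"), Platform("twitter")
    n_reddit = scoped_nullifier(user_secret, reddit.id)
    n_twitter = scoped_nullifier(user_secret, twitter.id)

    first = reddit.register(n_reddit, "u/first")
    duplicate = reddit.register(n_reddit, "u/alt")          # multi-accounting
    reddit.ban("u/first")
    evasion = reddit.register(n_reddit, "u/fresh_start")    # ban evasion
    other_platform = twitter.register(n_twitter, "@first")  # unaffected elsewhere

    return {
        "first": first,
        "duplicate": duplicate,
        "evasion": evasion,
        "other_platform": other_platform,
        # Reddit and Twitter hold different strings for the same human.
        "linkable": n_reddit == n_twitter,
    }


if __name__ == "__main__":
    # Constructed secret; a real one is generated on the user's device and never leaves it.
    for k, v in run_scenario(b"\x01" * 32).items():
        print(f"{k}: {v}")
```

Two details carry the security argument. The platform stores only nullifiers, so a database breach at Reddit yields nothing that identifies the person or matches anything Twitter holds. And the ban attaches to the nullifier rather than the account, which is why a fresh account from the same human is refused while the same human remains free to register elsewhere.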
MFA still works. It's just not enough.
The double-digit bypass rate isn't evidence that MFA failed. It's evidence that attackers stopped attacking MFA directly. They attack the humans using it, the sessions following it, and the assumptions platforms make about what authentication proves.
George urged organizations to reassess their identity strategies now, not later, emphasizing that with attackers adapting rapidly, static authentication controls can't keep pace.
MFA remains essential. Accounts without it get compromised constantly. But the assumption that MFA solves the identity problem has been obsolete for 18 months. We spent two decades building better authentication. Now we need to build better verification.