MFA is not enough: what your customers still don't know

MFA solves a real problem, but it leaves open the space where modern attacks operate: authenticated sessions, hijacked tokens, and anomalous behaviour.

Multi-factor authentication (MFA) is a baseline security control, with enterprise adoption estimated at around 70% (though with meaningful variation by sector and company size). Having a second authentication factor prevents a stolen credential from being trivially exploited — as long as the authentication channel itself is not captured by a third party.

That said, as with every other vector, attackers have adapted. MFA adoption has grown, but attacks have not declined. Techniques like adversary-in-the-middle (AiTM), push fatigue, and session hijacking bypass MFA without exploiting any protocol weakness — they exploit the trust logic that exists after authentication.

For service providers selling IT and security services, this gap is at once a risk for customers and an opportunity for technical differentiation.

## How MFA is bypassed in practice

The three vectors most used in active campaigns against companies and other organisations do not require the attacker to break MFA; they require the user to complete it legitimately.

Adversary-in-the-middle (AiTM)

The attacker places a reverse proxy (an intermediary that intercepts traffic between the user and the real service without either side noticing) between the user and the legitimate service (e.g. Microsoft 365).

The user authenticates normally, including the second factor. The proxy captures the already-authenticated session token (the temporary credential the browser stores to prove the session has been authenticated, so the user doesn't have to log in on every request) and, from that moment on, the attacker has access without needing credentials.

A simpler variant of this technique uses phishing to convince the user to enter their credentials, including the second-factor code, into a site that closely mimics one they use regularly, to the point that they cannot tell the two apart.

MFA push fatigue

The attacker sends dozens of consecutive push notifications until the user approves out of exhaustion or confusion. Without additional context (location, device, time of day), the system cannot distinguish a legitimate approval from one made out of fatigue.

SIM swapping and SMS interception

For organisations still using SMS as a second factor, the attack is more direct: the attacker uses social engineering to have the phone number transferred to a SIM card they control (a technique known as SIM swapping). From that point on, every verification SMS lands with the attacker.
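The AiTM and push-fatigue vectors above leave traces that MFA itself never sees. As an added example (not code from the original article), the following Python runs two checks over a constructed batch of sign-in events: a push-fatigue check that counts prompts issued shortly before an approval, and a session-binding check that flags a session id used from a different IP or user agent than the one that completed MFA. Event names, thresholds and the log layout are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in and MFA events for this example (not real logs).
# Fields: (timestamp, user, event, source_ip, user_agent, session_id)
EVENTS = [
    ("2024-05-06T08:00:00", "ana", "mfa_push_sent",     "203.0.113.10", "Chrome/124", None),
    ("2024-05-06T08:00:30", "ana", "mfa_push_sent",     "203.0.113.10", "Chrome/124", None),
    ("2024-05-06T08:01:00", "ana", "mfa_push_sent",     "203.0.113.10", "Chrome/124", None),
    ("2024-05-06T08:01:30", "ana", "mfa_push_sent",     "203.0.113.10", "Chrome/124", None),
    ("2024-05-06T08:02:00", "ana", "mfa_push_sent",     "203.0.113.10", "Chrome/124", None),
    ("2024-05-06T08:02:10", "ana", "mfa_push_approved", "203.0.113.10", "Chrome/124", "s1"),
    ("2024-05-06T09:00:00", "rui", "mfa_push_sent",     "198.51.100.7", "Edge/124",   None),
    ("2024-05-06T09:00:05", "rui", "mfa_push_approved", "198.51.100.7", "Edge/124",   "s2"),
    ("2024-05-06T09:30:00", "rui", "session_request",   "198.51.100.7", "Edge/124",   "s2"),
    ("2024-05-06T09:31:00", "rui", "session_request",   "192.0.2.55",   "curl/8.4",   "s2"),
]

PUSH_WINDOW = timedelta(minutes=10)   # assumed tuning values
PUSH_THRESHOLD = 5

def detect_push_fatigue(events, window=PUSH_WINDOW, threshold=PUSH_THRESHOLD):
    """Flag an approval preceded by `threshold` or more push prompts within
    `window`: the volume of prompts is the signal, not the approval itself."""
    sent = defaultdict(list)
    alerts = []
    for ts, user, ev, *_ in events:
        t = datetime.fromisoformat(ts)
        if ev == "mfa_push_sent":
            sent[user].append(t)
        elif ev == "mfa_push_approved":
            recent = [x for x in sent[user] if t - x <= window]
            if len(recent) >= threshold:
                alerts.append((user, len(recent)))
    return alerts

def detect_token_reuse(events):
    """Flag a session id used from a different IP or user agent than the
    pair that completed MFA: a token replayed through a proxy looks like this."""
    bound = {}
    alerts = []
    for _ts, user, ev, ip, ua, sid in events:
        if ev == "mfa_push_approved":
            bound[sid] = (ip, ua)           # bind the token to its origin
        elif ev == "session_request" and sid in bound and bound[sid] != (ip, ua):
            alerts.append((user, sid, ip))
    return alerts
```

Binding a session to its source IP alone produces false positives on mobile networks; pairing the IP with the user agent or a device identifier, as here, keeps the check useful.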

## The illusion of post-authentication security

When "authenticated" doesn't mean "legitimate"

MFA solves a specific problem: making sure that whoever knows the password also possesses the second factor. It does not solve what happens after authentication.

A hijacked session token is indistinguishable from a legitimate session to most access-control systems. The user is "inside" and has access. From there, the attacker can:

  • Exfiltrate emails and files from OneDrive or SharePoint;
  • Set up forwarding rules to external addresses;
  • Register a new MFA device for persistence;
  • Move laterally to other services authenticated by the same IdP (Identity Provider, the central service that manages an organisation's authentications).

The gap between compromise and detection makes the problem worse. According to IBM's 2024 Cost of a Data Breach Report, the average time to identify a breach is around 194 days. In SMEs, without continuous monitoring, that number tends to be even higher.

The sales pitch that's being misused

Many service providers sell MFA as a complete identity-control solution. That creates two problems:

  • The end customer is left with a false sense of coverage and security, believing MFA is the "magic box" that solves unauthorised access when in reality it is only the first line of defence;
  • When an incident occurs that bypassed MFA, the provider's credibility is damaged. The customer may feel they paid for protection that didn't work, without realising that the issue wasn't MFA itself but the absence of additional layers of control and monitoring.

The correct framing is different: MFA is an authentication layer, not an identity strategy. The distinction matters as much in the technical conversation as in the commercial one.

## The stack beyond MFA

What to implement to close the gap

A robust identity strategy combines MFA with controls that operate after authentication. The most relevant layers for an enterprise context include:

Continuous monitoring of data and password leaks. A service that proactively and continuously detects whether corporate credentials, email addresses, and associated passwords have been exposed in dark-web forums, breached databases, or public repositories. When a credential is identified as compromised, a response flow is triggered automatically, with notification to the user and follow-up on the leak.

Conditional access with rich context. Policies that evaluate, in real time, the device, location, time of day, and behaviour before authorising access — even for already-authenticated sessions. Platforms such as Microsoft Entra ID and Okta support these policies. The partner who configures and maintains them delivers ongoing value, not just the initial setup.

Device posture verification. Checks whether the device meets minimum requirements such as patch level, an active EDR (endpoint detection and response software, more advanced than a traditional antivirus), or full-disk encryption, before authorising access to critical resources. Unmanaged or non-compliant devices are isolated or redirected to stricter policies.

Post-authentication anomaly monitoring. Detecting behaviour outside the norm, such as access to abnormal volumes of files, forwarding rules created out of hours, or login followed by data exports. This layer operates where MFA does not reach.

Active session revocation. The ability to invalidate session tokens in real time when an anomaly is detected, without waiting for the token's natural expiration.
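The layers above come together as a policy that is re-evaluated while the session is live, not only at login. As an added example (not code from the original article or from any vendor's product), the following Python models that evaluation: device posture, location and time of day as context; the post-compromise actions listed earlier (forwarding rules, a new MFA device, bulk file access) as hard signals; and revocation as one of the outcomes. Field names, thresholds and the home-country list are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Device:
    managed: bool
    patched: bool
    edr_active: bool
    disk_encrypted: bool

@dataclass
class SessionContext:
    user: str
    country: str
    hour: int                        # local hour of the request, 0-23
    device: Device
    files_accessed_last_hour: int
    forwarding_rule_created: bool
    mfa_device_registered: bool

# Policy parameters: constructed for the example, tune per organisation.
HOME_COUNTRIES = {"PT"}
OFFICE_HOURS = range(7, 20)
BULK_ACCESS_THRESHOLD = 200

def device_compliant(d: Device) -> bool:
    """Minimum posture: managed, patched, EDR running, disk encrypted."""
    return d.managed and d.patched and d.edr_active and d.disk_encrypted

def evaluate(ctx: SessionContext):
    """Re-evaluate an already-authenticated session and return
    (decision, reasons). Decisions: allow, step_up (re-prompt MFA),
    restrict (limited access), revoke (invalidate the token now)."""
    hard = []   # signals that warrant revoking the session outright
    if ctx.forwarding_rule_created and ctx.hour not in OFFICE_HOURS:
        hard.append("forwarding rule created out of hours")
    if ctx.mfa_device_registered and ctx.country not in HOME_COUNTRIES:
        hard.append("MFA device registered from unusual country")
    if ctx.files_accessed_last_hour > BULK_ACCESS_THRESHOLD:
        hard.append("bulk file access")
    if hard:
        return "revoke", hard
    if not device_compliant(ctx.device):
        return "restrict", ["device not compliant"]
    soft = []   # context signals that justify a step-up, not a block
    if ctx.country not in HOME_COUNTRIES:
        soft.append("unusual country")
    if ctx.hour not in OFFICE_HOURS:
        soft.append("out of hours")
    return ("step_up", soft) if soft else ("allow", [])
```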

How to explain and position this with the end customer

The argument is not "the MFA we installed isn't enough." The argument is that the attack surface has expanded and identity control needs to follow that evolution. The conversation with the customer should anchor on two concrete points:

  • NIS2 requires, for in-scope organisations, risk-based access controls and incident response capabilities. Conditional Access and post-authentication monitoring map directly to these requirements. NIS2 also requires in-scope entities to ensure the security of their supply chain, which means security requirements don't stop at the regulated company's boundary. In practice, suppliers and partners that access systems, data, or infrastructure of a NIS2 entity are assessed and frequently bound by contract to demonstrate risk-based identity controls;
  • The cost of an incident that bypassed MFA is materially higher than the cost of implementing the additional layers. IBM's Cost of a Data Breach 2024 estimates an average global breach cost of around €4.2M (approx. $4.9M). For SMEs, the proportional impact is often existential, given their smaller resources.

## The role of continuous diagnostics

Detect before you remediate

The layers described above require continuous visibility into what is configured and what is happening. A one-off diagnostic, run once a year, won't catch a forwarding rule created three weeks ago or an unmanaged device that authenticated yesterday.

At CyberInspect we approach this problem with continuous cybersecurity testing of the organisation's external surface: analysis of ports and services exposed to the internet, detection of known vulnerabilities on externally accessible systems, and monitoring of compromised credentials on the dark web.

For the partner, this translates into a concrete capability: presenting the customer with an up-to-date picture of what is visible and exploitable from the outside — not an assessment that is months old and no longer practically relevant.

## Strategic security partners

MFA solves a real problem. But it leaves open the space where many modern attacks operate: the authenticated session, the hijacked token, the anomalous behaviour no authentication policy can catch.

Service providers who can articulate this distinction and put forward an offer that goes beyond the second factor position themselves as strategic security partners — not as tool installers.

One of the best ways to make end customers aware of identity-related risks is to continuously monitor whether the organisation's credentials show up in data leaks, something the CyberInspect ID Watch service does in a simple way and with high coverage.


Article originally published on cyberinspect.com and on itsecurity.pt.