
Multi-factor authentication is widely considered a gold standard in access control. Organisations deploy it, tick the compliance box, and move on. But MFA bypass is now a documented, repeatable attack technique and it happens far more often than security teams realise.
Understanding why MFA fails starts with understanding how attackers approach it. They are not trying to break the cryptographic layer. They are exploiting human behaviour, session management, and implementation flaws.
The Most Common MFA Bypass Methods
Adversary-in-the-middle (AiTM) phishing is one of the most reliable techniques in use today. Tools like Evilginx2 sit between the victim and the real login page as a reverse proxy on a lookalike domain: the victim enters a password and completes the second factor against the genuine service, and the proxy captures both the credentials and the session cookie the service issues afterwards. The attacker imports that cookie into their own browser and is signed in; the second factor has already been satisfied by the victim, so nothing prompts again. This works against SMS codes, TOTP and push approvals alike, but not against FIDO2 credentials, which are bound to the real origin. By the time the user notices anything unusual, the session is already active.
SIM swapping remains a persistent problem, particularly where SMS-based codes are in use. Attackers socially engineer mobile network providers into transferring a victim’s number to an attacker-controlled SIM. The one-time code then lands in the wrong hands.
MFA fatigue (push bombing) works differently. The attacker obtains the victim's password through phishing or a breach, then repeatedly triggers push notification requests, often at night. Many users, worn down by the alerts or assuming a glitch, eventually tap approve, granting access without realising what they have done. Number matching, where the user must type a code shown on the login screen into the authenticator app, defeats the blind approve.
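Both techniques leave traces in sign-in telemetry. The following is an added example, not code from the original article, that runs two simple detections over a handful of constructed sign-in events: a session presented from a different network than the one that completed MFA (one indicator of cookie replay after AiTM phishing), and a burst of rejected push prompts followed by an approval (MFA fatigue). The JSON field names, thresholds and sample events are assumptions for the example rather than any vendor's log schema.

```python
"""Detections over constructed identity-provider sign-in events (added example).

Two indicators from the text:
  * AiTM cookie replay: MFA completed from one network, the same session
    then used from another network shortly afterwards.
  * MFA fatigue: a burst of denied or expired push prompts for one user,
    then an approval.
The log format and field names are assumptions, not a real product's schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line (not real logs).
SAMPLE_LOG = """\
{"ts":"2024-05-01T08:00:05Z","user":"alice","event":"mfa_complete","session":"s-100","ip":"198.51.100.10","asn":"AS64500"}
{"ts":"2024-05-01T08:01:10Z","user":"alice","event":"resource_access","session":"s-100","ip":"198.51.100.10","asn":"AS64500"}
{"ts":"2024-05-01T08:03:30Z","user":"alice","event":"resource_access","session":"s-100","ip":"203.0.113.44","asn":"AS64501"}
{"ts":"2024-05-01T22:14:00Z","user":"bob","event":"mfa_push","result":"denied","ip":"192.0.2.9","asn":"AS64502"}
{"ts":"2024-05-01T22:14:40Z","user":"bob","event":"mfa_push","result":"timeout","ip":"192.0.2.9","asn":"AS64502"}
{"ts":"2024-05-01T22:15:20Z","user":"bob","event":"mfa_push","result":"denied","ip":"192.0.2.9","asn":"AS64502"}
{"ts":"2024-05-01T22:16:05Z","user":"bob","event":"mfa_push","result":"approved","ip":"192.0.2.9","asn":"AS64502"}
{"ts":"2024-05-01T09:00:00Z","user":"carol","event":"mfa_push","result":"denied","ip":"192.0.2.20","asn":"AS64503"}
{"ts":"2024-05-01T09:30:00Z","user":"carol","event":"mfa_push","result":"approved","ip":"192.0.2.20","asn":"AS64503"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_replay(events, window=timedelta(hours=1)):
    """Flag any use of a session from a different ASN than the one that
    completed MFA for it, within `window` of that completion."""
    origin = {}  # session id -> (asn, ts) recorded at MFA completion
    hits = []
    for e in events:
        sid = e.get("session")
        if not sid:
            continue
        if e["event"] == "mfa_complete":
            origin[sid] = (e["asn"], e["ts"])
        elif sid in origin:
            asn, ts = origin[sid]
            if e["asn"] != asn and e["ts"] - ts <= window:
                hits.append({"user": e["user"], "session": sid,
                             "mfa_asn": asn, "seen_asn": e["asn"]})
    return hits


def detect_push_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Flag a user who approves a push after `threshold` or more denied or
    timed-out pushes inside `window`."""
    recent = defaultdict(list)  # user -> timestamps of rejected prompts
    hits = []
    for e in events:
        if e["event"] != "mfa_push":
            continue
        user = e["user"]
        # Forget rejections that have aged out of the window.
        recent[user] = [t for t in recent[user] if e["ts"] - t <= window]
        if e["result"] in ("denied", "timeout"):
            recent[user].append(e["ts"])
        elif e["result"] == "approved":
            if len(recent[user]) >= threshold:
                hits.append({"user": user,
                             "rejected_prompts": len(recent[user]),
                             "approved_at": e["ts"]})
            recent[user] = []
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for h in detect_session_replay(evs):
        print("possible cookie replay:", h)
    for h in detect_push_fatigue(evs):
        print("possible MFA fatigue:", h)
```

The thresholds are starting points to tune against your own baseline. The ASN comparison is only one indicator: an attacker who proxies the login and replays the cookie from the same hosting provider will not trip it, so pair it with impossible-travel and new-device signals.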
OAuth token theft is another vector that does not get enough attention. MFA is evaluated when a token is issued, not on each use, so an access or refresh token lifted from a device, a log or a poorly configured application keeps working until it expires or is revoked. Long-lived tokens with broad scopes make this worse: a single stolen token can persist for days or weeks.
Why Implementation Matters More Than the Technology
The MFA solution itself is rarely the weak point. The gaps appear in how it is configured and enforced. Legacy authentication protocols such as IMAP, POP3 and SMTP AUTH use basic authentication, which has no way to prompt for a second factor, so they often sit outside MFA controls entirely. Attackers target these endpoints specifically, typically with password spraying, because a valid username and password alone gets them in and bypasses the modern login flow.
Conditional access policies that only apply to certain devices, locations or user groups can be circumvented by attackers who understand the policy logic: sign in from a network range marked as trusted, from a client type the policy does not name, or as a user in an excluded group, and the MFA requirement never fires. Gaps in coverage, even small ones, create usable entry points.

Web application penetration testing helps organisations identify exactly these kinds of gaps. A structured test exercises the authentication layer the way an attacker would, revealing weaknesses that automated tooling typically misses.
Session management is frequently overlooked. MFA is proven once, at sign-in; from then on the session cookie or token is the credential. If sessions have no sensible absolute and idle lifetime, are not revoked on sign-out or on a risk event, or can be replayed from a different client, the value of MFA drops significantly.
Practical Steps to Strengthen Your MFA Deployment
Switch from SMS-based codes to app-based authenticators or hardware tokens where possible. TOTP apps are immune to SIM swapping, although a code typed into a phishing proxy is still relayed; FIDO2 keys go further, since the credential is bound to the genuine origin and cannot be redirected.
Block legacy authentication protocols across your environment. Microsoft 365 and Azure AD (now Microsoft Entra ID) both provide policies to enforce this, for example a Conditional Access policy that blocks the Exchange ActiveSync and "Other clients" client app types, and Exchange Online authentication policies that disable basic authentication per protocol. It is one of the highest-impact, lowest-effort changes you can make.
Review conditional access policies regularly. Test them against realistic attacker scenarios, such as a legacy client from a trusted location or a user in an excluded group, rather than assuming they work as intended.
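Finding the coverage gaps described earlier, and reviewing policies against attacker scenarios as recommended here, is easier if you treat policies as data and enumerate the paths. The following is an added example, not code from the original article or from any vendor, that models policies and sign-in attributes as plain dictionaries in an assumed, simplified schema (it is not the Entra ID policy engine) and lists every combination of client type, location and user group for which no policy requires MFA or blocks the sign-in.

```python
"""Coverage audit of a simplified Conditional Access model (added example).

Policies and sign-in attributes are plain dicts in an assumed schema for
illustration, not the Entra ID / Azure AD engine. The method is the point:
enumerate every combination of attributes an attacker can choose and list
the ones no policy requires MFA for or blocks.
"""
from itertools import product

# Attribute values an attacker can steer a sign-in through (assumed set).
DIMENSIONS = {
    "client": ["browser", "modern", "legacy"],  # legacy = basic auth (IMAP, SMTP, EAS)
    "location": ["trusted", "untrusted"],
    "group": ["staff", "admins", "service"],
}

# Constructed policies. Conditions are the accepted values per dimension;
# an omitted dimension matches everything. "exclude" skips named groups.
POLICIES = [
    {"name": "Require MFA from untrusted locations", "state": "enabled",
     "conditions": {"client": {"browser", "modern"}, "location": {"untrusted"}},
     "exclude": {"group": {"service"}},
     "control": "mfa"},
    {"name": "Block legacy authentication", "state": "disabled",
     "conditions": {"client": {"legacy"}},
     "exclude": {},
     "control": "block"},
]


def policy_matches(policy, signin):
    """True if an enabled policy's conditions cover this sign-in."""
    if policy["state"] != "enabled":
        return False
    for dim, allowed in policy["conditions"].items():
        if signin[dim] not in allowed:
            return False
    for dim, excluded in policy.get("exclude", {}).items():
        if signin[dim] in excluded:
            return False
    return True


def effective_control(policies, signin):
    """'block' beats 'mfa'; None means a password alone is enough."""
    controls = {p["control"] for p in policies if policy_matches(p, signin)}
    if "block" in controls:
        return "block"
    if "mfa" in controls:
        return "mfa"
    return None


def uncovered_paths(policies, dimensions=DIMENSIONS):
    """Every attribute combination no policy requires MFA for or blocks."""
    names = list(dimensions)
    gaps = []
    for values in product(*(dimensions[n] for n in names)):
        signin = dict(zip(names, values))
        if effective_control(policies, signin) is None:
            gaps.append(signin)
    return gaps


def enable(policies, name):
    """Return a copy of the policy list with the named policy enabled."""
    return [dict(p, state="enabled") if p["name"] == name else p for p in policies]


if __name__ == "__main__":
    for gap in uncovered_paths(POLICIES):
        print("password-only path:", gap)
    remaining = uncovered_paths(enable(POLICIES, "Block legacy authentication"))
    print("after enabling the legacy-auth block:", len(remaining), "gaps remain")
```

Run against the sample policies this reports 14 password-only paths, dropping to 8 once the disabled legacy-auth block is enabled; the 8 that remain are exactly the trusted-location and excluded-service-account paths the text warns about. Export your real policies, feed them through the same logic, and confirm the result with test sign-ins rather than trusting the model alone.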
Vulnerability scanning services can surface exposed legacy authentication endpoints and known misconfigurations before attackers do. Running scheduled scans alongside manual testing gives you a more complete picture of your exposure.
Finally, consider phishing-resistant MFA standards for privileged accounts. FIDO2 authentication tied to hardware removes the social engineering element almost entirely: the browser records the origin it is actually talking to, the authenticator signs over it, and a proxy on a lookalike domain cannot produce a valid assertion for the real site.
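The origin binding that makes FIDO2 resistant to both the interception discussed under authenticator choice and the phishing proxy discussed here is a check the relying party actually performs. The following is an added example, not code from the original article, of that check on clientDataJSON in Python: the browser, not the page, writes the origin it is connected to into clientDataJSON, and the authenticator signs over its SHA-256 hash, so an assertion relayed through a proxy on a lookalike domain fails. The relying-party origin, the challenge handling and the constructed assertions are assumptions for the example; the signature verification with the credential's public key that follows this check is not shown.

```python
"""Relying-party check on WebAuthn clientDataJSON (added example).

Why a phishing proxy fails against FIDO2: the browser fills in "origin" with
the site it is really connected to, and the authenticator's signature covers
authenticatorData || SHA-256(clientDataJSON). A relay on a lookalike domain
therefore yields an assertion for the wrong origin. RP_ORIGINS, the challenge
handling and the sample assertions are assumptions for this example; the
public-key signature check that follows is not shown.
"""
import base64
import hashlib
import json
import secrets

RP_ORIGINS = {"https://login.example.com"}  # assumed relying-party origin


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def new_challenge():
    """Fresh per-ceremony challenge; stored server-side and used once."""
    return b64url(secrets.token_bytes(32))


def check_client_data(client_data_json, expected_challenge, allowed_origins=RP_ORIGINS):
    """Return (ok, reason, client_data_hash). The hash is what the
    authenticator signed together with authenticatorData."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON", None
    if not isinstance(cd, dict):
        return False, "clientDataJSON is not an object", None
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type", None
    if not secrets.compare_digest(str(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replay or wrong ceremony)", None
    if cd.get("origin") not in allowed_origins:
        return False, "origin %r is not the relying party" % cd.get("origin"), None
    return True, "ok", hashlib.sha256(client_data_json).digest()


def build_client_data(origin, challenge):
    """Stand-in for what the browser produces. A phishing page cannot set
    the origin field; the browser writes the origin it is connected to."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin, "crossOrigin": False}).encode()


def demo():
    """Genuine sign-in, proxied sign-in, and a replay with a stale challenge."""
    challenge = new_challenge()
    genuine = build_client_data("https://login.example.com", challenge)
    # The victim's browser is on the proxy's lookalike domain (constructed
    # attacker domain), so that is the origin it records, even though the
    # proxy relayed the real challenge.
    phished = build_client_data("https://login-example.com", challenge)
    return (check_client_data(genuine, challenge)[0],
            check_client_data(phished, challenge)[0],
            check_client_data(genuine, new_challenge())[0])


if __name__ == "__main__":
    print("genuine, phished, stale-challenge:", demo())
```

In practice the proxy rarely gets even this far: the browser refuses to use a credential whose relying-party ID does not match the lookalike domain, and the authenticator holds no credential for the attacker's domain. The origin check above is the relying-party half of the same guarantee, and it is why push, TOTP and SMS relays succeed where FIDO2 relays do not.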
The Bottom Line
MFA is not a silver bullet. It is a strong control that, when poorly implemented, can give organisations a false sense of security. The organisations that get this right treat MFA as one layer in a broader defence strategy, not the final answer. Regular testing, policy reviews, and user education are what make the difference between authentication that works and authentication that looks like it works.
Expert Commentary
William Fieldhouse, Director of Aardwolf Security Ltd
“MFA bypass is something we see regularly during red team engagements. The technology is sound, but the deployment gaps are what attackers exploit. Organisations should treat MFA configuration as an ongoing task, not a one-time setup.”
