MFA codes fail when the attacker can harvest them in real time and replay them inside the valid session window. The weakness is not the factor itself but the trust boundary around reset, recovery, and proxied login flows. If those paths are weak, the second factor only confirms the attacker’s timing, not the user’s intent.
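The point above in code, as an added example that is not from the original page: a TOTP verifier (RFC 6238) accepts a code from whichever client submits it first within the window, and one-time-use tracking only stops the second submission. For contrast, and going beyond the text, a response computed over the login origin fails when it is produced on a different origin. The HMAC-based `sign_assertion`/`verify_assertion` pair is a simplified stand-in for the origin binding that WebAuthn achieves with public-key signatures, and every secret, time and origin is a constructed sample value.

```python
import hashlib, hmac, struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

class TotpVerifier:
    """Accepts the current step +/- drift; each time step is usable once."""
    def __init__(self, secret: bytes, drift: int = 1):
        self.secret, self.drift, self.last_step = secret, drift, -1

    def verify(self, code: str, now: int) -> bool:
        for d in range(-self.drift, self.drift + 1):
            step = now // STEP + d
            if step > self.last_step and hmac.compare_digest(
                    totp(self.secret, step * STEP), code):
                self.last_step = step  # stops a second use, not the first relay
                return True
        return False

def sign_assertion(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Authenticator side: the response covers the origin the browser saw."""
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()

def verify_assertion(key: bytes, challenge: bytes, origin: str, resp: bytes) -> bool:
    """Server side: recompute over the origin it expects and compare."""
    return hmac.compare_digest(sign_assertion(key, challenge, origin), resp)

def demo() -> dict:
    # All secrets, times and origins below are constructed sample values.
    secret, t = b"constructed-totp-secret", 1_700_000_000
    server = TotpVerifier(secret)
    code = totp(secret, t)                      # typed by the user at time t
    key, chal = b"constructed-device-key", b"constructed-challenge"
    real, lookalike = "https://login.example.com", "https://login.example.net"
    return {
        "code_relayed_12s_later": server.verify(code, t + 12),
        "same_code_second_use": server.verify(code, t + 20),
        "assertion_from_lookalike": verify_assertion(
            key, chal, real, sign_assertion(key, chal, lookalike)),
        "assertion_from_real_origin": verify_assertion(
            key, chal, real, sign_assertion(key, chal, real)),
    }

if __name__ == "__main__":
    print(demo())
```

The verifier has no input that distinguishes the user's browser from a relay, which is why the first check passes; the origin-bound response fails because the value the server recomputes differs from what was signed.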