Why do traditional MFA methods fail against phishing attacks?

Traditional MFA fails because many methods still depend on a code, prompt, or approval that an attacker can intercept, relay, or coerce in real time. Once the factor is replayable, the second step no longer proves the original user is present. That turns MFA into a weaker speed bump instead of a durable identity control.

Why This Matters for Security Teams

Phishing succeeds against traditional MFA because many deployed factors still prove only that someone can see or approve a challenge, not that the original user is truly present. A real-time relay, push fatigue, or coerced approval can turn a second factor into a low-friction bypass. NHI Management Group’s 52 NHI Breaches Analysis shows how quickly identity compromise can cascade once an attacker controls a valid credential path, which is why phishing-resistant design matters more than checkbox MFA.

This is not just a user-awareness problem. Security teams are now defending against adversaries who industrialise relay infrastructure, session theft, and token replay, while also probing help desks and recovery workflows. Guidance from CISA cyber threat advisories consistently treats identity compromise as an operational risk, not a narrow authentication event. In practice, many security teams encounter MFA bypass only after an attacker has already authenticated and moved into mailbox, VPN, or SaaS control planes rather than through intentional testing.

How It Works in Practice

The core weakness is that many MFA methods are replayable. A phishing kit can proxy the login flow in real time, capture the one-time code, or harvest a push approval and immediately use it against the legitimate service. If the factor is not cryptographically bound to the origin site, the verifier cannot distinguish the attacker’s relay from the real authentication session. That is why current guidance increasingly prefers phishing-resistant controls such as FIDO2/WebAuthn, which bind the assertion to the relying party and reduce relay risk.

Practical hardening usually combines multiple measures rather than relying on a single control:

  • Use phishing-resistant factors for workforce access, especially for email, VPN, SSO, and admin portals.
  • Prefer passkeys or hardware security keys over OTP codes or push-only approval.
  • Disable legacy authentication paths that still accept basic prompts, older protocols, or app passwords.
  • Apply conditional access so authentication strength matches the risk of the request.
  • Monitor for impossible travel, unfamiliar device posture, and anomalous consent or recovery events.

For phishing-resistant design patterns, the OWASP NHI Top 10 and NIST-aligned identity guidance both reinforce the same operational point: the factor should be bound to the session and the origin, not merely presented during login. The Anthropic report on AI-orchestrated cyber espionage also illustrates how quickly automated attackers can chain access once a foothold exists. These controls tend to break down in environments that still depend on SMS OTP, outsourced help-desk resets, or mixed legacy and modern authentication stacks because the weakest accepted path becomes the bypass.
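To make the origin-binding point from the two paragraphs above concrete, here is an added example (not code from the journal or from any vendor) that simulates the relying-party checks a WebAuthn verifier performs and contrasts them with a plain OTP comparison. It assumes a constructed relying party `login.example.com` and uses HMAC as a stand-in for the authenticator's private-key signature.

```python
import base64
import hashlib
import hmac
import json

# Constructed relying party for the demo (assumption, not a real deployment).
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_sign(page_origin: str, challenge: bytes, key: bytes) -> dict:
    """Simulate the assertion a browser and authenticator produce for a page served
    from page_origin. The browser fills in origin and rpIdHash itself, so a proxy page
    on another domain cannot claim the real site. HMAC stands in for a FIDO2 signature."""
    host = page_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": _b64url(challenge),
                              "origin": page_origin}).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP|UV) || signCount
    auth_data = hashlib.sha256(host.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(key, signed, "sha256").digest()}

def verify_assertion(a: dict, challenge: bytes, key: bytes) -> tuple[bool, str]:
    """Relying-party checks: challenge (anti-replay), origin and rpIdHash (anti-relay),
    then the signature over authenticatorData || SHA-256(clientDataJSON)."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != _b64url(challenge):
        return False, "challenge mismatch (replayed assertion)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if a["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(key, signed, "sha256").digest(), a["signature"]):
        return False, "bad signature"
    return True, "ok"

def verify_otp(submitted: str, current: str) -> bool:
    """An OTP verifier only compares strings; it cannot tell where the code was typed."""
    return hmac.compare_digest(submitted, current)
```

Feeding the same challenge to a browser sitting on a proxy page at another origin yields an assertion the verifier rejects on the origin check, whereas a relayed OTP is indistinguishable from one typed on the real site.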

Common Variations and Edge Cases

Tighter authentication often increases rollout friction, user support load, and device-management overhead, so organisations have to balance phishing resistance against operational complexity. Best practice is evolving, and there is no universal standard for every workforce population yet.

Some environments still rely on OTPs for contractors, shared devices, or emergency access. That can be acceptable as a temporary exception, but it should be treated as an explicit risk decision with compensating controls such as step-up verification, short session lifetimes, and tighter monitoring. Push MFA also varies widely in quality: number matching is better than blind approval, but it still does not eliminate relay attacks if the session is stolen in real time.

High-risk roles deserve stronger treatment. Admins, finance teams, and identity operators should use hardware-bound credentials and separate recovery channels. For broader context on why identity abuse keeps appearing in real incidents, see Ultimate Guide to NHIs — Why NHI Security Matters Now and Top 10 NHI Issues. The practical cutoff is simple: once the organisation permits a replayable second factor, the attacker only needs one successful phish, not persistent access, because the authentication event itself can be borrowed and reused.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-01              | Focuses on weak or replayable authentication paths that enable identity takeover.
NIST CSF 2.0                     | PR.AA-1             | Identity proofing and authentication strength are central to phishing-resistant access.
NIST SP 800-63                   | SP 800-63B          | Defines phishing-resistant authenticators and why OTP-style MFA is weaker.

Replace replayable MFA with phishing-resistant, origin-bound authentication for privileged access.