
Why do push, TOTP, and SMS remain risky even when they are called MFA?

They remain risky because the user can approve a prompt or enter a code into a phishing proxy, and the attacker can relay that approval or code to the real service within its validity window. These factors prove that the user participated, but not where the request originated, which is exactly the gap that adversary-in-the-middle (AiTM) attacks exploit.

Why This Matters for Security Teams

Push, TOTP, and SMS often get grouped under “MFA,” but that label can hide a critical weakness: they mainly prove that a user participated, not that the request originated from a trusted device, channel, or context. That distinction matters because modern phishing kits and AiTM proxies can capture a code or approval in real time and relay it to the legitimate service. NIST’s Cybersecurity Framework 2.0 reinforces the need to reduce identity risk, not just add factors.

NHIMG research on the OWASP NHI Top 10 and the Top 10 NHI Issues shows a broader pattern that also applies to human sign-in flows: when trust is built around secrets and approvals alone, attackers look for the relay point, not the credential vault. The same lesson appears in real breaches, including the Microsoft Midnight Blizzard breach, where identity assurance gaps became operational risk.

In practice, many security teams encounter MFA bypass only after a phishing proxy has already harvested a valid session or approval, rather than through intentional red-team validation.

How It Works in Practice

The core problem is that push, TOTP, and SMS are transferable in the moment they are used. A phished one-time code can be replayed within its validity window. A push prompt can be approved under social engineering pressure. An SMS code can be intercepted through SIM swap, malware, or message forwarding. None of these factors reliably binds the authentication event to a trusted origin.

Current guidance increasingly favors phishing-resistant methods such as FIDO2/WebAuthn because they bind the authentication ceremony to the legitimate origin and a cryptographic key held on the device. That is a materially stronger assurance model than shared secrets or one-time codes. For organisations evaluating this shift, the Ultimate Guide to NHIs — Why NHI Security Matters Now is useful for understanding how identity assurance fails when the attacker controls the interaction layer. For implementation patterns around stronger access decisions, NIST Cybersecurity Framework 2.0 provides a risk-based structure.
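To make the origin-binding point concrete, the following Go program (an added example, not code from the original article or from any WebAuthn library) models the relying-party check in reduced form: the authenticator signs a clientDataJSON that the browser, not the user, populated with the page's origin, and the server accepts only a signature over its own origin and its own challenge. The relying-party origin, the look-alike proxy origin and the nonce are constructed values; authenticatorData, the RP ID hash and the signature counter are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// ClientData mirrors WebAuthn's clientDataJSON; the browser fills in Origin itself.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Sign plays the authenticator: the signature covers SHA-256(clientDataJSON), origin included.
func Sign(priv *ecdsa.PrivateKey, challenge, origin string) (cdJSON, sig []byte, err error) {
	cdJSON, _ = json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin}) // cannot fail for plain strings
	h := sha256.Sum256(cdJSON)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, h[:])
	return cdJSON, sig, err
}

// Verify is the relying party's check: a relayed assertion has a valid signature but names the proxy's origin, so it fails the last test.
func Verify(pub *ecdsa.PublicKey, cdJSON, sig []byte, wantChallenge, wantOrigin string) (bool, string) {
	var cd ClientData
	if json.Unmarshal(cdJSON, &cd) != nil {
		return false, "malformed clientDataJSON"
	}
	h := sha256.Sum256(cdJSON)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return false, "signature invalid" // any tampering with the signed client data lands here
	}
	if cd.Type != "webauthn.get" || cd.Challenge != wantChallenge {
		return false, "challenge mismatch (stale or replayed)"
	}
	if cd.Origin != wantOrigin {
		return false, "origin mismatch: " + cd.Origin // a TOTP verifier has no such field to compare
	}
	return true, "ok"
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed credential key
	cd, sig, _ := Sign(priv, "rp-nonce-0001", "https://login.example.com.proxy.test") // constructed: user signed on a look-alike origin
	fmt.Println(Verify(&priv.PublicKey, cd, sig, "rp-nonce-0001", "https://login.example.com"))
}
```

Running it prints the rejection of the relayed assertion with an origin mismatch even though the signature itself verifies.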

  • Use push, TOTP, and SMS only as transitional controls, not as the end state for privileged or high-risk access.
  • Require phishing-resistant MFA for admins, finance, support desks, and remote access paths that lead to sensitive systems.
  • Pair authentication with device posture, session risk, and impossible-travel detection so approval alone is not enough.
  • Reduce reliance on SMS where SIM swap and telephony interception are realistic threats.

These controls tend to break down in high-friction help desk reset flows because attackers exploit the fallback path faster than the primary login policy.

Common Variations and Edge Cases

Tighter authentication often increases user friction and rollout cost, so organisations have to balance phishing resistance against operational disruption. That tradeoff is real, especially where legacy apps, remote work, or third-party access still depend on basic MFA methods.

There is no universal standard for this yet, but current guidance suggests treating push, TOTP, and SMS as lower-assurance factors for anything that can trigger privilege escalation, payment activity, or sensitive data access. In those cases, step-up controls should be context-aware and paired with stronger methods where possible. For example, a low-risk internal portal may tolerate TOTP temporarily, while an admin console should not. The 2024 ESG Report: Managing Non-Human Identities highlights how quickly identity weaknesses become repeated incidents once attackers find a weak trust point.

Security teams should also remember that MFA fatigue attacks and approval bombing change the risk profile of push-based systems. If a workflow cannot distinguish legitimate intent from coerced or relayed approval, it is authentication only in the narrowest sense. For deeper identity governance context, the Ultimate Guide to NHIs — Key Challenges and Risks is a useful reference point.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-1 | Identity proofing and authentication strength are central to phishing-resistant MFA.
OWASP Non-Human Identity Top 10 | NHI-05 | Highlights credential interception and relay risks that also affect human MFA flows.
NIST AI RMF | | Risk governance must account for identity and access failures in AI-enabled systems.

Replace weak MFA with stronger authentication methods for privileged and sensitive access paths.