TL;DR: Legacy MFA models built for 2015-era threats are increasingly vulnerable to MFA fatigue, reverse-proxy phishing, token theft, SIM swaps, OTP interception, and AI-driven social engineering, according to eMudhra. The security problem is no longer authentication alone, but whether trust is cryptographically anchored enough to survive modern deception and session abuse.
NHIMG editorial — based on content published by eMudhra: Why weak MFA may not survive 2026
Questions worth separating out
Q: How should security teams implement phishing-resistant MFA for privileged SaaS access?
A: Start with the identities that can export data or change access, including IdP admins, SaaS admins, and helpdesk staff.
Q: Why do push approvals and OTPs fail against modern MFA attacks?
A: Because both rely on something a user can be tricked into giving away or approving.
Q: What do security teams get wrong about MFA in identity attacks?
A: They often assume MFA ends the problem once the code is entered.
Practitioner guidance
- Prioritise phishing-resistant factors for high-risk access Move privileged users, admins, and remote access paths to FIDO2 security keys, certificate-based authentication, or device-bound passkeys.
- Extend MFA policy into the live session Add step-up rules for privileged actions, risky context changes, and anomalous access patterns.
- Separate human and machine authentication models Design a distinct control path for service accounts, workloads, and APIs using certificates, workload identity, and non-interactive access patterns.
What's in the full article
eMudhra's full article covers the operational detail this post intentionally leaves for the source:
- The vendor's step-by-step reasoning for why FIDO2, certificate-based authentication, and device-bound passkeys reduce replay risk.
- The article's comparison of push-based MFA, OTPs, and cryptographic token models across human and machine access.
- The vendor's view on how AI-driven social engineering changes the design assumptions behind MFA.
- The product-specific integration angle for IAM, PAM, PKI, and Zero Trust environments.
👉 Read eMudhra's analysis of why weak MFA may not survive 2026 →
Weak MFA in 2026: are your controls keeping up?
Explore further
Cryptographic identity is replacing approval-based MFA because human decision gates no longer scale against modern attack design. Reverse-proxy phishing, OTP interception, and push fatigue all succeed by turning the user into the verification step. That makes the control dependent on judgment at the exact moment attackers are trying to manipulate it. The practitioner conclusion is that approval-led MFA is no longer a stable assurance model.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
A question worth separating out:
Q: Who is accountable when an MFA bypass leads to account compromise?
A: Accountability should sit with the identity and access owner for the affected population, plus the security team responsible for authentication policy and monitoring. Governance frameworks such as Zero Trust and enterprise IAM controls require that sign-in, session trust and privileged access are designed and reviewed together, not separately.
👉 Read our full editorial: Why weak MFA is failing against 2026 attack techniques