MFA Is Not Enough Anymore: What West Hills Businesses Need to Know
Multi-factor authentication changed the security landscape. For years, enabling MFA on email and cloud platforms was one of the most effective steps an organization could take. Attackers who obtained a password still could not get in.
That advantage has narrowed. MFA is still worth having — it still stops many attacks. But attackers have adapted, and organizations that treat MFA as a complete solution are carrying more risk than they realize.
Overview
MFA adds a second verification step to the login process — typically a code sent by text, generated by an app, or delivered through a push notification. When it works as intended, a stolen password is not enough to access the account. The attacker also needs the second factor, which they do not have.
The problem is that attackers have developed techniques that do not require stealing the second factor. They bypass it entirely, intercept it in transit, or trick the user into approving access without realizing it. As part of a layered cybersecurity strategy, MFA still provides meaningful protection — but it is no longer sufficient on its own.
The Challenge
Three techniques have made MFA bypass increasingly common. The first is MFA fatigue — attackers repeatedly send push notification approval requests until the user approves one out of frustration or confusion. The second is adversary-in-the-middle phishing, where a fake login page captures credentials and the MFA token simultaneously, relaying them to the real service in real time. The third is SIM swapping, where attackers convince a mobile carrier to transfer a victim's phone number to an attacker-controlled device, intercepting SMS codes.
None of these techniques require breaking encryption or exploiting software vulnerabilities. They rely on human behavior and the design limitations of common MFA implementations. Without managed oversight and user awareness, most organizations would not detect a successful bypass until after the account had already been compromised.
Why It Matters
Account compromise is one of the most common starting points for larger incidents. A compromised email account gives attackers access to business communications, password reset flows for other systems, financial requests, and sensitive client information. In healthcare, a compromised account can expose patient records. In legal services, it can expose privileged communications. In financial services, it can enable fraudulent transactions.
Organizations that have enabled MFA and moved on — without considering whether their implementation is phishing-resistant, without training users to recognize suspicious approval requests, and without monitoring for unusual login activity — have a false sense of protection. The control exists, but its effectiveness has been reduced by attacker adaptation.
What Organizations Should Watch For
- Users approving MFA push requests they did not initiate.
- MFA implemented via SMS text message on high-value accounts.
- No monitoring or alerting for unusual login locations or times.
- Users who do not know what to do when they receive an unexpected MFA prompt.
- Accounts protected only by MFA with no conditional access or device trust policies.
- No process for investigating or responding to failed MFA attempts.
Recommended Actions
- Move high-value accounts from SMS-based MFA to authenticator apps or hardware keys.
- Train users to reject unexpected MFA prompts immediately and report them.
- Enable number matching or additional context in push notification MFA where available.
- Implement conditional access policies that restrict logins from unexpected locations or devices.
- Monitor for failed MFA attempts and unusual login patterns as part of routine security review.
- Consider phishing-resistant MFA — such as FIDO2 hardware keys — for administrative and privileged accounts.
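The monitoring points in the two lists above (push prompts the user did not initiate, SMS MFA on high-value accounts, failed MFA attempts) can be turned into simple checks over sign-in logs. The script below is an added example, not SecureLynx code or any product's API; the log format, field names, the privileged-account list and the burst thresholds are assumptions, and the log lines are constructed.

```python
"""Flag MFA-fatigue bursts and SMS MFA on privileged accounts in sign-in logs.

Added example. Log layout (timestamp, user, mfa_method, result), the
PRIVILEGED set and the window/threshold values are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: one sign-in MFA challenge per line.
SAMPLE_LOG = """\
2024-05-01T08:00:05Z alice@example.com push denied
2024-05-01T08:00:40Z alice@example.com push denied
2024-05-01T08:01:10Z alice@example.com push denied
2024-05-01T08:01:55Z alice@example.com push denied
2024-05-01T08:02:30Z alice@example.com push approved
2024-05-01T09:15:00Z bob@example.com app approved
2024-05-01T10:00:00Z admin@example.com sms approved
"""

PRIVILEGED = {"admin@example.com"}  # assumed list of high-value accounts


def parse(log):
    """Parse the constructed log into (timestamp, user, method, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, method, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, method, result))
    return events


def mfa_fatigue(events, window=timedelta(minutes=5), min_prompts=4):
    """Users who received >= min_prompts push challenges inside `window`
    where the latest one was approved: the fatigue pattern described above."""
    by_user = defaultdict(list)
    for ts, user, method, result in events:
        if method == "push":
            by_user[user].append((ts, result))
    flagged = []
    for user, prompts in by_user.items():
        prompts.sort()
        for i, (start, _) in enumerate(prompts):
            burst = [p for p in prompts[i:] if p[0] - start <= window]
            if len(burst) >= min_prompts and burst[-1][1] == "approved":
                flagged.append(user)
                break
    return flagged


def sms_on_privileged(events):
    """Privileged accounts whose second factor is still an SMS code."""
    return sorted({u for _, u, m, _ in events if m == "sms" and u in PRIVILEGED})


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("MFA fatigue:", mfa_fatigue(evts))
    print("SMS on privileged:", sms_on_privileged(evts))
```

In a real deployment the same two checks would run over the identity provider's sign-in export on a schedule, with each hit routed to the review process the last bullet calls for.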
The SecureLynx Perspective
Observe:
Most organizations do not have visibility into how their MFA implementation is actually performing. Failed attempts go unreviewed. Approved prompts are never audited. Login activity from unexpected locations does not trigger alerts. Observation here means treating MFA as a monitored control, not a set-and-forget feature.
Adapt:
The threat to MFA has evolved quickly. Organizations that implemented SMS-based MFA several years ago and have not revisited that decision are running a control that attackers know how to circumvent. Adapting means evaluating current MFA methods against current attack techniques and updating where the gap is meaningful.
Protect:
MFA is still worth having and still worth requiring — across email, cloud platforms, remote access, and administrative systems. But protection in depth means treating MFA as one layer in a broader security architecture that includes monitoring, user awareness, access governance, and incident response. A bypassed MFA prompt should be detectable. A compromised account should trigger a response. That is what layered protection looks like.