DEV Community

Spicy

Two-Factor Auth Isn't the Shield You Think It Is.

You enabled two-factor authentication. Good call. But here's what most security guides skip: the biggest account takeovers of the past three years didn't require attackers to crack your 2FA code at all. They found ways to make you hand it over — or made the authentication step irrelevant entirely.

MFA fatigue attacks are now one of the most documented techniques in real breaches, and they work precisely because 2FA gave everyone a false sense of being done.

Why 2FA Still Gets Beaten in 2026

Traditional 2FA was designed to stop credential stuffing — someone stealing your password and trying to log in. For that specific threat, it works brilliantly. Microsoft's data shows MFA blocks over 99% of automated credential attacks.

The problem is the threat didn't stay still. Attackers noticed 2FA made the password less valuable, so they shifted focus: steal the session, exhaust the user, or reroute the auth flow entirely. These aren't exotic techniques. They show up in the Verizon DBIR every year, and the companies hit aren't careless ones.

The Three Techniques Hackers Use to Walk Past MFA

1. MFA Fatigue (Push Bombing)

An attacker who has your username and password triggers your push notification repeatedly — sometimes dozens of times overnight. Most people eventually tap "Approve" to make it stop. That single tap hands over a valid session token.

This exact method took down Uber in 2022. The attacker bought leaked credentials, bombed the contractor's phone with push requests, then sent a WhatsApp message posing as Uber IT saying "approve once and it'll stop." The contractor did. Game over.

Mitigation: Enable number matching on push apps. You type a two-digit code shown on your screen into the push prompt — blind approvals stop working immediately. Microsoft Authenticator and Duo both support this and Microsoft enabled it by default across Entra ID in 2023.
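Number matching stops the attack at the prompt; the other half is spotting the burst in your sign-in logs before someone taps Approve. The following is an added example (not from the article or any identity vendor) that flags push-bombing patterns over constructed sign-in events; the event schema, window and thresholds are assumptions.

```javascript
// Added example (not from the article): flagging MFA push bombing in sign-in logs.
// Events below are constructed; the schema is an assumption, not any IdP's real format.
const SAMPLE_EVENTS = [
  { ts: '2026-01-10T02:00:05Z', user: 'j.doe',   result: 'denied' },
  { ts: '2026-01-10T02:01:10Z', user: 'j.doe',   result: 'timeout' },
  { ts: '2026-01-10T02:02:30Z', user: 'j.doe',   result: 'denied' },
  { ts: '2026-01-10T02:04:00Z', user: 'j.doe',   result: 'timeout' },
  { ts: '2026-01-10T02:05:45Z', user: 'j.doe',   result: 'denied' },
  { ts: '2026-01-10T02:08:12Z', user: 'j.doe',   result: 'approved' }, // the tired tap
  { ts: '2026-01-10T09:15:00Z', user: 'a.smith', result: 'approved' }, // a normal login
  { ts: '2026-01-10T23:40:00Z', user: 'm.lee',   result: 'denied' },
  { ts: '2026-01-10T23:41:00Z', user: 'm.lee',   result: 'denied' },
  { ts: '2026-01-10T23:42:00Z', user: 'm.lee',   result: 'denied' },
  { ts: '2026-01-10T23:43:00Z', user: 'm.lee',   result: 'timeout' },
  { ts: '2026-01-10T23:44:00Z', user: 'm.lee',   result: 'denied' },
];

// Returns one finding per user whose densest window holds >= minPrompts push challenges.
// A burst that ends in an approval is the pattern described above and is rated critical;
// a burst the user kept denying is rated high (the attacker still holds a valid password).
function detectPushBombing(events, { windowMs = 10 * 60 * 1000, minPrompts = 5 } = {}) {
  const byUser = new Map();
  for (const e of events) {
    const list = byUser.get(e.user) || [];
    list.push({ ...e, t: Date.parse(e.ts) });
    byUser.set(e.user, list);
  }
  const findings = [];
  for (const [user, evs] of byUser) {
    evs.sort((a, b) => a.t - b.t);
    let best = null, start = 0;
    for (let end = 0; end < evs.length; end++) {
      // Advance the window start until the window fits inside windowMs.
      while (evs[end].t - evs[start].t > windowMs) start++;
      const win = evs.slice(start, end + 1);
      if (!best || win.length > best.length) best = win;
    }
    if (best.length < minPrompts) continue;
    const unanswered = best.filter((e) => e.result !== 'approved').length;
    // An approval at the tail of the burst is exactly what the attacker was waiting for.
    const approvedAfterBurst =
      best[best.length - 1].result === 'approved' && unanswered >= minPrompts - 1;
    findings.push({ user, prompts: best.length, unanswered, approvedAfterBurst,
      severity: approvedAfterBurst ? 'critical' : 'high' });
  }
  return findings;
}
```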

2. Adversary-in-the-Middle (AiTM) Attacks

An attacker sets up a proxy that looks identical to a real login page. When you log in through it:

  1. The proxy relays your credentials to the real site
  2. The real site sends back a 2FA challenge — the proxy relays that too
  3. You enter your code; the proxy forwards it, the real site issues a logged-in session cookie, and the proxy captures that cookie on the way back
  4. The attacker replays that cookie from a clean browser, no further auth required

```
You → [Fake Proxy] → Real Site
             ↓
      Session Cookie stolen
             ↓
Attacker → [Replays Cookie] → Logged In
```

The session cookie is the key. Your 2FA was used — legitimately — to create a session the attacker now owns. The Verizon 2025 DBIR flags stolen session tokens as a growing proportion of breach vectors for exactly this reason.

Mitigation: Only passkeys and hardware security keys are immune to this. The browser binds the signed response to the origin it is actually connected to, so a response produced while you sit on the proxy's domain does not verify at the real site and the login simply fails.

3. SIM Swapping

An attacker calls your carrier posing as you — armed with info from data brokers or social media — and convinces a rep to transfer your number to a SIM they control. From that point, every SMS code sent to your phone goes to them instead.

No malware. Nothing on your device. The FTC has received thousands of SIM swap reports annually since 2021.

Mitigation: Move off SMS 2FA entirely for anything financial or high-value. Authenticator apps (Google Authenticator, Aegis, Authy) generate codes locally on your device — a SIM swap can't intercept them.

The 2FA Method Comparison

| Method | Stops Credential Stuffing | Stops Push Bombing | Stops AiTM | Stops SIM Swap |
|---|---|---|---|---|
| SMS OTP | | | | |
| Authenticator App (TOTP) | | | | |
| Push (standard) | | | | |
| Push + Number Matching | | | | |
| Hardware Key / Passkey | | | | |

What "Phishing-Resistant" Actually Means

Phishing-resistant MFA uses public-key cryptography: your device signs a challenge that the browser has bound to the real site's domain, so the proof is only valid there. There's no code to intercept, no push to trick you into approving, no SMS to redirect.

Both hardware security keys (YubiKey etc.) and passkeys qualify. FIDO Alliance reports 5 billion active passkeys worldwide as of 2026, and 68% of organizations surveyed are actively deploying them for employee sign-in. Google, Apple, and Microsoft have all made passkeys the default for new accounts.

The Practical Upgrade Path

You don't need to switch everything at once:

This week: Remove SMS 2FA from any financial account. Switch to an authenticator app — takes ~30 seconds per account in settings.

This month: Enable number matching on any push-based MFA app. Check your organization's Entra ID or Okta settings to confirm it's on.

When ready: Add a hardware key ($25–55 for a basic YubiKey) for email, password manager, and any admin access. Set up passkeys on Google, Apple, and GitHub — each takes under three minutes.


The goal isn't to scare you off 2FA — it's to make sure what you're running matches the current threat, not the threat from 2019. Getting off SMS and onto an authenticator app this week already moves you out of the most exploited tier.

Full breakdown with real breach examples: https://lucas8.com/mfa-fatigue-attack-two-factor-bypass
