You turned on MFA. Good. You are already ahead of most people. But here is the thing most security advice leaves out: MFA is a speed bump, not a brick wall. Attackers have been bypassing it for years, and the techniques are getting cheaper and easier to pull off.

If your organization is onboarding summer interns right now, or rolling out new accounts for seasonal hires, this is the worst possible time to assume MFA alone has you covered. Fresh accounts with default MFA settings are exactly what attackers look for.

Let's walk through the five bypass techniques that are actively being used in the wild, then talk about what actually works.

1. SIM Swapping

This one has been around for years and it is still working. A SIM swap attack happens when an attacker convinces your mobile carrier to transfer your phone number to a SIM card they control. Once they have your number, every SMS verification code arrives on their phone instead of yours.

The social engineering involved is surprisingly low-effort. Attackers call the carrier, pretend to be you, and provide enough personal information (often scraped from data breaches or social media) to pass the identity check. Some attacks skip social engineering entirely and bribe carrier employees directly. The FCC's SIM swap and port-out fraud rules, adopted in late 2023 and in effect since 2024, tightened the authentication carriers must perform before a transfer, but enforcement has been uneven and attacks continue.

If your MFA relies on SMS codes, a SIM swap turns it into a formality. The attacker has your password from a breach, they intercept your code, and they are in.

Who is at risk

Anyone using SMS-based MFA. High-value targets like executives, crypto holders, and IT administrators are the most common victims, but the technique scales to anyone.

2. Adversary-in-the-Middle (AitM) Phishing Proxies

This is the technique that breaks most MFA methods, including app-based TOTP codes. Tools like Evilginx and Modlishka make it accessible to attackers with moderate technical skill.

Here is how it works. The attacker sets up a phishing page that looks identical to the real login page. But instead of just collecting your credentials, the page acts as a transparent proxy. When you type your username and password, the proxy forwards them to the real site in real time. When the real site asks for your MFA code, the proxy shows you that prompt too. You enter the code, the proxy passes it through, and the real site authenticates the session.

Because the real site's responses also flow back through the proxy, the attacker captures the session cookie the site sets on successful login. From that point they do not need your password or your MFA code again. They inject the session token into their own browser and they are logged in as you.

AitM phishing does not "crack" MFA. It sidesteps it entirely by sitting between you and the real service, relaying everything in real time.

This technique is effective against SMS codes, authenticator app codes (TOTP), and even push notifications, with or without number matching, because the proxy simply relays whatever number the real site displays. The only MFA methods it cannot beat are hardware-bound, origin-checking methods like FIDO2 security keys and passkeys. More on that later.

3. MFA Fatigue (Push Bombing)

This one is embarrassingly simple. If your organization uses push-based MFA (where you get a notification on your phone and tap "Approve"), an attacker with your stolen password can just spam you with approval requests.

They send request after request after request. At 2 AM. During meetings. While you are driving. Eventually, someone taps "Approve" just to make it stop. That is all it takes.

The 2022 Uber breach used this exact technique. The attacker obtained an external contractor's stolen credentials, then bombarded them with push notifications for over an hour. The contractor finally approved one. The attacker was inside the network.

Why it still works

Microsoft turned on number matching (where you have to type a number displayed on the login screen instead of just tapping approve) by default for Microsoft Authenticator in 2023, and other push MFA vendors offer an equivalent, but it is still optional in many deployments. If your push MFA does not require number matching, you are vulnerable to this today. Number matching stops the bombing, not the proxy: an AitM page relays the number as easily as it relays a code.
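As an added illustration (not code from the original post or from any IdP vendor), here is a small push-bombing detector run over a constructed MFA event log. The event and field names (push_sent, push_denied, push_timeout, push_approved; user, ts) and the threshold of five prompts in ten minutes are assumptions to map onto your own IdP's sign-in or MFA logs. It flags the burst itself at medium severity and, more importantly, an approval that lands while the burst is still inside the window, which is the outcome you actually want paged on.

```javascript
// Push-bombing burst detector, added as an illustration (not code from the
// original post or from any vendor). Event names, field names and thresholds
// are assumptions; map them onto your IdP's MFA/sign-in log schema.
const BURST_WINDOW_MS = 10 * 60 * 1000; // count prompts in a trailing 10-minute window
const BURST_THRESHOLD = 5;              // 5+ prompts in that window is a burst

// Constructed sample log: alice approves one normal prompt; bob is bombed and
// finally taps "Approve" after six prompts in five minutes.
const SAMPLE_EVENTS = [
  { ts: '2025-06-02T02:00:05Z', user: 'alice', event: 'push_sent' },
  { ts: '2025-06-02T02:00:15Z', user: 'alice', event: 'push_approved' },
  { ts: '2025-06-02T02:10:00Z', user: 'bob', event: 'push_sent' },
  { ts: '2025-06-02T02:10:45Z', user: 'bob', event: 'push_timeout' },
  { ts: '2025-06-02T02:11:00Z', user: 'bob', event: 'push_sent' },
  { ts: '2025-06-02T02:11:30Z', user: 'bob', event: 'push_denied' },
  { ts: '2025-06-02T02:12:00Z', user: 'bob', event: 'push_sent' },
  { ts: '2025-06-02T02:12:45Z', user: 'bob', event: 'push_timeout' },
  { ts: '2025-06-02T02:13:00Z', user: 'bob', event: 'push_sent' },
  { ts: '2025-06-02T02:13:45Z', user: 'bob', event: 'push_timeout' },
  { ts: '2025-06-02T02:14:00Z', user: 'bob', event: 'push_sent' },
  { ts: '2025-06-02T02:14:45Z', user: 'bob', event: 'push_timeout' },
  { ts: '2025-06-02T02:15:00Z', user: 'bob', event: 'push_sent' },
  { ts: '2025-06-02T02:15:20Z', user: 'bob', event: 'push_approved' },
];

// Returns alerts in time order. Two rules:
//   push_burst           (medium): threshold reached inside the window, once per episode
//   approval_after_burst (high):   an approval while the window still holds a burst,
//                                  i.e. the classic fatigue outcome
function detectPushBombing(events, { windowMs = BURST_WINDOW_MS, threshold = BURST_THRESHOLD } = {}) {
  const alerts = [];
  const state = new Map(); // user -> { prompts: [epoch ms...], burstAlerted: bool }
  const sorted = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));

  for (const e of sorted) {
    const t = Date.parse(e.ts);
    if (!state.has(e.user)) state.set(e.user, { prompts: [], burstAlerted: false });
    const s = state.get(e.user);
    // keep only prompts inside the trailing window
    s.prompts = s.prompts.filter((p) => t - p <= windowMs);

    if (e.event === 'push_sent') {
      s.prompts.push(t);
      if (s.prompts.length >= threshold && !s.burstAlerted) {
        s.burstAlerted = true;
        alerts.push({ severity: 'medium', rule: 'push_burst', user: e.user, ts: e.ts, prompts: s.prompts.length });
      }
    } else if (e.event === 'push_approved') {
      if (s.prompts.length >= threshold) {
        alerts.push({ severity: 'high', rule: 'approval_after_burst', user: e.user, ts: e.ts, prompts: s.prompts.length });
      }
      // an approval closes the episode either way; start counting afresh
      s.prompts = [];
      s.burstAlerted = false;
    }
    // push_denied / push_timeout add no state here. In production a denied
    // prompt deserves its own low-severity alert: the user explicitly refused it.
  }
  return alerts;
}

// Stand-alone run: prints the two alerts for bob and nothing for alice.
for (const a of detectPushBombing(SAMPLE_EVENTS)) console.log(JSON.stringify(a));
```

The window and threshold are deliberately conservative. Tune them against a week of your own logs before alerting; the high-severity rule (an approval after a burst) is the one to wire straight to a responder, since by the time it fires the attacker has a session.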

4. SS7 Interception

SS7 (Signaling System 7) is the protocol that telecom networks use to route calls and text messages. It was designed in the 1970s, and its security assumptions reflect that era. There is essentially no authentication between network nodes.

An attacker with access to the SS7 network (access that has reportedly been resold by shady telecom intermediaries for a few hundred dollars) can intercept SMS messages in transit. They do not need to swap your SIM or compromise your phone. They just redirect your text messages at the network level.

This is not theoretical. SS7 attacks have been documented against banks in Germany, political figures, and cryptocurrency wallets. The US government has acknowledged SS7 vulnerabilities for over a decade, but the protocol is deeply embedded in global telecom infrastructure and cannot be easily replaced.

For most individuals, SIM swapping is a more likely threat than SS7 interception. But for high-value targets and nation-state level attacks, SS7 exploitation is a proven technique.

5. Session Token Theft (Post-Authentication)

This bypass does not attack MFA during login. It attacks what happens after login.

Once you successfully authenticate (password plus MFA), the service issues a session token, usually stored as a cookie in your browser. That token is what keeps you logged in. If an attacker can steal that token, they can import it into their own browser and access your account without ever needing your credentials or MFA code.

How tokens get stolen

Section 2 already showed one route: an AitM proxy sees the cookie in the real site's response on its way back to you. The other common route is the endpoint itself. Infostealer malware running under your user account goes after the browser's cookie store, and a malicious browser extension can read cookies for any site it has been granted access to. Neither path ever has to ask for a password or a code.

The uncomfortable truth is that MFA protects the front door, but session tokens are the keys you leave on the kitchen counter. If your endpoint is compromised, MFA becomes irrelevant.
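Once you accept that the token, not the login, is the target, detection has to look at how the token is used after login. As an added illustration (not code from the original post), here is a session-replay detector run over a constructed web access log. The field names (sid, ip, ua, ts, path), the sample requests and the IP addresses (documentation ranges) are assumptions; the idea is that a copied cookie cannot change the client it is presented from, so a session that suddenly appears in a different browser, or is used from two clients at once, is the signal.

```javascript
// Session-replay detector, added as an illustration (not code from the original
// post). It keys on the one thing a stolen cookie cannot change: the request
// still has to come from somewhere. Field names are assumptions; adapt them to
// your access-log schema (session id, client IP, User-Agent, timestamp, path).

// Constructed sample: alice's session s1 is used from her laptop, then from a
// second client with a different browser on a different network, then from the
// laptop again (both clients are live at once). bob's s2 only moves IP address
// with the same browser, which is normal for a phone changing networks.
const SAMPLE_REQUESTS = [
  { ts: '2025-06-02T09:00:00Z', sid: 's1', ip: '203.0.113.10', ua: 'Mozilla/5.0 (Windows NT 10.0) Chrome/125.0', path: '/mail' },
  { ts: '2025-06-02T09:00:30Z', sid: 's1', ip: '203.0.113.10', ua: 'Mozilla/5.0 (Windows NT 10.0) Chrome/125.0', path: '/mail/inbox' },
  { ts: '2025-06-02T09:01:00Z', sid: 's1', ip: '203.0.113.10', ua: 'Mozilla/5.0 (Windows NT 10.0) Chrome/125.0', path: '/mail/inbox' },
  { ts: '2025-06-02T09:02:00Z', sid: 's2', ip: '203.0.113.20', ua: 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_5) Safari/605.1', path: '/mail' },
  { ts: '2025-06-02T09:03:00Z', sid: 's2', ip: '198.51.100.5', ua: 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_5) Safari/605.1', path: '/mail/inbox' },
  { ts: '2025-06-02T09:05:00Z', sid: 's1', ip: '198.51.100.77', ua: 'Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0', path: '/settings/forwarding' },
  { ts: '2025-06-02T09:05:30Z', sid: 's1', ip: '203.0.113.10', ua: 'Mozilla/5.0 (Windows NT 10.0) Chrome/125.0', path: '/mail/inbox' },
];

// Returns alerts in time order. Rules:
//   session_used_from_new_browser (high): same session id, different User-Agent
//   session_ip_changed            (low):  same browser, new IP (mobile churn is normal)
//   session_concurrent_clients    (high): requests alternate between two clients
function detectSessionReplay(requests) {
  const alerts = [];
  const sessions = new Map(); // sid -> { first: {ip, ua}, seen: Set(clientKey), last: clientKey, concurrentAlerted }
  const sorted = [...requests].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));

  for (const r of sorted) {
    const key = `${r.ip}|${r.ua}`;
    let s = sessions.get(r.sid);
    if (!s) {
      // first sighting of this session: record the client it was issued to
      s = { first: { ip: r.ip, ua: r.ua }, seen: new Set([key]), last: key, concurrentAlerted: false };
      sessions.set(r.sid, s);
      continue;
    }
    if (!s.seen.has(key)) {
      s.seen.add(key);
      // A different browser identity is the strong signal: a cookie does not
      // change its User-Agent on its own; a copied cookie in another browser does.
      if (r.ua !== s.first.ua) {
        alerts.push({ severity: 'high', rule: 'session_used_from_new_browser', sid: r.sid, ts: r.ts,
          from: s.first, to: { ip: r.ip, ua: r.ua }, path: r.path });
      } else {
        alerts.push({ severity: 'low', rule: 'session_ip_changed', sid: r.sid, ts: r.ts, from: s.first.ip, to: r.ip });
      }
    } else if (key !== s.last && !s.concurrentAlerted) {
      // Back to a previously seen client after another one used the session:
      // two clients are interleaving on one token. A user switching devices
      // does not normally produce this within a single session.
      s.concurrentAlerted = true;
      alerts.push({ severity: 'high', rule: 'session_concurrent_clients', sid: r.sid, ts: r.ts, clients: [...s.seen] });
    }
    s.last = key;
  }
  return alerts;
}

// Stand-alone run: one low alert for bob's phone, two high alerts for alice's session.
for (const a of detectSessionReplay(SAMPLE_REQUESTS)) console.log(JSON.stringify(a));
```

Raw IP comparison is the weakest part of this and is kept at low severity on purpose; in production compare ASN or rough geolocation instead, and add the path being requested to the alert (the forwarding-rule change in the sample is exactly the kind of action a replayed session goes for). The real fix is the one the business section describes: tie the session to the device so a copied cookie is not enough.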


MFA Methods Ranked: Weakest to Strongest

Not all MFA is created equal. Here is a straightforward ranking based on resistance to the attacks described above.

MFA method                              Strength   Vulnerable to
SMS OTP                                 Weak       SIM swap, SS7 interception, AitM phishing
Email OTP                               Weak       Mailbox compromise, AitM phishing
TOTP authenticator app                  Moderate   AitM phishing, malware that steals the seed
Push notification (no number match)     Moderate   MFA fatigue, AitM phishing
Push notification (with number match)   Moderate   AitM phishing (the proxy relays the number too); resists push bombing
FIDO2 hardware key (YubiKey, etc.)      Best       Physical theft of the key, and then only with its PIN or touch
Passkeys (device-bound)                 Best       Compromise of the device that holds the passkey

The dividing line is clear. Everything below FIDO2 and passkeys can be phished. SMS and email OTP are security theater at this point. They are better than nothing, but not by as much as people think.

If your "two-factor" is a six-digit code texted to your phone, an attacker with a $20 phishing kit can capture it in real time and use it before it expires. That is not security. That is a false sense of security.

Why FIDO2 and Passkeys Win

FIDO2 security keys (like a YubiKey) and passkeys resist phishing because they are cryptographically bound to the origin. When you register a security key with Google, the credential is scoped to google.com (the relying party ID), and every signature the key produces covers the origin the browser actually saw. If an attacker sends you to g00gle-login.com, the browser refuses to ask the key at all, because the domain does not match, and anything signed on that page would name the wrong origin and be rejected by Google's servers. There is no code to intercept, no notification to approve, and no user decision to get wrong.

This is not a human discipline problem. It is a protocol-level guarantee. The key checks the domain automatically. AitM proxies fail because the proxy domain does not match the registered origin. SIM swaps are irrelevant because there is no phone number involved. Push bombing is impossible because there is no push notification.

Passkeys work on the same principle but are stored on your device (phone, laptop, or password manager) instead of a separate hardware key. They are more convenient but slightly less secure than a dedicated hardware key, since they depend on the security of the host device, and synced passkeys additionally depend on the security of the cloud account that syncs them.


How to Set Up a YubiKey on Your Top 5 Accounts

If you are ready to move past phishable MFA, here is how to set up a FIDO2 security key on the accounts that matter most.

Google / Gmail

  1. Go to myaccount.google.com and navigate to Security
  2. Under "How you sign in to Google," select 2-Step Verification
  3. Click "Add security key" and insert your YubiKey when prompted
  4. Name the key and complete registration
  5. Enroll a second backup key if you have one

Microsoft 365 / Outlook

  1. Go to account.microsoft.com and select Security
  2. Choose "Advanced security options"
  3. Under "Ways to prove who you are," select "Add a new way to sign in"
  4. Choose "Use a security key" and follow the prompts to register your YubiKey

GitHub

  1. Go to Settings, then Password and Authentication
  2. Under "Two-factor methods," click "Register new security key"
  3. Insert your YubiKey, tap it when it blinks, and name it
  4. GitHub has also supported passkeys natively since 2023

AWS (IAM)

  1. Sign in to the AWS Console and go to IAM
  2. Select your user, then the "Security credentials" tab
  3. Under "Multi-factor authentication," click "Assign MFA device"
  4. Select "Security key" and follow the enrollment flow
  5. For root accounts, this should be your top priority

Password Manager (1Password, Bitwarden)

  1. In 1Password: go to Settings, then Security, then "Set up two-factor authentication" and register your key
  2. In Bitwarden: go to Settings, then Security, then "Two-step login," and enable FIDO2 WebAuthn
  3. This is arguably the most important account to protect, since it holds the keys to everything else

Pro tip: Always register two security keys. Keep the backup in a safe or safety deposit box. If you lose your primary key, you do not want to be locked out of every account.


For Businesses: Enforce Phishing-Resistant MFA with Conditional Access

Individual account hardening is a good start, but businesses need to enforce phishing-resistant MFA at the policy level. Relying on employees to make the right security choices is a strategy that fails at scale.

Why this matters during onboarding season

Summer interns and new hires are the highest-risk accounts in your environment. They are unfamiliar with your systems, they have not built security habits specific to your organization, and they are the most likely to fall for phishing or approve a rogue push notification. If you are onboarding people right now and handing them accounts with SMS MFA, you are creating the exact attack surface that threat actors look for.

What to do in Microsoft Entra ID (Azure AD)

  1. Create a Conditional Access policy that requires phishing-resistant MFA (authentication strength = "Phishing-resistant MFA") for all users accessing sensitive resources
  2. Block legacy authentication protocols that cannot support modern MFA
  3. Require compliant devices. The device claim comes from the managed device itself, not from the browser cookie, so a replayed sign-in session from an unmanaged machine is denied (an access token that was already issued still works until it expires, which is what CAE below addresses)
  4. Shorten the window for session token theft with Conditional Access sign-in frequency and persistent browser session controls (refresh and session token lifetimes are no longer configurable through token lifetime policies)
  5. Enable Continuous Access Evaluation (CAE) so supported apps revoke access tokens in near-real-time when a user is disabled, a password changes, or risk is detected

What to do in Google Workspace

  1. Go to Admin Console, then Security, then Authentication
  2. Under "2-Step Verification," set enforcement to "Security key only" for high-risk groups
  3. Disable SMS and voice call verification as allowed methods
  4. Enroll users in Google's Advanced Protection Program for maximum hardening

General policy recommendations

The goal is not to make MFA harder for your employees. It is to make MFA useless for attackers. Phishing-resistant methods do both.


The Bottom Line

MFA is not broken. But the most common implementations of MFA have known, exploitable weaknesses. SMS codes are the worst offenders, but even authenticator apps and push notifications can be bypassed by a motivated attacker with the right tools.

The fix is not to abandon MFA. It is to upgrade to phishing-resistant methods. FIDO2 hardware keys and passkeys are the only widely available MFA methods that hold up against the attack techniques above. Everything else is a compromise.

If you are a business, enforce it at the policy level. If you are an individual, start with your most important accounts and work down. Either way, stop treating SMS codes as real security. In 2025, they are not.