Measuring MFA’s Defensive Muscle in 2025

A.R. Perez, Netlok. 7/8/2025

Multi-factor authentication (MFA) was once hailed as a near-perfect shield, yet recent headline breaches prove attackers are not only slipping past it—they are doing so at an accelerating pace. This report ranks today’s most common MFA combinations from weakest to strongest and quantifies the sharp rise in MFA-related attacks between 2023 and 2025. It should be noted that Photolok® (a passwordless MFA factor that uses proprietary-coded photos) is not included in this analysis.

Why MFA Strength Varies

Every MFA scheme marries at least two factors—knowledge (password/PIN), possession (token/phone), or inherence (biometric). Security depends on:

  • Transport security (Is any secret sent over a channel that can be intercepted?)
  • Phishing resistance (Can the user’s factor be replayed to a fake site?)
  • Device binding (Is the factor cryptographically locked to a specific device?)
  • User behavior (Can social engineering or “MFA fatigue” trick users into approving?)

Ranking MFA Combinations

Rank 8 (strongest): Hardware passkey + on-device biometric (FIDO2/WebAuthn)
  Core weaknesses: None; factor data never leaves the device, resisting phishing and replay 1, 2
  Core strengths: Cryptographic challenge tied to hardware; biometric unlock 3, 4
  Verdict: Phishing-resistant, passwordless gold standard

Rank 7: Password + hardware security key (FIDO2/U2F)
  Core weaknesses: Requires the user to manage a key inventory
  Core strengths: Cryptographic possession factor blocks replay 5, 1
  Verdict: Best “password-plus” model

Rank 6: Password + smart-card/PKI token (PIV/CAC)
  Core weaknesses: Complex deployment and driver issues
  Core strengths: Mutual certificate validation; device binding 2
  Verdict: Enterprise-grade where supported

Rank 5: Password + platform biometric (e.g., Windows Hello, Face ID)
  Core weaknesses: Biometric unlock is local; the underlying session can be phished if fallback to a password is allowed 4
  Core strengths: User-friendly; device-tied secrets 6
  Verdict: Good for mainstream use but still password-dependent

Rank 4: Password + number-matching push or TOTP hardware token
  Core weaknesses: Phishable one-time codes; token theft possible 7, 8
  Core strengths: Short validity window; no SMS channel
  Verdict: Mid-level protection

Rank 3: Password + generic authenticator-app TOTP (30-second code)
  Core weaknesses: Real-time phishing proxies capture the code 9
  Core strengths: No carrier reliance; easy rollout 7
  Verdict: Better than SMS, still phishable

Rank 2: Password + push notification (“Approve/Deny”)
  Core weaknesses: MFA-fatigue bombing and social-engineered approvals 10, 11
  Core strengths: User convenience
  Verdict: Frequently bypassed by prompt bombing

Rank 1 (weakest): Password + SMS/voice code
  Core weaknesses: SIM swap, SS7 interception, no encryption 12, 13
  Core strengths: Universal availability
  Verdict: Should be phased out per CISA and NIST guidance 2, 14

Key Takeaways

  • SMS and voice codes are now the attacker’s easiest door. SIM-swapping and SS7 attacks routinely hijack these one-time codes 12, 13.
  • Push bombing moved classic push to “low trust.” Repeated prompts trick users into approvals; number-matching mitigates but doesn’t eliminate risk 10, 9.
  • TOTP is safer than SMS but still phishable. Transparent reverse-proxy kits like EvilProxy harvest codes in real time 9.
  • Phishing-resistant authentication begins with FIDO2/WebAuthn. Hardware-backed keys or passkeys neutralize man-in-the-middle attacks by binding credentials to the correct origin 12.
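The origin binding in the last takeaway is what a relying party actually checks before trusting a FIDO2/WebAuthn assertion. The following Python is an added illustration (not code from the article or any FIDO library): the relying-party ID, origin, challenge and look-alike proxy domain are constructed for the example, and the final public-key signature check is left out so the focus stays on why a relayed login fails.

```python
import base64
import hashlib
import json

# Constructed values for this example (not from the article): the relying
# party's registered ID and origin, and the one-time challenge it issued.
RP_ID = "bank.example"
EXPECTED_ORIGIN = "https://bank.example"
ISSUED_CHALLENGE = b"constructed-challenge-0001"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Mimic what the browser and authenticator return: clientDataJSON
    records the origin the browser actually saw; authenticatorData starts
    with SHA-256(rpId), a flags byte (bit 0 = user present) and a counter."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + b"\x01" + (7).to_bytes(4, "big"))
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def verify_assertion(assertion: dict) -> tuple:
    """Relying-party checks that give FIDO2 its phishing resistance. A full
    verifier then validates the signature over authData || SHA-256(clientDataJSON)
    with the stored public key; that step is omitted here."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(ISSUED_CHALLENGE):
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    auth = assertion["authenticatorData"]
    if auth[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"


# A login on the genuine site passes. The same ceremony relayed through an
# adversary-in-the-middle proxy on a look-alike domain carries that proxy's
# origin and rpId, so the relying party refuses it despite the real challenge.
GENUINE = make_assertion(EXPECTED_ORIGIN, RP_ID, ISSUED_CHALLENGE)
PROXIED = make_assertion("https://bank-example.login.invalid",
                         "bank-example.login.invalid", ISSUED_CHALLENGE)
```

A TOTP or push approval carries no equivalent of the origin field, which is why the reverse-proxy kits in the previous takeaway can forward those factors unchanged.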

The Surge in MFA-Focused Attacks (2023-2025)

2023: Okta “State of Secure Identity 2023”
  Metric reported: 12.7% of all MFA attempts on Okta’s Customer Identity Cloud were outright bypass attacks 15
  Indicator of MFA attack activity: Baseline showing bypass in production traffic

2023: Kroll “Rise in MFA Bypass” (Oct 2023)
  Metric reported: 90% of BEC cases investigated had MFA in place when accounts were compromised 16
  Indicator of MFA attack activity: Confirms attackers pivoting to MFA-enabled targets

2024: Cisco Talos IR Q1 2024
  Metric reported: ≈50% of incident-response cases involved failure or bypass of MFA controls 10, 17
  Indicator of MFA attack activity: Doubling of bypass prevalence over the 2023 baseline

2024: Proofpoint “State of the Phish 2024”
  Metric reported: Phishing frameworks such as EvilProxy observed in ≈1 million threats per month, explicitly harvesting MFA cookies 18
  Indicator of MFA attack activity: Commodity kits fueling large-scale bypass

2025: Netrix Global “New Wave of MFA Bypass Attacks” (Jun 2025)
  Metric reported: Reports a “surge” but gives no percentage; corroborated by FRSecure IR 2024-25, where 79% of BEC victims had correctly implemented MFA yet were breached 19
  Indicator of MFA attack activity: MFA bypass now dominant in BEC incidents

2025: eSentire Q1 2025 Report
  Metric reported: BEC attacks (often MFA bypass via Tycoon 2FA) rose 60% YoY, now 41% of all attacks 20
  Indicator of MFA attack activity: Attack volume and proportion at an all-time high

Visualizing the Climb

Year | Reported MFA-attack rate* | Year-over-year change
2023 | 12.7%–90% depending on vertical (baseline) | —
2024 | ≈50% of IR cases involve MFA bypass 10, 17 | +~35 pp from Okta baseline
2025 | 79% of BEC victims breached despite MFA 19 | +29 pp vs 2024 IR data

*Rates come from different datasets (CIAM traffic, IR engagements, BEC breaches). While scopes vary, all show the same climbing trajectory.

Why the Rate Keeps Rising

Commodity Phishing-as-a-Service (PhaaS)

  • Kits like Tycoon 2FA and EvilProxy package adversary-in-the-middle techniques for less than $300 20, 21.
  • No elite skills required; proxy auto-captures TOTP, push, and even session cookies.

Token Theft & Session Hijacking

  • Malware or browser extensions steal stored cookies, rendering second factors moot 9, 19.
  • Stolen session tokens sell in criminal markets for as little as $10 per corporate user 20.

MFA Fatigue & Social Engineering

  • Push-bombing remains effective: Uber, Microsoft, and EA all fell to approval spamming 11, 9.
  • Help-desk impersonation convinces IT staff to reset credentials or enroll attacker devices 16.

Weak Factor Mix

  • SMS remains the default in consumer apps—96% of Coinbase account-takeover victims relied on SMS OTP 13.
  • Many enterprises lack Conditional Access or token-binding, letting hijacked sessions roam free 22.

Hardening the Human-Machine Perimeter

1. Phase Out Legacy Factors

  • Block SMS/voice codes for privileged accounts; require authenticator apps or keys instead 12, 2.

2. Enforce Phishing-Resistant MFA

  • Deploy FIDO2/WebAuthn passkeys or security keys for all admins and high-risk roles 12.
  • Use token-binding or Microsoft Entra ID’s token protection to neutralize session-theft attacks 22.

3. Strengthen Push Workflows

  • Mandate number-matching or challenge-response for any push-based approvals 9.
  • Limit consecutive push requests and alert security operations on excessive prompts 11.
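Both push-workflow controls above (capping consecutive prompts, and alerting when a burst is followed by an approval) can be expressed over an identity provider's push log. The Python below is an added example, not code from the article or any IdP: the log lines, the two-minute window and the three-prompt quota are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simplified "timestamp user event" form (not
# from any real IdP): alice receives a burst of prompts and finally approves.
SAMPLE_LOG = """\
2025-07-08T09:00:01Z alice push_sent
2025-07-08T09:00:05Z alice push_denied
2025-07-08T09:00:09Z alice push_sent
2025-07-08T09:00:12Z alice push_denied
2025-07-08T09:00:20Z alice push_sent
2025-07-08T09:00:31Z alice push_sent
2025-07-08T09:00:40Z alice push_sent
2025-07-08T09:00:58Z alice push_approved
2025-07-08T09:01:00Z bob push_sent
2025-07-08T09:01:07Z bob push_approved
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
WINDOW = timedelta(minutes=2)
MAX_PROMPTS = 3  # prompts allowed per user inside WINDOW (assumed policy value)


def parse(log: str):
    for line in log.splitlines():
        ts, user, event = line.split()
        yield datetime.strptime(ts, TS_FMT), user, event


def allow_push(user: str, log: str, now_iso: str) -> bool:
    """Pre-send gate: refuse another prompt once MAX_PROMPTS have already
    gone out to this user inside the window ending at now_iso."""
    now = datetime.strptime(now_iso, TS_FMT)
    recent = [ts for ts, u, e in parse(log)
              if u == user and e == "push_sent"
              and timedelta(0) <= now - ts <= WINDOW]
    return len(recent) < MAX_PROMPTS


def detect_push_bombing(log: str) -> dict:
    """Post-hoc detection for the SOC: per user, the largest prompt burst
    inside WINDOW and whether an approval followed it (the case to escalate)."""
    sends = defaultdict(list)
    findings = {}
    for ts, user, event in parse(log):
        if event == "push_sent":
            sends[user] = [t for t in sends[user] if ts - t <= WINDOW] + [ts]
            if len(sends[user]) > MAX_PROMPTS:
                f = findings.setdefault(user, {"prompts": 0, "approved_after_burst": False})
                f["prompts"] = max(f["prompts"], len(sends[user]))
        elif event == "push_approved" and user in findings:
            findings[user]["approved_after_burst"] = True
    return findings
```

With the gate in place alice's fourth prompt would never have been sent; the detector is the fallback for environments where the IdP cannot enforce the cap itself.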

4. Layer Conditional Access & Risk-Based Controls

  • Require device compliance, geolocation heuristics, and continuous session monitoring to catch hijacked tokens in flight 22.

5. Educate to Eradicate MFA Fatigue

  • Simulate AiTM phishing and push-bomb drills so users recognize and report anomalies 23, 16.
  • Reinforce “never approve unexpected prompts” in monthly training cycles.

Conclusion

Attackers’ ability to sidestep MFA has grown from isolated exploits in 2023 to industrial-scale commodity services in 2025. Organizations that cling to password-plus-SMS or push-only MFA now occupy the bottom rung of the strength ladder and face a sharply rising threat curve. Yet the solution is within reach: broad adoption of phishing-resistant, device-bound authentication—coupled with risk-aware access controls—flips the cost curve back onto the attacker. Upgrade the factors, shrink the attack surface, and keep users from approving the next rogue prompt. One novel method of upgrading factors is Photolok, a passwordless factor that uses steganographically coded photos; it also protects against AI/ML attacks and, due to its unique architecture, against lateral-movement penetrations.

  1. https://fidoalliance.org/fido2/
  2. https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
  3. https://www.trout.software/resources/tech-blog/fido2-and-passkeys-the-future-of-mfa-for-critical-infrastructure
  4. https://www.security.com/blogs/expert-perspectives/secret-phishing-resistant-authentication
  5. https://hideez.com/blogs/news/fido2-explained
  6. https://tjdeed.com/combating-phishing-attacks-with-passwordless-fido2-authentication/
  7. https://stytch.com/blog/totp-vs-sms/
  8. https://rublon.com/blog/sms-vs-totp/
  9. https://www.menlosecurity.com/blog/the-art-of-mfa-bypass-how-attackers-regularly-beat-two-factor-authentication
  10. https://www.cybersecuritydive.com/news/mfa-multi-factor-authentication-cisco-talos-cyber/719254/
  11. https://www.sapphire.net/blogs-press-releases/the-rise-of-mfa-fatigue-attacks/
  12. https://cyberhoot.com/blog/top-five-risks-from-sms-based-mfa/
  13. https://www.authsignal.com/blog/articles/why-sms-based-authentication-is-no-longer-enough-for-secure-account-protection
  14. https://community.ring.com/en_GB/conversations/general-topics/multifactor-authentication-using-sms-is-the-least-secure/6580381451f6e6fe78d31ec5
  15. https://www.okta.com/newsroom/articles/key-findings-from-our-2023-state-of-secure-identity-report/
  16. https://www.kroll.com/en/insights/publications/cyber/mfa-bypass-leads-to-account-compromise
  17. https://www.descope.com/learn/post/mfa-bypass
  18. https://www.infosecurity-magazine.com/news/orgs-inected-ransomware-2023/
  19. https://frsecure.com/blog/token-theft-attacks-mfa-defeat/
  20. https://www.theregister.com/2025/07/07/phishing_platforms_infostealers_blamed_for/
  21. https://blog.talosintelligence.com/state-of-the-art-phishing-mfa-bypass/
  22. https://www.egroup-us.com/news/microsoft-entra-id-security-2025/
  23. https://www.waterisac.org/portal/ransomware-resilience-%E2%80%93-mfa-bypass-seen-largest-attack-vector-ransomware-attacks
  24. https://www.rsa.com/wp-content/uploads/rsa-top-trends-in-identity-2025.pdf
  25. https://jumpcloud.com/blog/multi-factor-authentication-statistics
  26. https://www.enzoic.com/blog/microsoft-digital-defense-report-mfa-vulnerabilities/
  27. https://netrixglobal.com/blog/cybersecurity/navigating-the-new-wave-of-mfa-bypass-attacks-in-2025/?category=office+365%2Co365%2Coffice+365+pnp
  28. https://expertinsights.com/user-auth/multi-factor-authentication-statistics
  29. https://www.oasis.security/resources/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass
  30. https://emudhra.com/en-us/blog/mfa-solutions-trends-to-watch-out-for-in-2025
  31. https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023
  32. https://www.greystoneprograms.org/post/cyber-security-trends-in-2025
  33. https://www.rapid7.com/blog/post/2025/04/10/password-spray-attacks-taking-advantage-of-lax-mfa/
  34. https://www.forbes.com/sites/daveywinder/2024/12/25/google-and-microsoft-users-warned-as-new-2fa-bypass-attacks-reported/
  35. https://www.rsa.com/resources/blog/multi-factor-authentication/the-future-of-mfa-adaptive-authentication-and-other-trends/
  36. https://keepnetlabs.com/blog/understanding-mfa-phishing-protection-measures-and-key-statistics
  37. https://www.cisa.gov/resources-tools/resources/phishing-resistant-multi-factor-authentication-mfa-success-story-usdas-fast-identity-online-fido
  38. https://www.creative-n.com/blog/mfa-fatigue-attacks-what-are-they-and-how-can-your-business-combat-them/
  39. https://vanishid.com/2023/09/07/kroll-august-2023-sim-swap-attack/
  40. https://explodingtopics.com/blog/multi-factor-authentication-stats
  41. https://www.f5.com/labs/articles/threat-intelligence/2023-identity-threat-report-the-unpatchables
  42. https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/q2-2023-threat-landscape-report-supply-chain-infiltrations
  43. https://www.statista.com/statistics/1458607/mfa-account-takeover-global/
  44. https://www.reddit.com/r/cybersecurity/comments/13pu8ds/the_problem_with_smsbased_mfa_in_2023_and/
  45. https://www.kroll.com/-/media/kroll/pdfs/publications/q2-2023-threat-landscape-report-supply-chain-infiltrations.pdf
  46. https://cyberwyoming.org/insights-from-the-itrc-2024-data-breach-report-mfa/
  47. https://www.army.mil/article/280598/secure_our_world_cecom_recommends_enabling_multifactor_authentication_to_enhance_cybersecurity
  48. https://www.prove.com/blog/prove-identity-2023-state-of-mfa-report-consumer-attitudes-multi-factor-authentication
  49. https://www.swidch.com/resources/blogs/2fa-mfa-the-good-the-bad-the-ugly
  50. https://www.menlosecurity.com/press-releases/browser-based-phishing-attacks-increased-198-in-2023-as-threat-actors-grow-more-evasive-menlo-security-research-finds
  51. https://hub.wpi.edu/spread/148/secure-it-october-2023
  52. https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/q4-2023-threat-landscape-report-threat-actors-breach-outer-limits
  53. https://www.infosecurity-magazine.com/news/majority-compromises-stolen/
  54. https://www.ibm.com/thought-leadership/institute-business-value/en-us/report/2025-threat-intelligence-index
  55. https://www.reddit.com/r/msp/comments/1jr46aw/365_account_comprise_bypassing_mfa_and_sending/
  56. https://hoxhunt.com/blog/business-email-compromise-statistics
  57. https://www.isaca.org/resources/news-and-trends/industry-news/2025/will-mfa-redefine-cyberdefense-in-the-21st-century
  58. https://www.indusface.com/blog/key-cybersecurity-statistics/
  59. https://blog.lastpass.com/posts/business-email-compromise
  60. https://blueprint.asd.gov.au/configuration/entra-id/protection/risky-activities/multifactor-authentication/account-lockout/
  61. https://www.scworld.com/feature/how-attackers-outsmart-mfa-in-2025
  62. https://hoxhunt.com/guide/phishing-trends-report
  63. https://learn.microsoft.com/en-us/partner-center/security/security-at-your-organization
  64. https://arcticwolf.com/resources/blog/defending-against-business-email-compromise/
  65. https://www.cobalt.io/blog/top-cybersecurity-statistics-2025
  66. https://www.huntress.com/blog/cybersecurity-statistics
  67. https://www.linkedin.com/pulse/business-email-compromise-bec-most-expensive-youll-xutwc
  68. https://www.intrust-it.com/understanding-mfa-bypass-attacks/
  69. https://www.reddit.com/r/privacy/comments/rf0xno/is_2fa_with_authenticator_apps_really_more_secure/
  70. https://rokibulroni.com/blog/fido2-passkeys-modern-authentication-2025/
  71. https://www.corbado.com/blog/best-fido2-hardware-security-keys
  72. https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/phishing-resistant-auth.htm
  73. https://www.cyberseclabs.org/best-fido2-hardware-security-token/
  74. https://www.pcmag.com/picks/best-hardware-security-keys
  75. https://www.idmanagement.gov/playbooks/altauthn/
  76. https://jumpcloud.com/blog/totp-mfa
  77. https://www.nytimes.com/wirecutter/reviews/best-security-keys/
  78. https://cybersecurityventures.com/multi-factor-authentication-is-not-99-percent-effective/
  79. https://nordlayer.com/blog/cybersecurity-statistics-of-2024/