MFA was the right answer until attackers found reliable ways around every common form of it. SMS codes can be SIM-swapped. TOTP codes can be phished in real time. Push notifications can be fatigue-attacked. The only MFA forms that resist all three are cryptographic and hardware-bound, or their software equivalent.
Analysis Briefing
- Topic: MFA bypass methods and phishing-resistant authentication
- Analyst: Mike D (@MrComputerScience)
- Context: A collaborative deep dive triggered by a reader question
- Source: Pithy Cyborg
- Key Question: Which MFA form actually stops account takeovers in 2026?
The Four MFA Bypass Methods in Active Use Today
Not all bypass methods require the same attacker effort. They run from targeted and labor-intensive to fully automated and scalable.
SIM swapping social engineers mobile carrier support into transferring your phone number to an attacker-controlled SIM. All SMS verification codes go to the attacker. Your phone loses service. The attacker resets passwords before you realize what happened. This requires direct attacker effort but is well-documented and frequently succeeds.
Real-time phishing proxies like Evilginx sit between you and the real login page, capturing your password and TOTP code simultaneously and using them immediately. TOTP-based MFA is fully bypassed by this technique. No carrier involvement required.
MFA fatigue attacks trigger push approval requests repeatedly, sometimes dozens in a row at inconvenient times including late at night. A percentage of victims eventually approve a request to make the notifications stop. Microsoft’s 2022 Lapsus$ incidents and Uber’s September 2022 breach both involved MFA fatigue as a contributing method.
Account recovery paths bypass MFA entirely without attacking it at all. Many services allow password reset via SMS or email. Attackers target recovery rather than MFA directly. This is the lowest-effort path and the one most organizations leave unexamined.
| MFA Method | Primary Vulnerability | Attacker Effort | Reliability in 2026 |
| --- | --- | --- | --- |
| SMS / Voice | SIM Swapping / Interception | Low (Social Engineering) | Obsolete: Easily bypassed at scale via automated tools. |
| Authenticator Apps (TOTP) | Real-time Phishing Proxies | Medium (Automated Kits) | Weakening: “Evilginx”-style kits make this transparent to the user. |
| Push Notifications | MFA Fatigue / Social Engineering | Medium (Volume Attack) | Unreliable: Depends entirely on human willpower and “alert fatigue.” |
| Passkeys / FIDO2 Keys | Physical Theft of Device | High (Targeted Physical) | Elite: Cryptographically bound to the real domain; immune to remote phishing. |
| Account Recovery | The “Backdoor” (Email/SMS) | Variable | The Critical Flaw: Can downgrade any of the above if not secured. |
When Upgrading MFA Is the Right First Step
Replacing SMS MFA with an authenticator app does not defeat real-time proxies but eliminates SIM swap vulnerability. It is the right immediate upgrade for any account that still uses SMS.
Passkeys and hardware security keys are the right upgrade for your highest-value accounts: email, financial institutions, and any account that can reset other accounts. Email is the master key to everything else.
For most individuals, passkeys are the practical path. They are free, built into modern phones and operating systems, and resist the same attacks as dedicated hardware keys. Hardware keys (such as a YubiKey) cost $25 to $60 and require carrying a physical device. Both options provide the same cryptographic protection. Use whichever you will actually deploy consistently.
What Phishing-Resistant MFA Actually Means
Passkeys and hardware security keys implementing FIDO2/WebAuthn are phishing-resistant by cryptographic design. The key performs a challenge-response that is domain-bound: it only works on the legitimate domain it was registered with.
A phishing proxy cannot capture a credential that only works on the real domain. A SIM swap does not affect a cryptographic key. A fatigue attack cannot succeed because there is no push notification to approve.
This is not a configuration setting or a best practice. It is a property of the cryptographic protocol. The protection is structural.
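The domain binding described above, as an added simulation that is not part of the original article: the browser writes the origin it is really on into clientDataJSON, the authenticator hashes the RP ID into authenticatorData, and the signature covers both, so a relying party can reject an assertion produced on a lookalike host even when a proxy relays it or patches the visible fields. The names example.com and example-login.evil are constructed, and an HMAC stands in for the real ES256 signature since the point is what gets signed, not the algorithm.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo values: the genuine relying party and a lookalike host an
# Evilginx-style proxy might serve. Neither comes from the article.
RP_ID = "example.com"
RP_ORIGIN = "https://example.com"
CRED_SECRET = hashlib.sha256(b"constructed-demo-credential").digest()  # shared at registration

def sha256(data):
    return hashlib.sha256(data).digest()

def browser_client_data(challenge, origin):
    # The browser, not the user, records the origin it is actually talking to.
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                       "origin": origin}).encode()

def authenticator_assert(rp_id, client_data):
    """Simulated authenticator: HMAC stands in for ES256, over authenticatorData || SHA-256(clientDataJSON)."""
    auth_data = sha256(rp_id.encode()) + b"\x01" + (0).to_bytes(4, "big")  # rpIdHash, flags (UP), counter
    sig = hmac.new(CRED_SECRET, auth_data + sha256(client_data), hashlib.sha256).digest()
    return {"authenticatorData": auth_data, "clientDataJSON": client_data, "signature": sig}

def rp_verify(challenge, a):
    """Relying-party checks in WebAuthn order: challenge, origin, rpIdHash, signature."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False, "challenge mismatch or replay"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')} is not {RP_ORIGIN}"
    ad = a["authenticatorData"]
    if ad[:32] != sha256(RP_ID.encode()):
        return False, "rpIdHash does not match this relying party"
    expected = hmac.new(CRED_SECRET, ad + sha256(a["clientDataJSON"]), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, a["signature"]):
        return False, "signature does not cover the presented data"
    return True, "ok"

def login_attempt(origin_seen_by_browser, proxy_patches_fields=False):
    """One login: the RP's fresh challenge reaches the browser directly or via a relay."""
    challenge = secrets.token_bytes(32)
    # The browser derives the RP ID from its own origin; a lookalike host cannot name example.com.
    rp_id = origin_seen_by_browser.split("://", 1)[1]
    assertion = authenticator_assert(rp_id, browser_client_data(challenge, origin_seen_by_browser))
    if proxy_patches_fields:  # relay rewrites origin and rpIdHash to look genuine before forwarding
        assertion["clientDataJSON"] = browser_client_data(challenge, RP_ORIGIN)
        assertion["authenticatorData"] = sha256(RP_ID.encode()) + assertion["authenticatorData"][32:]
    return rp_verify(challenge, assertion)
```

Only the genuine origin verifies; the relayed assertion fails on origin, and the patched one fails on the signature because the signed message included the original fields.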
Why Your Account Recovery Path May Undo Your MFA Entirely
MFA protects the front door. Account recovery is the back window. Many services allow you to bypass MFA entirely through a recovery path that sends a code to your phone number or backup email. If either of those is compromised, your MFA is irrelevant.
Audit the recovery settings on your most important accounts. What happens if you click “forgot password”? What secondary email or phone number is listed? When did you last verify those are still yours and still secure?
A strong MFA setup on an account with a weak recovery path is not a strong MFA setup. It is a strong front door with an unlocked window. Attackers target the window because most people never check it. This is the insight that most MFA guidance skips entirely, and it is where a meaningful share of account takeovers actually happen.
What This Means For You
- Replace SMS MFA with an authenticator app on every account that supports it as an immediate first step.
- Enable passkeys on email and financial accounts before anything else. If your device supports passkeys, this is the highest-impact upgrade available to you at no cost.
- Use a hardware security key for accounts where you want the strongest possible protection and are willing to manage a physical device.
- Audit account recovery paths. An MFA-protected account with a weak SMS recovery option is not MFA-protected.
