MFA Isn't Enough Anymore — and Here's What to Do About It

Multi-factor authentication used to be the gold standard for protecting business accounts. Add a second step beyond the password, and you stop most attackers cold. That's still true — but it's no longer the whole story.

Over the past 18 months, attackers have figured out how to bypass standard MFA at scale. If you're still relying on push notifications or six-digit codes as your only safeguard, your accounts are more exposed than you think.

How attackers get past MFA today

Three patterns account for most modern MFA bypass attempts:

  • MFA fatigue (push bombing). The attacker has your password and just keeps sending MFA push notifications until you tap "approve" — out of habit, out of confusion, or just to make your phone stop buzzing at 2 AM.
  • Adversary-in-the-middle phishing. A fake login page proxies your real login in real time. You type your password, you approve your MFA push on your real device, and the attacker captures the session cookie. Your second factor worked perfectly — for them.
  • SIM swap and SMS interception. SMS codes are still the most common second factor, and they're the least secure. A motivated attacker can transfer your phone number to their device in under an hour.

None of these are theoretical. They're the techniques driving most account compromises we see across our client base today.

What actually works in 2026

The good news: there are concrete steps that materially close these gaps. Most take less than a day to roll out.

  1. Use phishing-resistant MFA where it matters. For email, financial systems, and admin accounts, move from push or SMS to a hardware security key (YubiKey, Feitian) or a passkey. Both use cryptographic proof tied to the real domain — they don't get fooled by a lookalike login page.
  2. Turn off SMS as a fallback. If SMS is available as a backup, attackers will use it. Disable it. Keep one or two emergency recovery codes printed and stored physically.
  3. Enforce number matching for push approvals. Microsoft, Google, and Duo all support requiring the user to type a number shown on screen into the prompt. This single change kills 99% of push fatigue attacks.
  4. Set sign-in risk policies. Conditional access rules that block logins from unfamiliar countries, impossible-travel patterns, or risky IPs catch most adversary-in-the-middle attempts before they finish.
  5. Train your team on what they shouldn't approve. Most successful MFA bypasses end with a real person tapping "yes" on a push they didn't initiate. Five minutes of awareness training is one of the highest-ROI security investments you can make.
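Step 4's "impossible-travel" rule is easy to reason about once you see the arithmetic. The following is an added example, not code from the original post or from any vendor's conditional-access product: it takes constructed sign-in events that already carry a geolocation (as Microsoft Entra and Google Workspace sign-in logs do after IP geolocation) and flags any pair of consecutive sign-ins by the same user that would require travelling faster than an assumed 900 km/h.

```python
"""Impossible-travel check over constructed sign-in events.

Added example, not the post's own code. Assumes each sign-in event
already carries a latitude/longitude; the events below are constructed.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner cruise speed

# Constructed sample events: (user, ISO-8601 UTC time, lat, lon)
SIGN_INS = [
    ("alice", "2026-03-02T08:00:00Z", 51.5074, -0.1278),   # London
    ("alice", "2026-03-02T08:45:00Z", 40.7128, -74.0060),  # New York, 45 min later
    ("bob",   "2026-03-02T09:00:00Z", 48.8566, 2.3522),    # Paris
    ("bob",   "2026-03-02T14:00:00Z", 52.5200, 13.4050),   # Berlin, 5 h later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_ts(s):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamps as UTC."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, implied_speed_kmh) for each consecutive pair of sign-ins
    by the same user whose implied travel speed exceeds max_kmh."""
    flagged = []
    last = {}  # user -> (timestamp, lat, lon) of the previous sign-in
    for user, ts, lat, lon in sorted(events, key=lambda e: (e[0], parse_ts(e[1]))):
        prev = last.get(user)
        if prev is not None:
            dist = haversine_km(prev[1], prev[2], lat, lon)
            hours = (parse_ts(ts) - parse_ts(prev[0])).total_seconds() / 3600
            # Same instant, different place is impossible; same place is fine.
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_kmh:
                flagged.append((user, round(speed, 1)))
        last[user] = (ts, lat, lon)
    return flagged


if __name__ == "__main__":
    for user, speed in impossible_travel(SIGN_INS):
        print(f"impossible travel: {user} would need {speed} km/h")
```

A real policy would also want to exempt known VPN/egress ranges and corporate offices, otherwise a user hopping between a VPN concentrator and their home connection will trip the rule.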

Where to start this week

If you only do one thing: turn on number matching for push approvals across Microsoft 365 or Google Workspace. It's free, it takes 15 minutes, and it eliminates the most common active threat against your team's accounts.

If you want a deeper review of where your MFA setup stands today, that's the kind of thing we look at for clients as part of our regular security reviews.


Has your team had any close calls with MFA fatigue or fake login pages? What did you change after?