Not all MFA is equal: Why you need phishing and fatigue resistant MFA

Implementing MFA should be non-negotiable in 2025. But here’s what many organizations don’t realize: checking the MFA box doesn’t automatically make your organization secure. MFA isn’t infallible, and the type of authentication factor you choose matters just as much as having MFA in the first place.

Some factors offer genuine protection against modern attacks. Others give you a false sense of security while leaving doors wide open for attackers. We’ll break down the most common MFA methods and where they actually stand on the security spectrum.

The MFA security hierarchy: From weakest to strongest

Not all second factors are created equal. Here’s how the most common authentication methods stack up:

SMS-based codes: The weakest link

SMS authentication, where users receive a one-time code via text message, is commonly used. However, this factor sits at the bottom of the security ladder. While it’s obviously better than a password alone, SMS codes are vulnerable to several well-documented attacks.

SIM swapping is the biggest threat. Attackers can convince mobile carriers to transfer a victim’s phone number to a SIM card they control. Once they have the number, they receive all SMS codes meant for the victim. This isn’t a theoretical risk – it’s happening regularly. According to the National Fraud Database, SIM-swap fraud jumped by over 1,000% in 2024.

The attack doesn’t require sophisticated technical skills. Social engineering tactics work surprisingly well against carrier customer service teams. Attackers gather personal information from data breaches or social media, then impersonate the victim to request a SIM transfer.

SMS codes are also vulnerable to interception through SS7 protocol exploits, phishing sites that capture codes in real-time, and malware that reads text messages on compromised devices.

Push notifications: Convenient but exploitable

Authenticator apps that send push notifications (like Microsoft Authenticator’s “Approve/Deny” prompts) offer a better user experience than typing codes. Unfortunately, they’ve become a prime target for MFA prompt bombing attacks.

The attack is simple but effective. Attackers who’ve stolen a user’s password trigger multiple authentication requests in rapid succession – sometimes dozens or even hundreds. The victim’s phone buzzes constantly with approval prompts. Eventually, many users either:

  • Approve a request accidentally while trying to dismiss notifications
  • Approve intentionally just to stop the bombardment
  • Contact the help desk, where attackers impersonating the user can manipulate support staff

High-profile breaches at Uber, Cisco, and Rockstar Games all involved MFA prompt bombing. These weren’t small-scale incidents: attackers gained extensive access to corporate networks by exploiting this single weakness.

The problem stems from how push notifications work. They don’t verify what the user is actually approving. There’s no context about the authentication request, no number matching, and no way to confirm the request is legitimate.
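As an added example (not from the article), here is detection logic a defender might run over an identity provider's push-MFA log: it flags a burst of prompts the user did not approve within a short window, and any approval that follows such a burst. The log format, user names and thresholds are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an identity provider's push-MFA log (not real data): time, user, outcome.
SAMPLE_LOG = """\
2025-10-17T08:00:01Z bob   push_approved
2025-10-17T08:14:02Z alice push_denied
2025-10-17T08:14:09Z alice push_denied
2025-10-17T08:14:15Z alice push_timeout
2025-10-17T08:14:21Z alice push_denied
2025-10-17T08:14:28Z alice push_denied
2025-10-17T08:14:36Z alice push_approved
2025-10-17T09:30:00Z carol push_denied
2025-10-17T09:45:00Z carol push_approved
"""

WINDOW = timedelta(minutes=2)      # how close together prompts must be to count as one burst
THRESHOLD = 5                      # prompts the user did not approve before we call it a burst


def detect_prompt_bombing(log: str, window: timedelta = WINDOW, threshold: int = THRESHOLD) -> list:
    """Return (user, timestamp, detail) alerts: one when a burst forms, one for any approval after it."""
    pending = defaultdict(deque)   # user -> timestamps of denied/timed-out prompts still inside the window
    alerts = []
    for line in log.splitlines():
        stamp, user, outcome = line.split()
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        recent = pending[user]
        while recent and ts - recent[0] > window:
            recent.popleft()       # forget prompts older than the window
        if outcome == "push_approved":
            if len(recent) >= threshold:
                alerts.append((user, stamp, f"approval after {len(recent)} unapproved prompts in {window}"))
            recent.clear()         # an approval ends the burst either way
        else:
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append((user, stamp, f"{threshold} unapproved prompts within {window}"))
    return alerts
```

Real identity-provider logs differ in layout, so the `line.split()` parsing is the part to adapt; the sliding-window logic stays the same.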

Time-based one-time passwords (TOTP): A solid option

Authenticator apps that generate rotating numeric codes (like Google Authenticator or Microsoft Authenticator in TOTP mode) offer significantly better security than SMS or simple push notifications.

TOTP codes are generated locally on the user’s device using a shared secret. They’re not transmitted over cellular networks, so they can’t be intercepted through SIM swapping. The codes expire quickly (typically within 30 seconds), limiting the window for attackers to use stolen codes.

However, TOTP isn’t immune to phishing. Attackers can create convincing fake login pages that capture both passwords and TOTP codes, then immediately use them on the real site. Since codes remain valid for 30 seconds, this attack works if executed quickly.

Despite this limitation, TOTP represents a meaningful security improvement over SMS and basic push notifications. It’s widely supported, relatively user-friendly, and blocks many common attack vectors.
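As an added illustration (not the article's or any vendor's code), here is RFC 6238 TOTP generation and a server-side check in Python. The constructed scenario shows that a code phished mid-step stays valid until the 30-second step rolls over, which is the relay window the text describes, while a code that already logged someone in is refused a second time.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30                                     # seconds per code, as in the article


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, dynamically truncated to `digits` digits."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class TotpVerifier:
    """Server-side check: the code must match the current step, and a step is accepted only once."""

    def __init__(self, secret: bytes, step: int = TIME_STEP):
        self.secret, self.step = secret, step
        self.last_accepted_step = -1               # highest counter already used for a login

    def verify(self, code: str, unix_time: int) -> bool:
        step = int(unix_time) // self.step
        if step <= self.last_accepted_step:
            return False                           # same step already consumed: refuse the replay
        if not hmac.compare_digest(totp(self.secret, unix_time, step=self.step), code):
            return False                           # wrong or expired code
        self.last_accepted_step = step
        return True


def relay_window(secret: bytes, captured_at: int) -> dict:
    """Constructed scenario: a code typed into a fake page at `captured_at`, relayed later by the attacker."""
    code = totp(secret, captured_at)
    step_start = (captured_at // TIME_STEP) * TIME_STEP
    return {
        "same_step": TotpVerifier(secret).verify(code, step_start + TIME_STEP - 1),   # still valid
        "next_step": TotpVerifier(secret).verify(code, step_start + TIME_STEP),       # expired
    }


def replay(secret: bytes, now: int) -> tuple:
    """The same valid code presented twice within one step: accepted once, then refused."""
    verifier, code = TotpVerifier(secret), totp(secret, now)
    return verifier.verify(code, now), verifier.verify(code, now + 1)
```

Production servers usually also accept one adjacent step to tolerate clock drift, which lengthens the relay window slightly; the one-time-use rule above still applies per step.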

Hardware security keys: Phishing-resistant protection

Hardware security keys using FIDO2/WebAuthn standards represent the gold standard for MFA. These physical devices (like YubiKeys or Google Titan keys) provide phishing-resistant authentication that stops even sophisticated attacks.

Here’s why they’re so effective: hardware keys use cryptographic verification tied to specific domains. When you authenticate to your company’s login page, the key verifies it’s talking to the legitimate domain before responding. If an attacker creates a perfect phishing page at a slightly different URL, the key simply won’t work – there’s no code to steal, no prompt to approve, nothing to intercept.

This domain binding makes hardware keys resistant to man-in-the-middle attacks, phishing, and prompt bombing. Even if attackers have your password, they can’t access your account without physical possession of your hardware key. The drawbacks are cost and logistics. Organizations need to purchase keys for all users, distribute them, and have backup procedures for lost or forgotten keys.
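As an added example, not the article's or any vendor's code, here is a stdlib-only Python model of the WebAuthn domain binding described above, with the security key, the browser and the relying party each doing their part. An HMAC key stands in for the ECDSA key pair a real key generates, and the RP ID `login.example.com` is constructed.

```python
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"            # the relying party's registered ID (constructed)
ORIGIN = "https://" + RP_ID            # the only origin the RP accepts assertions from

class SecurityKey:
    """A per-RP HMAC key stands in for the ECDSA key pair a real FIDO2 key generates (stdlib only)."""
    def __init__(self):
        self.creds = {}                # rp_id -> credential secret, created at enrolment
    def register(self, rp_id: str) -> bytes:
        self.creds[rp_id] = os.urandom(32)
        return self.creds[rp_id]       # handed to the RP, like a public key during registration
    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        if rp_id not in self.creds:
            return None                # no credential scoped to this RP ID: nothing to sign
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"   # rpIdHash || flags (user present)
        return auth_data, hmac.new(self.creds[rp_id], auth_data + client_data_hash, hashlib.sha256).digest()

def browser_get(key: SecurityKey, origin: str, rp_id: str, challenge: bytes):
    """The browser records the page origin in clientData and only honours RP IDs that origin may use."""
    host = origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None                    # a look-alike page cannot claim another domain's RP ID
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin}).encode()
    signed = key.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return None if signed is None else (client_data, *signed)

def rp_verify(rp_key: bytes, challenge: bytes, assertion) -> bool:
    """Relying-party checks: type, challenge and origin from clientData, rpIdHash, then the signature."""
    if assertion is None:
        return False
    client_data, auth_data, sig = assertion
    cd = json.loads(client_data)
    if cd["type"] != "webauthn.get" or cd["challenge"] != challenge.hex() or cd["origin"] != ORIGIN:
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(rp_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def try_login(page_origin: str, claimed_rp_id: str) -> bool:
    """Enrol a key with the real RP, then attempt a login from a page served at `page_origin`."""
    key = SecurityKey()
    rp_key = key.register(RP_ID)
    challenge = os.urandom(16)         # fresh per attempt, so a captured assertion cannot be replayed
    return rp_verify(rp_key, challenge, browser_get(key, page_origin, claimed_rp_id, challenge))
```

`try_login(ORIGIN, RP_ID)` succeeds; a page on a constructed look-alike host such as `https://login.examp1e.com` fails whether it claims the real RP ID (the browser refuses) or its own (the key has no credential to sign with).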

Why phishing-resistant factors matter

The security industry is moving away from the term “multi-factor authentication” and toward “phishing-resistant MFA” when discussing truly secure implementations. There’s a good reason for this shift.

Most MFA breaches don’t involve breaking the authentication factor itself – they involve tricking users or exploiting how factors are implemented. Phishing-resistant factors are designed specifically to resist these social engineering and credential theft attacks.

CISA (Cybersecurity and Infrastructure Security Agency) now recommends phishing-resistant MFA for all federal agencies. The Office of Management and Budget requires it for federal systems. These mandates reflect a clear understanding: traditional MFA methods aren’t enough against today’s threats.

Strengthen your MFA implementation

Specops Secure Access helps organizations implement strong, phishing-resistant authentication with support for hardware security keys, advanced authenticator features, and granular access policies. Don’t let weak MFA factors become your security blind spot. Book a live demo of Specops Secure Access.

Having MFA is a great start, but the strength of your authentication factors determines how well you’re actually protected. Organizations that rely on SMS codes or basic push notifications remain vulnerable to attacks that bypass these weaker factors.

Last updated on October 17, 2025

Written by

Marcus White

Marcus is a cybersecurity product specialist based in the UK, with 8+ years of experience in the tech and cyber sectors. He writes about authentication, identity and access management, and compliance.
