Why MFA Didn't Solve Phishing — and What It Actually Did
By Domenic DiNatale
If you've sat through a security briefing in the last decade, you've heard some version of this claim: multi-factor authentication stops the majority of account compromise attempts. The statistic is real. The inference organizations draw from it is not.
MFA does raise the cost of unauthorized access significantly — for a specific class of attacks. The mistake is concluding that raising the cost of entry means the problem is solved. That the chapter is closed. The control is deployed. The risk is residual.
Phishing campaigns adapted within months of widespread MFA adoption. The technique changed; the outcome didn't. Organizations that deployed MFA in good faith, believing it addressed their credential exposure, continued to experience incidents. The breaches looked different — adversary-in-the-middle proxies instead of replayed passwords — but the result was the same: an attacker inside the environment with valid credentials and inherited trust.
Understanding why requires being precise about what MFA actually solves, and what it never claimed to solve in the first place.
What MFA Was Designed to Do
Multi-factor authentication was designed to solve a specific problem: credential replay. If an attacker captures a username and password, MFA ensures that knowledge of those credentials is insufficient to authenticate. A second factor — something you have, something you are — has to be present at the time of authentication.
This is genuinely useful. It raises the cost of credential stuffing, brute-force attacks, and phishing where an attacker harvests credentials and logs in later. For those attack patterns, MFA works as advertised.
The problem is that these attack patterns represent only one phase of a multi-phase problem.
MFA addresses the authentication event. It has nothing to say about what happens after the authentication event. The session that follows a successful MFA challenge carries the same trust level as any other session. The system verified the user's identity at the door. It doesn't track what happens after they walk in.
The Authentication Event vs. the Session
There's a conceptual gap at the center of how most organizations think about MFA that doesn't get examined often enough.
Authentication and session persistence are different things with different risk profiles. MFA improved authentication security — it made the initial verification harder to circumvent. But it did nothing to change the security properties of what follows: a token, a cookie, a session object that represents a trust assertion the system won't revisit for its entire lifetime.
A session token granted after a successful MFA challenge is, from the system's perspective, indistinguishable from a session token that an attacker obtained by sitting between the user and the authentication endpoint, accepting the MFA challenge transparently, and capturing the resulting token.
That's not a hypothetical attack pattern. It's what real-time phishing proxies do. The user authenticates against a spoofed page. The proxy forwards the credentials and the MFA response to the legitimate service. The service issues a session token. The proxy passes it to the attacker. The attacker now has a valid, post-MFA session — with no further obstacles.
MFA wasn't bypassed by defeating the cryptographic properties of a time-based one-time password. It was bypassed by accepting the way the system was designed to work and exploiting the gap between the authentication event and the session lifecycle.
The Post-Authentication Blindspot
The more significant issue isn't that MFA can be bypassed for sophisticated adversaries. It's that deploying MFA gave organizations confidence to stop asking questions about post-authentication risk.
When MFA adoption became the benchmark for "doing authentication right," it shifted attention away from what happens after a successful login. The internal discussion changed from "how do we know who's doing what?" to "we have MFA, we're covered." The risk model collapsed what should have been a multi-layer question into a single binary: MFA enabled or not.
This is the architectural mistake that matters. Not that MFA fails under specific attack conditions — that's a technical limitation with documented workarounds. The mistake is treating MFA as a sufficient answer to a question that MFA can't fully answer.
Post-authentication risk is fundamentally different from pre-authentication risk. Before authentication, the question is: is this person who they claim to be? After authentication, the question is: is this session behaving consistently with the identity it represents? MFA answers the first question reasonably well. It has no mechanism to address the second.
The attacker who steals a post-MFA session token doesn't need to defeat authentication at all. They inherit a trust assertion and then spend it — slowly, deliberately, in ways that match the victim's access scope. Each action passes authorization checks because it would pass those checks for the legitimate user too. Nothing in the architecture is designed to notice the difference.
What MFA Actually Did
To be fair to the control: MFA did accomplish something real. It shifted the attack surface.
Before MFA, credential stuffing and password spray attacks were highly scalable. A database of leaked credentials could be tested against any service where a user had reused a password. MFA broke that economics. Attackers who relied on automated credential reuse moved on to techniques that bypassed MFA or targeted post-authentication sessions directly.
This is progress. But it's progress that created a false ceiling. Organizations measured success by the attacks that stopped working. They didn't adequately model the attacks that adapted.
What MFA actually did, at a systems level, is raise the cost of one attack class while leaving adjacent attack classes untouched. It was a constraint that shaped attacker behavior — toward more targeted, more patient, more sophisticated techniques. Adversary-in-the-middle toolkits, session token harvesting, browser-in-the-browser phishing, OAuth abuse — these aren't novel ideas that appeared after MFA. They're adaptations to it.
Architecture should be evaluated not just for the threats it stops, but for the threats it shifts toward. MFA shifted the attack surface toward post-authentication exploitation and toward higher-sophistication pre-authentication bypass. Whether that tradeoff was acknowledged at deployment is one question. Whether it's acknowledged now is the actionable one.
Where Leaders Overestimate It
The pattern shows up in tabletop exercises, audit responses, and vendor conversations: "We have MFA enabled." Full stop. Presented as if MFA is a system state rather than a control with specific scope and specific limitations.
The overestimation is understandable. MFA adoption rates became the metric. "Percentage of accounts with MFA enabled" became a KPI in security programs across the industry. When a metric becomes a target, organizations optimize for the metric. The underlying risk question — what does our architecture look like after a successful login? — stops generating the same urgency because the KPI is green.
Leaders who want to diagnose this in their own organizations can ask a simple question: If an attacker obtained a valid session token right now, how long would it take us to detect them?
Not "is MFA enabled?" Not "how many accounts are covered?" How long until detection — measured in hours or days — from the moment a valid post-authentication session is in the wrong hands?
Most organizations don't have a concrete answer. Some have never asked the question. That gap is the actual risk exposure — not the percentage of accounts covered by MFA.
The Architectural Implication
MFA is a control designed for the authentication event. The authentication event is the beginning of a user interaction, not the whole of it.
What follows the authentication event — the session, the granted trust level, the permissions inherited by the token, the behavior of the system when that token is used in unexpected ways — is an architectural question that MFA doesn't touch.
We've looked in previous posts at how authentication, treated as a one-time conclusion rather than a continuous signal, creates the structural conditions for lateral movement and prolonged undetected access. MFA doesn't change that structural condition. It changes what an attacker has to do to obtain initial access. It doesn't change what the attacker can do once they have it.
The fix that matters isn't deploying MFA — most environments already have it. It's designing systems that don't issue trust once and never revisit it. Systems that maintain some model of expected behavior per identity. Systems that can graduate their response to divergent signals rather than making a binary allow/deny decision at the front door and disengaging.
MFA was the right answer to the problem it was designed to solve. The mistake was believing that the problem it was designed to solve was the whole problem.
It was the first step. Most organizations stopped there.