Remote & on-site IT support across Australia & New Zealand · 24/7 emergency line

MFA Isn’t Bulletproof: How Attackers Get Past It

smartphone login security two factor authentication cybersecurity
Image: www.bleepingcomputer.com

Most businesses now use multi-factor authentication (MFA) – the code or app prompt you approve after typing your password. It is one of the best security steps you can take, and we recommend it to every client. But a worrying trend has surfaced: attackers are finding ways to get past MFA without ever stealing your password.

Security researchers are highlighting techniques like “device code phishing”, where a scammer tricks an employee into approving a login that the attacker started. The victim thinks they are signing in to a legitimate Microsoft or Google service. Instead, they are handing the attacker a valid, MFA-approved session straight into your email, files and accounts. No password theft required, and the login can look completely normal in your security logs.

This matters because MFA can create a false sense of safety. It is still essential – but it is not a set-and-forget shield. The good news is that a few practical steps close most of the gap.

  • Train your team to pause. If an MFA prompt or login request appears that nobody started, deny it and report it. Attackers rely on people approving prompts on autopilot.
  • Move to phishing-resistant MFA. App-based number matching or hardware security keys are far harder to trick than a simple “approve” tap or an SMS code.
  • Watch for unusual logins. Sign-ins from new countries, odd hours or unfamiliar devices are red flags worth alerting on.
  • Limit the damage. Make sure staff only have access to what they need, so one compromised account does not open every door.

You do not need to be a specific target to be a victim – many of these attacks are automated and hit small and medium businesses every day. A quick review of how your MFA is set up can make a real difference.

Worried this affects your business? Get a free 15-minute IT check – call Trends IT on 0485 011 911 or visit /contact/.

Sources

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top