
Is SMS Multi-Factor Authentication Still Secure? Why Businesses Need Phishing-Resistant MFA

SMS-based MFA is no longer enough. Learn why businesses need phishing-resistant authentication like FIDO2 and passkeys to stop modern cyberattacks.

By COMNEXIA
Tags: MFA, multi-factor authentication, phishing-resistant MFA, FIDO2, passkeys, passwordless authentication, cybersecurity, SIM swapping, MFA fatigue

Multi-factor authentication has been a cornerstone of business cybersecurity for over a decade. But the MFA methods most companies still rely on — SMS codes and push notifications — are now routinely defeated by attackers. If your organization still treats a six-digit text message as strong security, it’s time to reconsider.

The threat landscape has evolved. So must your authentication strategy.

What Is Multi-Factor Authentication and Why Does It Matter?

Multi-factor authentication (MFA) requires users to verify their identity using two or more independent factors before accessing an account or system. These factors typically fall into three categories: something you know (a password), something you have (a phone or security key), and something you are (a fingerprint or face scan).

MFA remains one of the most effective security controls available. Microsoft’s research has consistently shown that MFA blocks over 99% of automated credential-stuffing attacks. The Cybersecurity and Infrastructure Security Agency (CISA) lists MFA as a foundational element of its cybersecurity guidance for critical infrastructure.

The problem isn’t MFA itself — it’s that the most common forms of MFA are now vulnerable to well-known attack techniques.

Why Are SMS Codes No Longer Considered Secure?

SMS-based authentication sends a one-time code to your phone via text message. While this was a significant improvement over passwords alone when it became widespread in the early 2010s, SMS has several fundamental weaknesses that attackers now exploit regularly.

SIM swapping is the most well-known vulnerability. An attacker contacts your mobile carrier, impersonates you using personal information gathered from data breaches or social engineering, and convinces the carrier to transfer your phone number to a SIM card they control. Once they have your number, they receive all your SMS codes. The FBI’s Internet Crime Complaint Center (IC3) reported that SIM-swapping complaints increased significantly between 2018 and 2023, with losses exceeding $68 million in 2023 alone.

SS7 protocol exploitation is another concern. The Signaling System 7 protocol that routes text messages between carriers was designed in the 1970s and lacks modern encryption. Sophisticated attackers — including nation-state groups — have demonstrated the ability to intercept SMS messages by exploiting SS7 vulnerabilities.

Real-time phishing proxies represent perhaps the most dangerous threat. Tools like Evilginx and Modlishka sit between a user and a legitimate login page, capturing both the password and the SMS code as the user enters them, then replaying those credentials instantly. The user sees a normal login experience while the attacker gains full access.

NIST Special Publication 800-63B has classified SMS as a “restricted” authenticator since 2017, recommending organizations transition to stronger methods.

What Is an MFA Fatigue Attack and How Does It Work?

MFA fatigue — also called MFA bombing or push notification spam — targets the push-based authentication that many businesses adopted as a step up from SMS. In this attack, a threat actor who already has a user’s password triggers repeated login attempts, each sending a push notification to the user’s phone.

The user receives a flood of “Approve this login?” prompts. Eventually, out of frustration, confusion, or simply to make the notifications stop, they tap “Approve.” The attacker is in.

This technique was used in the high-profile 2022 Uber breach, where a teenage hacker reportedly gained access to internal systems after an employee approved a push notification following repeated prompts. Cisco’s Duo Security and other authentication providers have since added number-matching and additional context to push notifications, but the fundamental vulnerability remains: any authentication method that relies on a human making a quick approve/deny decision under pressure can be socially engineered.

What Is Phishing-Resistant MFA?

Phishing-resistant MFA refers to authentication methods that are cryptographically bound to the legitimate website or service, making them immune to real-time phishing proxies and social engineering. Even if an attacker sets up a perfect replica of your login page, phishing-resistant MFA simply won’t work on the fake site.

The two primary phishing-resistant MFA standards are:

FIDO2/WebAuthn is an open authentication standard developed by the FIDO Alliance and the World Wide Web Consortium (W3C). When you register a FIDO2 credential with a website, your device creates a unique cryptographic key pair, and the credential is scoped to that site’s domain (its relying party ID). The private key never leaves your device. During authentication, the device signs a challenge from the server together with client data that records the website’s origin (domain name). If you’re on a phishing site with a different domain, the browser won’t offer the credential for it, and any signed response would carry the wrong origin, so the server’s verification fails — automatically, with no user decision required.

Passkeys are the consumer-friendly evolution of FIDO2. Introduced by Apple, Google, and Microsoft starting in 2022, passkeys store FIDO2 credentials in your device’s secure enclave and sync them across your devices via your platform account. They combine the security of FIDO2 with the convenience users expect — no separate hardware token required, and authentication typically uses a fingerprint or face scan.

Hardware security keys from manufacturers like Yubico (YubiKey) and Google (Titan) provide FIDO2 authentication in a physical device. These are particularly valuable for high-risk accounts — IT administrators, executives, and finance teams — where the cost of compromise is highest.
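To make the origin binding described above concrete, here is an added example (not code from the original article or from any FIDO2 library) of the server-side checks a relying party performs on a WebAuthn assertion before verifying the signature. The RP ID, origin, challenge and authenticator data are constructed sample values; the final ECDSA signature check over the returned `signed_message`, which would use the public key stored at registration, is assumed to follow and is not shown.

```python
import base64
import hashlib
import json

# Relying party (RP) settings for a constructed example site (assumed values).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses in clientDataJSON."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_origin_binding(client_data_json: bytes, authenticator_data: bytes,
                         expected_challenge: bytes) -> tuple:
    """Checks the RP performs before the signature check.

    Returns (ok, reason, signed_message). signed_message is what the authenticator
    signed: authenticatorData || SHA-256(clientDataJSON). Origin and challenge sit
    inside clientDataJSON, so a proxy that rewrites them changes the hash and
    invalidates the signature; it cannot forge a new one without the private key.
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type", b""
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or stale session)", b""
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {client_data.get('origin')!r} is not {EXPECTED_ORIGIN!r}", b""
    # authenticatorData starts with SHA-256(rpId); it must match our RP ID.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch", b""
    # Bit 0 of the flags byte (offset 32) is User Present.
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set", b""
    signed_message = authenticator_data + hashlib.sha256(client_data_json).digest()
    return True, "origin-bound checks passed; now verify signature", signed_message


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON shaped as a browser would build it (sample data)."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()


CHALLENGE = hashlib.sha256(b"constructed-session-nonce").digest()
# Constructed authenticatorData: rpIdHash (32 bytes) + flags (UP set) + 4-byte counter.
AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + bytes([0x01]) + (7).to_bytes(4, "big")

legit = check_origin_binding(make_client_data("https://example.com", CHALLENGE), AUTH_DATA, CHALLENGE)
# A real-time phishing proxy on a look-alike domain produces client data with its own origin.
proxied = check_origin_binding(make_client_data("https://example-login.com", CHALLENGE), AUTH_DATA, CHALLENGE)
```

The proxied assertion is rejected at the origin check even though the password and challenge were relayed correctly, which is the property that SMS codes and push approvals lack.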

How Do Businesses Transition from SMS to Phishing-Resistant MFA?

Migrating an entire organization away from SMS-based MFA is a process, not a switch you flip overnight. Here’s a practical approach that works for businesses of all sizes:

Step 1: Audit Your Current Authentication Landscape

Start by documenting every system and application that uses MFA, what type of MFA each supports, and which users access which systems. Many businesses discover they have a patchwork of authentication methods across different platforms — SMS for some, authenticator apps for others, and nothing at all for a surprising number of shadow IT tools.

Step 2: Prioritize High-Value Targets

Not every account carries the same risk. Begin your migration with the accounts where a breach would cause the most damage: email platforms (Microsoft 365, Google Workspace), financial systems, remote access tools (VPNs, RDP), and IT admin accounts. These should move to FIDO2 or passkeys first.

Step 3: Deploy Hardware Keys for Privileged Users

IT administrators, C-suite executives, and anyone with access to financial systems or sensitive data should receive hardware security keys. A YubiKey costs between $25 and $75 per unit — a negligible expense compared to the average cost of a data breach, which IBM’s 2024 Cost of a Data Breach Report placed at $4.88 million globally.

Step 4: Enable Passkeys for the Broader Workforce

For the general employee population, passkeys offer the best balance of security and usability. Microsoft Entra ID (formerly Azure AD), Google Workspace, and most modern identity providers now support passkey enrollment. Users authenticate with a fingerprint or face scan — something they already do to unlock their phones.

Step 5: Establish Conditional Access Policies

Modern identity platforms allow you to create policies that require phishing-resistant MFA for specific scenarios: accessing sensitive data, logging in from unfamiliar locations, or performing privileged operations. This layered approach means you can enforce the strongest authentication where it matters most while maintaining usability elsewhere.

Step 6: Phase Out Legacy Methods

Once your phishing-resistant methods are established and users are comfortable, begin deprecating SMS and basic push notifications. Set a firm deadline, communicate it clearly, and provide support resources for stragglers. Many organizations find that a 90-day transition period works well.

What Compliance Frameworks Require Strong MFA?

Multiple regulatory and industry frameworks now specifically call out the need for strong or phishing-resistant MFA:

  • CISA’s Zero Trust Maturity Model explicitly recommends phishing-resistant MFA as a requirement for the “Advanced” and “Optimal” maturity levels.
  • The FTC Safeguards Rule, updated in 2023, requires financial institutions to implement MFA for accessing customer information. Dealerships and auto finance companies fall under this rule.
  • PCI DSS 4.0, effective March 2025, strengthened MFA requirements for access to cardholder data environments.
  • Cyber insurance providers increasingly require MFA as a condition of coverage, and many are beginning to specify that SMS-based MFA does not satisfy their requirements.

For businesses in regulated industries — including automotive dealerships that handle customer financial data — upgrading to phishing-resistant MFA isn’t just good security practice. It’s increasingly a compliance obligation.

What Role Does a Managed Service Provider Play in MFA Deployment?

Implementing phishing-resistant MFA across an organization involves identity provider configuration, device management, user training, conditional access policies, and ongoing monitoring. For businesses without a large in-house IT team, a managed service provider (MSP) brings the expertise and tooling to handle this efficiently.

At COMNEXIA, we’ve spent 35 years helping businesses in the Atlanta area and beyond build security infrastructure that actually works. Our cybersecurity services include identity and access management, and our cloud solutions team handles the Microsoft 365 and Azure configurations that underpin modern authentication.

The key advantage of working with an experienced MSP is that MFA deployment doesn’t happen in isolation — it needs to integrate with your existing directory services, VPN, remote desktop, line-of-business applications, and endpoint management. Getting any one of those wrong creates gaps that attackers will find.

Frequently Asked Questions

Is SMS-based MFA better than no MFA at all?

Yes, absolutely. SMS MFA still blocks the vast majority of automated attacks and opportunistic credential stuffing. If your only alternative is passwords alone, keep SMS MFA enabled while you plan your migration to stronger methods. The goal is improvement, not perfection overnight.

How much do hardware security keys cost for a business?

Hardware security keys typically cost $25 to $75 per unit depending on the model and features. For a 50-person company deploying keys to all employees, the total hardware cost would be $1,250 to $3,750 — often less than a single day of incident response costs during a breach.

Do passkeys work with Microsoft 365 and Google Workspace?

Yes. Microsoft Entra ID has supported FIDO2 security keys since 2019 and passkeys since 2024. Google Workspace added passkey support in 2023. Both platforms allow administrators to require phishing-resistant MFA through conditional access policies.

What happens if an employee loses their security key?

Organizations should issue two keys per user — a primary and a backup — or configure a secure recovery process. Most identity providers support temporary access codes that an IT administrator can issue while a replacement key is provisioned. The recovery process should itself require identity verification to prevent social engineering.

Can phishing-resistant MFA be bypassed?

No authentication method is theoretically unbreakable, but FIDO2 and passkeys are immune to the most common attack vectors: phishing, SIM swapping, MFA fatigue, and credential replay. Known attack paths against FIDO2 require physical access to the user’s device or compromise of the device’s secure enclave — significantly raising the bar for attackers compared to SMS or push-based MFA.
