This post was first published in 2023 and has been updated.
Some of the biggest data breaches in recent memory evaded multi-factor authentication (MFA). That does not mean MFA is ineffective. It means attackers often bypass MFA by targeting the gaps around authentication rather than the factor itself.
Whether by exploiting how MFA was configured, prompt-bombing users, or compromising sub-contractors, threat actors found ways to hit weak points in the identity lifecycle, exfiltrate data, and show why MFA must be your first line of defense, but not your last.
That is the central lesson for security teams. MFA still matters, but it works best as part of a broader identity security strategy.
Attackers use different methods depending on the environment, but several patterns appear again and again.
MFA fatigue and prompt bombing
One common tactic is MFA fatigue, also called prompt bombing. Attackers repeatedly send approval requests until a user accepts one by mistake or out of frustration. This approach works best when users are distracted, rushed, or uncertain whether the prompt is legitimate.
That is one reason user education still matters. People need to know that an unexpected prompt should be treated as a warning sign, not a routine login step.
Weak MFA configuration
MFA is only as strong as its implementation. If administrators leave gaps in policy, enrollment, fallback methods, exception handling, or step-up requirements, attackers will look for them. In many cases, the weakness is not the factor itself. It is the way the factor was deployed.
Third-party and contractor exposure
Attackers also target suppliers, contractors, and partners with access to internal systems. A strong control can still fail if a third-party identity is overprivileged, poorly monitored, or weakly governed. Identity risk does not stop with employees.
Fail-open architecture
A “fail open” system is one that defaults to open when standard operating controls are non-functional. That principle can make sense in physical security, but it introduces serious risks when it comes to securing digital access.
If a system loses contact with a cloud-based MFA service and defaults to granting access, attackers can exploit that condition to bypass MFA entirely.
Identity lifecycle gaps
Authentication is only one part of identity security. Threat actors know that there is more to identity security than managing identities. They look for weaknesses in provisioning, recovery, delegated administration, third-party access, and entitlement governance.
The biggest lesson from these attacks is not that MFA failed. The lesson is that identity defenses need to extend beyond the login screen.
When organizations focus only on the authentication event, they leave other high-value areas exposed. Recovery workflows, policy exceptions, offline access, privileged roles, and excessive entitlements can all become attack paths.
For example, provisioning access is not enough: organizations should start by asking whether the user needs access at all. If so, for how long? Have we provided them with too much access or just enough? How would we even know? Those are practical security questions that directly affect breach risk.
Organizations that want to reduce MFA bypass risk need stronger visibility across the full identity lifecycle. That means understanding not only who can log in, but also why they have access, what they can reach, and how those permissions change over time.
The best defense is not a single factor or a single product. It is a layered approach that closes the gaps attackers rely on.
Strengthen authentication options
Not all authentication methods provide the same level of protection. With options like Apple Face ID becoming nearly ubiquitous for mobile users, biometrics are a popular form of passwordless authentication, but certainly not the only one. Organizations should evaluate stronger options that can reduce exposure to phishing and replay-based attacks. Prioritize a range of passwordless solutions that can support every user, in every environment, every time.
Reduce reliance on user guesswork
Push-based MFA is convenient, but convenience can create risk when users are expected to interpret unexpected prompts in the moment. The more an authentication flow depends on user judgment under pressure, the more vulnerable it can become.
That is why organizations should pair stronger authentication with security awareness, adaptive policy controls, and monitoring for suspicious approval patterns.
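One way to monitor for the suspicious approval patterns described above is to look for bursts of push prompts to a single user and escalate when a burst ends in an approval, especially after the user had already denied a prompt. This is an added example, not code from the original post or from any RSA product; the log format and the event names are assumed, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed push-MFA events, not real product logs. Assumed line format:
# "<ISO-8601 UTC timestamp> <user> <push_sent|push_denied|push_approved> <source ip>"
SAMPLE_LOG = """\
2024-03-01T02:13:05Z alice push_sent 203.0.113.9
2024-03-01T02:13:07Z alice push_denied 203.0.113.9
2024-03-01T02:13:20Z alice push_sent 203.0.113.9
2024-03-01T02:13:41Z alice push_sent 203.0.113.9
2024-03-01T02:13:59Z alice push_sent 203.0.113.9
2024-03-01T02:14:30Z alice push_approved 203.0.113.9
2024-03-01T09:00:01Z bob push_sent 198.51.100.4
2024-03-01T09:00:12Z bob push_approved 198.51.100.4
"""
LINE = re.compile(r"^(\S+) (\S+) (push_sent|push_denied|push_approved) (\S+)$")

def parse_events(log):
    """Parse log text into sorted (timestamp, user, kind, ip) tuples, skipping junk lines."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)

def detect_prompt_bombing(events, window=timedelta(minutes=5), threshold=3):
    """Return {user: finding} for users who received `threshold` or more pushes inside
    one `window`. Severity is "low" for a bare burst, "medium" if it ends in an approval,
    and "high" if the user denied a prompt and then approved one (the fatigue signature)."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    findings = {}
    for user, evs in by_user.items():
        sends = [ts for ts, _, kind, _ in evs if kind == "push_sent"]
        for start in sends:
            burst_end = start + window
            prompts = sum(1 for t in sends if start <= t <= burst_end)
            if prompts < threshold:
                continue
            kinds = [k for ts, _, k, _ in evs if start <= ts <= burst_end]
            approved = "push_approved" in kinds
            denied_then_approved = approved and "push_denied" in kinds[:kinds.index("push_approved")]
            severity = "high" if denied_then_approved else "medium" if approved else "low"
            findings[user] = {"prompts": prompts, "approved": approved,
                              "denied_then_approved": denied_then_approved, "severity": severity}
            break  # one finding per user is enough to raise an alert
    return findings
```

A "high" finding is the case worth paging on: the user first rejected a prompt and then accepted one a minute later, which is the behaviour the prompt-bombing technique relies on.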
Plan for failure scenarios
This is one of the clearest takeaways from these breaches. There are a few ways these attacks could have been avoided without locking users out of the system. The first is to employ a hybrid authentication system that can fall back to a local on-prem node in the case of an Internet failure. The second is to employ an authentication system that can be validated offline.
In high-assurance environments, resilience matters, but so does failure behavior. Security teams should know exactly what happens when upstream services are unavailable.
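The fail-open condition described earlier and the offline-validation fix from this section, side by side as an added example (not code from the original post or from RSA ID Plus). The cloud verification call, the seed store on the local node, and the seed value are all hypothetical and constructed; the offline path validates a standard RFC 6238 TOTP against a locally cached seed.

```python
import hashlib
import hmac
import struct

# Constructed demo seed, standing in for OTP seeds replicated to an on-prem node.
SEEDS = {"alice": b"constructed-demo-seed-do-not-use"}

class CloudUnreachable(Exception):
    """Raised when the hypothetical cloud MFA provider cannot be reached."""

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, computed locally from a cached seed."""
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def cloud_verify(user, code, now, cloud_up):
    """Hypothetical cloud check; it raises instead of answering during an outage."""
    if not cloud_up:
        raise CloudUnreachable("no route to MFA provider")
    seed = SEEDS.get(user)
    return seed is not None and hmac.compare_digest(code, totp(seed, now))

def verify_fail_open(user, code, now, cloud_up=True):
    """The weak pattern from the text: an outage is treated as a passed check."""
    try:
        return cloud_verify(user, code, now, cloud_up)
    except CloudUnreachable:
        return True  # BUG: losing the provider grants access, so MFA is bypassed

def verify_offline_fallback(user, code, now, cloud_up=True):
    """Hardened: during an outage, validate the OTP against the local seed store
    and fail closed when no local material exists for the user."""
    try:
        return cloud_verify(user, code, now, cloud_up)
    except CloudUnreachable:
        seed = SEEDS.get(user)
        if seed is None:
            return False
        # Allow one 30-second step of clock drift on either side of the current step.
        return any(hmac.compare_digest(code, totp(seed, now + d)) for d in (-30, 0, 30))
```

The `now` argument is passed explicitly so the behaviour can be checked at a fixed instant; in a real deployment it would be the node's clock, and the cached seeds would need the same protection as the provider's own seed store.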
Improve identity visibility
Identity security requires more than verifying a factor. It also requires insight into access, entitlements, lifecycle changes, and risk signals across users and systems. Without that visibility, organizations may secure authentication while still leaving critical assets exposed.
Passwordless authentication can help reduce MFA bypass risk by moving organizations away from phishable credentials and fragile login flows.
Whether it’s biometrics, FIDO2, QR codes, BLE, NFC, or other passwordless form factors, organizations should use solutions that can support a range of mixed environments, applications, and user groups.
Passwordless is not just about convenience. It can also reduce reliance on passwords, which remain one of the most commonly exploited entry points in identity attacks.
OTP and FIDO authenticators each have their unique benefits. Some are better suited to modern browser-based authentication, while others offer broader coverage across legacy and hybrid environments. When comparing OTP and FIDO, however, the best answer is usually an “AND.” Many organizations need both flexibility and stronger assurance.
MFA must be your first line of defense, but not your last. To reduce the risk of MFA bypass, organizations need stronger authentication options, resilient architecture, and better visibility across the full identity lifecycle.
With RSA ID Plus, organizations can support passwordless and hybrid authentication, strengthen protection for modern and legacy environments, and build a more resilient identity security strategy. Learn how RSA ID Plus can help defend against the gaps attackers target when MFA stands alone.
MFA is a critical security control that works best when it’s deployed as part of a broader identity security strategy. We explored several of the common ways attackers bypass MFA, including prompt bombing, weak configuration, third-party exposure, and gaps across the identity lifecycle in our webinar, Anatomy of the Attack: The Rise & Fall of MFA, which prompted thoughtful follow-up questions from attendees. The FAQs below address some of the most important questions that came out of that conversation.
Q: Would you agree with Microsoft that the Windows Hello PIN is more secure than a password for gaining access to your workstation?
A: This is a fascinating question that will be debated for many years to come. Passwords and PINs both fall into the authentication category of “something you know” and are therefore susceptible to phishing attacks. Compared to passwords, PINs are generally shorter in length and use a restricted character set. So from an entropic perspective, PINs are weaker than passwords—i.e., the greater the number of potential choices, the harder a password or PIN will be to brute force.
But that’s only part of the story. Unlike passwords, PINs (or at least PINs as defined by NIST SP800-63) are locally validated. This means that they are never transmitted or stored in a centralized repository. This makes PINs far less likely to be intercepted or stolen in a smash-and-grab attack.
As is often the case, environment, configuration, and user education tend to have a bigger impact on your overall cybersecurity posture than protocols or technologies.
Q: Can you provide a little more detail on offline authentication options to avoid the fail-open issue? Examples of architecture or product offerings?
A: A “fail open” system is one that defaults to open when standard operating controls are non-functional. While this is an important safety principle in physical security (e.g., in the event of a fire, all exterior doors should immediately unlock), it is not so great when protecting access to your critical assets.
In the NGO use case, attackers gained access to the asset by preventing the local system from communicating with the cloud-based MFA provider, effectively bypassing the MFA control. This was possible because the identity solution in place defaulted to a “fail open” security posture.
There are a few ways this could have been avoided without locking users out of the system. The first is to employ a hybrid authentication system that can fall back to a local (on-prem) node in the case of an Internet failure. The second is to employ an authentication system that can be validated offline. RSA ID Plus supports both options.
Q: Which is the best IDP (Identity Provider) in your point of view?
A: If I answer anything other than ‘RSA ID Plus’, I’m pretty sure that I will lose my job.
But in all seriousness, there are several things that I would look for. First, does the vendor have a proven track record? Second, is Identity core to their business or just one of many things they do? Third, does the vendor prioritize convenience over security in making design decisions? Fourth, does the solution offer the flexibility to support a broad set of users and use cases, including those hairy legacy apps in the bowels of your datacenter? And finally, when things do go wrong (and they will) does the vendor own up with full transparency or do they obfuscate and blame shift?
Security isn’t easy and threat actors target identity more than any other part of the attack surface. Organizations need IDPs that understand that.
Q: How reliable are the current ZTNA solutions offered by security vendors?
A: Zero Trust Network Access (ZTNA) is a concept based on the principle that trust should never be assumed based solely on a user’s connection to the local intranet—users must be continuously authenticated, they must have permission to access a specific resource, and they must also have a valid reason for doing so.
While there are many “Zero Trust” products on the market today, it is important to note that ZTNA is a conceptual framework and a set of best practices. How you employ the technology, define your policies, and manage your ecosystem will determine your ZTNA posture. Technology can certainly help, but if any vendor tells you that their product will make you ZTNA compliant, go find somebody else.
If you’d like to learn more about Zero Trust, I recommend starting with the seven principles of Zero Trust defined in NIST SP800-207.
Q: Is passwordless based entirely on biometrics? What other methods can be used, how is AI being used in authentication?
A: With options like Apple Face ID becoming nearly ubiquitous for mobile users, biometrics are definitely a popular form of passwordless authentication, but certainly not the only one. FIDO2 is an increasingly common choice for both consumer and enterprise use cases. Contactless methods like QR code, BLE, and NFC are also in use, though to a lesser extent. Increasingly, AI principles such as smart rules, machine learning, and behavioral analytics are being used to further augment identity confidence as invisible factors of authentication that introduce little or no end-user friction. RSA ID Plus supports all these options today.
Q: What is the future of Identity & Access Management?
A: I think these three attacks all demonstrate that “Identity & Access Management” is, if not an outdated term, then maybe an insufficient one.
These attacks underscore that we need to secure identities, not just manage them. For example, provisioning access is not enough: we should start by asking ‘does the user need access?’ If so, for how long? Have we provided them with too much access or just enough? How would we even know? In too many cases, I don’t think admins would know one way or another—or even how to find out.
Threat actors know that there’s more to identity than managing identity. The attacks that I reviewed demonstrate how cybercriminals attack the gaps that IAM doesn’t account for. I think organizations’ understanding of identity needs to expand to account for and secure the full identity lifecycle.
On a more technical level, I think AI will have a big role to play in processing the enormous amounts of authentication, entitlement, and usage data. Having an intelligent platform that can assess fine-grained data quickly and at scale can be a real asset in keeping organizations secure.
Q: How would you compare SecurID with YubiKey?
A: SecurID and YubiKey are each class-leading authenticators in their respective categories. And the good news—RSA ID Plus supports both (among many other authentication options).
Stepping back from vendor specifics, OTP and FIDO authenticators each have their unique benefits. While FIDO is growing in popularity as a secure and convenient option for web-based logins, software-based FIDO options still have limited versatility, hardware devices often require a physical connection, and true support for FIDO beyond the web browser is nearly non-existent. Meanwhile, OTP has the advantage of working just about anywhere—on hardware or on software—without any specialized client software or physical connection required.
When comparing OTP and FIDO, however, the best answer is usually an ‘AND’. Hybrid devices like the RSA DS100 authenticator combine the best of both worlds, offering OTP and FIDO2 in a single form factor to provide maximum flexibility and breadth of support. RSA also supports the iShield Key 2 series, which delivers hardware-backed authentication validated against the highest security benchmarks. Certified under FIPS 140-3 and FIDO2, it aligns with frameworks including FedRAMP, NIST, DORA, NIS2, HIPAA, and PCI DSS.