Executive Summary
Multi-Factor Authentication has long been positioned as a cornerstone of cybersecurity. The emergence of real-time phishing attacks is dismantling this position.
As long as authentication relies on transferable information, this problem cannot be solved at the MFA layer.
The Rise and Success of MFA
MFA implementations have reportedly blocked over 99% of traditional phishing attacks targeting account takeovers. This success created a dangerous perception: MFA equates to security. The operative word is "traditional." Traditional phishing collected credentials for delayed unauthorized access, and the time gap was the defense. Real-time phishing eliminates the time gap.
The Emergence of Real-Time Phishing
During the 2020s, attackers developed real-time phishing using Adversary-in-the-Middle (AiTM) techniques. The victim completes a legitimate authentication flow. The attacker observes all of it in real time and hijacks the session at the moment it is established.
Why MFA Is Being Bypassed
The root cause is structural. Most widely used MFA factors are transferable information: they can be relayed from the victim to the attacker without modification. Passwords, SMS OTPs, TOTP codes, push notifications, all transferable. Only FIDO2/Passkeys and TPM-stored certificates are genuinely non-transferable.
The Blind Spot of Zero Trust
Zero Trust cannot distinguish a legitimate session establishment from a proxied one when the proxy is transparent. In real-time phishing, all verifications pass because attackers proxy the legitimate victim.
"Zero Trust is superior to perimeter defense" is correct. "Zero Trust prevents real-time MitM attacks" is not.
Non-Transferable Authentication Factors
Switching to non-transferable information provides the most fundamental countermeasure: FIDO2/Passkeys (private key never leaves device), TPM-stored certificates (bound to hardware), device-specific hardware attestation, and live biometrics.
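The distinction drawn above (transferable factors in "Why MFA Is Being Bypassed" versus origin-bound factors here) can be shown in code. The following is an added example, not code from the original report: it implements RFC 6238 TOTP and a simplified WebAuthn-style assertion, then runs both through a simulated transparent proxy. The relayed TOTP code verifies because the relying party cannot tell who typed it; the relayed assertion fails because the browser embeds the origin it is actually on into the signed client data. The origins, the credential key, and the use of an HMAC in place of the authenticator's asymmetric signature are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets
import struct
from urllib.parse import urlparse

# Constructed scenario: the real relying party and the attacker's proxy domain.
LEGIT_ORIGIN = "https://login.example.test"
PHISH_ORIGIN = "https://login.examp1e.test"


# ---- Transferable factor: TOTP (RFC 6238) ---------------------------------
def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. The result is a string anyone can forward."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def rp_verify_totp(secret: bytes, submitted: str, timestamp: int) -> bool:
    """The RP only sees a six-digit string; it cannot know where it was typed."""
    return hmac.compare_digest(totp(secret, timestamp), submitted)


def demo_totp_relay(now: int = 1_700_000_000) -> bool:
    """Victim types the code on the phishing page; the proxy forwards it verbatim."""
    seed = b"constructed-shared-totp-seed"
    code_typed_on_phish_page = totp(seed, now)
    forwarded_by_proxy = code_typed_on_phish_page  # unchanged: transferable
    return rp_verify_totp(seed, forwarded_by_proxy, now)


# ---- Non-transferable factor: origin-bound assertion (WebAuthn-style) -----
def rp_id_hash(origin: str) -> bytes:
    """SHA-256 of the effective domain, as the browser computes it from the page origin."""
    return hashlib.sha256(urlparse(origin).hostname.encode()).digest()


def browser_client_data(challenge: bytes, page_origin: str) -> bytes:
    """The browser fills in the origin of the page that called the API, not the RP's name."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                       "origin": page_origin}, sort_keys=True).encode()


def authenticator_sign(device_key: bytes, rpid_hash: bytes, client_data: bytes) -> bytes:
    """Stand-in for the authenticator's private-key signature over
    authenticatorData || SHA-256(clientDataJSON). HMAC is an assumption of this
    example; the property that matters is that device_key never leaves the device."""
    return hmac.new(device_key, rpid_hash + hashlib.sha256(client_data).digest(),
                    hashlib.sha256).digest()


def rp_verify_assertion(stored_key: bytes, expected_origin: str, issued_challenge: bytes,
                        client_data: bytes, signature: bytes) -> bool:
    """RP checks type, the challenge it issued, the origin it expects, then the signature."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return False
    if data.get("challenge") != issued_challenge.hex():
        return False
    if data.get("origin") != expected_origin:  # origin binding defeats a transparent proxy
        return False
    expected = hmac.new(stored_key, rp_id_hash(expected_origin) + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def _assertion_flow(page_origin: str) -> bool:
    """One login where the user's browser is on page_origin and the RP is LEGIT_ORIGIN."""
    device_key = secrets.token_bytes(32)       # registered with the RP earlier
    challenge = secrets.token_bytes(32)        # issued by the RP, relayed by the proxy unchanged
    client_data = browser_client_data(challenge, page_origin)
    signature = authenticator_sign(device_key, rp_id_hash(page_origin), client_data)
    # The proxy forwards client_data and signature to the RP exactly as received.
    return rp_verify_assertion(device_key, LEGIT_ORIGIN, challenge, client_data, signature)


def demo_fido_direct() -> bool:
    return _assertion_flow(LEGIT_ORIGIN)       # True: origin matches


def demo_fido_relay() -> bool:
    return _assertion_flow(PHISH_ORIGIN)       # False: origin is the proxy's domain


if __name__ == "__main__":
    print("TOTP relayed through AiTM proxy accepted:", demo_totp_relay())
    print("Assertion direct to RP accepted:          ", demo_fido_direct())
    print("Assertion relayed through AiTM accepted:  ", demo_fido_relay())
```

Note that the relayed assertion fails twice over: the origin field in the client data names the proxy, and the signature covers an rpId hash derived from the proxy's domain. A real browser would go further and refuse to invoke the authenticator at all, because the requested rpId is not a registrable suffix of the page's domain; the simulation lets the call proceed to show that even a forwarded response is rejected by the relying party.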
Conclusion
The end of the MFA myth is also the beginning of a new authentication paradigm.
What is required is a fundamental shift: non-transferable authentication factors combined with physical route protection, making real-time phishing technically impossible rather than merely detectable.