The End of the MFA Myth
Real-time phishing dismantles the MFA myth. If authentication relies on transferable information, the boundary does not exist.
Editor’s Note: This essay applies the Superasystem doctrine to modern authentication. The conclusion is structural, not operational: as long as authentication relies on transferable information, real-time adversaries will bypass it.
Executive Summary
Multi-Factor Authentication (MFA) has long been positioned as a cornerstone of cybersecurity. However, the emergence of real-time phishing attacks is dismantling this myth. This report provides a technical analysis of why MFA is ineffective against real-time attacks and proposes a fundamental shift in authentication design.
The core conclusion: “As long as authentication relies on transferable information, this problem cannot be solved.” This report argues that a combination of physical route protection and non-transferable authentication factors is essential.
1. The Rise and Success of MFA
Multi-Factor Authentication (MFA) emerged as an effective countermeasure against the vulnerabilities of password-only authentication, gaining rapid adoption since the 2010s. By combining “something you know,” “something you have,” and “something you are,” MFA significantly reduced the risk of credential theft.
MFA implementations have reportedly blocked over 99% of traditional phishing attacks targeting account takeovers. This success created an industry-wide perception that “MFA equals security.” According to the Microsoft Digital Defense Report 2024, MFA remains one of the most effective defenses against conventional credential attacks.
1.1 Traditional Phishing and MFA
Traditional phishing attacks collected credentials and used them at a later time for unauthorized access. Against this “time-delayed attack,” One-Time Passwords (OTPs) were highly effective because stolen OTPs would expire before attackers could use them.
2. The Emergence of Real-Time Phishing
In the 2020s, attackers developed a new methodology: real-time phishing using Adversary-in-the-Middle (AiTM) techniques. This attack does not “store credentials for later use” but rather “relays them for immediate use”—a fundamental shift in approach.
2.1 Technical Structure of the Attack
The basic structure of real-time phishing works as follows: the attacker positions themselves between the victim and the legitimate service, operating as a reverse proxy. Credentials entered by the victim on the fake site are immediately forwarded to the real site. Responses from the legitimate site are relayed back to the victim, so the login appears normal.
| Step | Victim Action | Attacker Action | Legitimate Service |
|---|---|---|---|
| 1 | Access fake site | Display clone of real site | – |
| 2 | Enter ID/Password | Relay to real site immediately | Receive auth request |
| 3 | Prompted for OTP | Relay response from real site | Send MFA request |
| 4 | Enter OTP | Relay OTP immediately | Auth success, issue session |
| 5 | Perceive login success | Hijack session, execute attack | Process as legitimate user |
Table 1: Real-Time Phishing Attack Flow
2.2 Real-World Incidents
Change Healthcare (2024) – $3 Billion Impact
In February 2024, Change Healthcare, which processes 15 billion medical claims annually (nearly 40% of all U.S. claims), suffered a ransomware attack. The ALPHV/BlackCat group gained access through a Citrix remote access portal that lacked MFA. The breach affected 190 million Americans—over half the U.S. population—and cost UnitedHealth Group over $3 billion. As CEO Andrew Witty testified before Congress: “This particular server did not have MFA on it… the breach was entirely preventable.”
Uber (2022) – MFA Fatigue Attack
In September 2022, the Lapsus$ group breached Uber using an MFA fatigue attack. After purchasing a contractor’s credentials from the dark web, the attacker bombarded the target with MFA push notifications for over an hour. The attacker then contacted the contractor via WhatsApp, posing as Uber IT support, convincing them to approve a request. This granted access to internal systems including G-Suite, Slack, AWS, and the HackerOne bug bounty platform.
Japan Securities Industry (2025) – $710 Million Fraud
Starting February 2025, a massive wave of unauthorized trading hit Japanese brokerages. By June, the FSA reported 7,139 fraudulent transactions totaling ¥571 billion ($710 million). Eight major brokers including Rakuten Securities, SBI Securities, and Nomura reported incidents. Attackers used AiTM phishing and infostealers to capture credentials, then manipulated low-liquidity stocks for profit. Victims, including those with MFA enabled, found their retirement savings liquidated and replaced with worthless penny stocks.
Microsoft 365 OAuth Campaigns (2024-2025)
Since late 2024, sophisticated OAuth device code phishing attacks have targeted Microsoft 365 users across government, NGOs, healthcare, and enterprises. Threat actors including Storm-2372 use tools like SquarePhish and Tycoon 2FA to bypass MFA entirely, capturing session tokens through the legitimate OAuth flow. Microsoft reported over 10,000 organizations were targeted in AiTM campaigns.
3. Why MFA Is Being Bypassed
MFA’s ineffectiveness against real-time phishing stems from a structural problem: most authentication factors used by MFA are “transferable information.”
3.1 The Transferability Perspective
When classifying authentication factors by “transferability,” we find that most widely-used MFA factors are transferable.
| Authentication Factor | Transferable? | Reason |
|---|---|---|
| Password | Yes | Easily copied as a string |
| SMS OTP | Yes | Can be relayed within validity period |
| TOTP (Auth App) | Yes | Valid for 30 seconds, bypassed via instant relay |
| Push Notification | Yes | Victim approves unknowingly (MFA fatigue) |
| Security Questions | Yes | Answers are transferable |
| Email Link Authentication | Yes | AiTM attack possible at link destination |
Table 2: Transferability of Common MFA Factors
3.2 Limitations of Time-Reduction Approaches
Some financial institutions have attempted to counter real-time attacks by reducing OTP validity periods. For example, certain Japanese brokerages reduced the authentication code validity period to 40 seconds. However, this approach has fundamental limitations.
In automated real-time phishing attacks, the time required to relay authentication information is approximately 1-2 seconds. Forty seconds is short for humans but more than sufficient for attackers.
| Validity Period | User Experience | Attack Success | Practicality |
|---|---|---|---|
| 60 seconds | Comfortable | Attack succeeds | Good |
| 40 seconds | Somewhat rushed | Attack succeeds | Marginal |
| 20 seconds | Very difficult | Attack succeeds | Poor |
| 5 seconds | Nearly impossible | Somewhat difficult | Unusable |
Table 3: Limitations of OTP Time Reduction
Reducing the validity period to a level that would prevent attacks makes it impossible for normal users to complete authentication. This is a fundamental dilemma that cannot be resolved through time reduction alone.
4. The Blind Spot of Zero Trust
Zero Trust has become the mainstream security architecture in recent years. The principle of “never trust, always verify” is effective against insider threats and lateral movement. However, Zero Trust architecture also has fundamental limitations against real-time phishing.
4.1 What Zero Trust Can and Cannot Protect
Zero Trust is highly effective at “limiting damage after intrusion.” Through least-privilege principles, micro-segmentation, and continuous verification, it can restrict the access scope an attacker can obtain. However, its design makes no assumptions about “bypassing the authentication process itself.”
| Threat Type | Zero Trust Effectiveness | Separate MitM Defense Needed? |
|---|---|---|
| Insider Threats | Effective (least privilege) | – |
| Lateral Movement | Effective (segmentation) | – |
| Credential Leak (Traditional) | Partial (MFA required) | – |
| Real-Time AiTM Attack | Ineffective (verification relayed) | Required |
Table 4: Scope of Zero Trust Architecture
4.2 Why Zero Trust Is Ineffective Against MitM
Consider the verification process in Zero Trust. The system verifies ID/password, MFA, device information, and other factors to determine “Is this request legitimate?” However, in real-time phishing, all this information is relayed from the victim. Since the attacker is merely “proxying” the victim, all verifications pass.
“Zero Trust is superior to perimeter defense” is correct. However, “Zero Trust can prevent MitM” is incorrect. Many organizations feel secure after implementing Zero Trust, but awareness that separate measures are needed for MitM is lacking across the industry.
5. Directions for Countermeasures
Fundamental countermeasures against real-time phishing require a paradigm shift in authentication design. The key principle is: “As long as authentication relies on transferable information, this problem cannot be solved.”
5.1 Non-Transferable Authentication Factors
Switching authentication to “non-transferable information” provides the most fundamental countermeasure. Non-transferable authentication factors are information tied to physical existence or hardware that is fundamentally impossible to copy or relay over a network.
| Authentication Factor | Why Non-Transferable |
|---|---|
| FIDO2/Passkeys | Private key never leaves the device by design |
| TPM-Stored Certificates | Stored in hardware security module |
| Device-Specific Hardware Info | Physically difficult to spoof |
| Live Biometrics | Requires on-the-spot verification |
| Behavioral Patterns (Real-Time) | Continuous identity verification |
Table 5: Examples of Non-Transferable Authentication Factors
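To make the FIDO2/Passkeys row concrete, the following is an added, simplified model of a WebAuthn assertion and its relying-party check; it is not code from this report or from any FIDO implementation, and the names (`bank.example`, `bank-login.example`, the challenge value) are constructed. It shows the second property that defeats AiTM relay alongside the non-exportable key: the browser, not the user, writes the origin into the signed client data, so an assertion produced on a look-alike page fails the relying party's origin check, and rewriting the origin afterwards invalidates the signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData: the WebAuthn clientDataJSON fields that bind an assertion to the browser's origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Authenticator models the device; the private key is created here and never exported.
type Authenticator struct{ key *ecdsa.PrivateKey }
func NewAuthenticator() *Authenticator {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{key: k}
}
// signedMessage is what is actually signed: SHA-256(rpId) || SHA-256(clientDataJSON).
func signedMessage(rpId string, cd []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpId)), sha256.Sum256(cd)
	h := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return h[:]
}
// Sign answers a challenge; origin comes from the browser, so a victim on a look-alike page signs that origin.
func (a *Authenticator) Sign(rpId, origin, challenge string) (cd, sig []byte) {
	cd, _ = json.Marshal(clientData{"webauthn.get", challenge, origin})
	sig, _ = ecdsa.SignASN1(rand.Reader, a.key, signedMessage(rpId, cd))
	return cd, sig
}

// Verify is the relying party's check: the challenge it issued, its own origin, and a valid signature.
func Verify(pub *ecdsa.PublicKey, rpId, wantOrigin, challenge string, cd, sig []byte) bool {
	var p clientData
	if json.Unmarshal(cd, &p) != nil || p.Type != "webauthn.get" || p.Challenge != challenge || p.Origin != wantOrigin {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(rpId, cd), sig)
}

func main() { // victim's browser sits on the AiTM page; the challenge is relayed verbatim (constructed values)
	a, ch := NewAuthenticator(), "c0ffee-nonce"
	cd, sig := a.Sign("bank.example", "https://bank-login.example", ch)
	fmt.Println("relayed assertion accepted:", Verify(&a.key.PublicKey, "bank.example", "https://bank.example", ch, cd, sig))
}
```

In a real browser the authenticator would refuse the request even earlier, because the rpId must match the page's registrable domain; the model above only shows the server-side check.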
5.2 The Need for Physical Route Protection
Making authentication factors non-transferable alone is insufficient. As long as attackers can intervene in the route to legitimate services, other attack vectors remain. Therefore, combining physical route protection is important.
Specifically, using encrypted tunnels such as VPNs or private network access solutions and blocking access from non-legitimate routes is effective. Even if attackers build fake sites, no route then exists from those fake sites to the legitimate services, making MitM attacks impossible.
5.3 Multi-Layered Defense Design Principles
Effective defense against real-time phishing should consist of the following three layers:
| Layer | Protects | Role |
|---|---|---|
| Layer 1 | Route | Communication concealment via encrypted tunnel, enforcing legitimate routes |
| Layer 2 | Access | Blocking non-legitimate routes via authentication proxy |
| Layer 3 | Identity | Authentication using non-transferable information |
Table 6: Multi-Layered Defense Against Real-Time Phishing
When these layers are combined, attackers must simultaneously breach multiple barriers, significantly reducing the probability of a successful attack.
6. Recommendations for the Industry
Based on this report’s analysis, the following recommendations are made:
6.1 Shift in Perception
The perceptions that “MFA implementations equal security” and “Zero Trust addresses all threats” need to be revised. These are important defensive measures, but they have design limitations against the specific threat of real-time phishing.
6.2 Recommendations for Financial Institutions
For financial institutions particularly, from the perspective of customer asset protection, it is recommended to recognize the limitations of current MFA methods and consider new authentication infrastructure combining non-transferable authentication factors with physical route protection. The Change Healthcare and Japanese securities incidents demonstrate the catastrophic consequences of authentication failures in financial services.
6.3 Evolution of Technical Standards
The adoption of FIDO2/Passkeys is the right direction. As an industry, accelerating the standardization and adoption of non-transferable authentication factors is desirable. At the same time, solutions that enable gradual migration while maintaining compatibility with existing systems are required. CISA’s February 2025 guidance on preventing MFA-evading phishing attacks provides a valuable starting point.
7. Conclusion
Multi-Factor Authentication has long served as a cornerstone of security. However, the rise of real-time phishing has revealed its limitations.
As this report demonstrates, the essence of the problem lies in the structure of “authenticating with transferable information.” Superficial measures like time reduction or enhanced verification cannot solve this structural issue.
What is required is a fundamental shift in authentication design. The combination of “non-transferable authentication factors” and “physical route protection” that makes real-time phishing technically impossible is what future authentication systems must provide.
The end of the MFA myth is also the beginning of a new security paradigm. It is essential for the entire industry to recognize this challenge and advance the transition to next-generation authentication infrastructure to protect our digital society.
References
• Microsoft Digital Defense Report 2024
• FBI IC3 & CISA Joint Advisory – Scattered Spider Operations (July 2025)
• CISA Guidelines for Preventing MFA-Evading Phishing Attacks (February 2025)
• Proofpoint Threat Intelligence – Tycoon 2FA Phishing Kit Analysis (January 2025)
• Japan Financial Services Agency – Unauthorized Trading Incident Reports (2025)
• U.S. House Energy and Commerce Committee – Change Healthcare Testimony (2024)
• Cisco Talos – State-of-the-Art Phishing: MFA Bypass (May 2025)