
Why Legacy MFA Fails the Modern Enterprise

February 28, 2026 Parnab Saha 2 min read

Multi-factor authentication has been a cornerstone of identity security for years, but legacy implementations are increasingly bypassed rather than broken. Adversary-in-the-middle (AiTM) phishing kits relay the user's password and one-time code to the real service and keep the resulting session cookie, which makes SMS and TOTP-based MFA trivial to defeat.


The AiTM Threat

Modern phishing frameworks such as Evilginx, Modlishka, and custom AiTM proxies sit between the victim and the legitimate login page and relay the authentication session in real time. When the user enters a password and MFA code on the proxied page, the proxy forwards them to the real service, which accepts them because they are genuine; the proxy then captures the authenticated session cookie and the attacker uses it directly, with no further MFA prompt. The one-time code is consumed within seconds, so its short lifetime offers no protection.

Why SMS and TOTP Fail

  • SMS: vulnerable to SIM swapping, SS7 interception and malware on the handset, and the code can be relayed by an AiTM proxy like any other one-time code
  • TOTP: the six-digit code stays valid for roughly 30 seconds plus any server tolerance window, which is ample time for an AiTM proxy to relay it to the real service
  • Push notification: users can be socially engineered or worn down ("MFA fatigue") into approving a prompt they did not initiate, and an AiTM proxy that relays the password triggers a genuine prompt at exactly the moment the user expects one. Number matching raises the bar against fatigue attacks but does not stop a relayed login, since the proxy simply shows the user the number the real service returned

Phishing-Resistant Alternatives

FIDO2/WebAuthn with hardware security keys is phishing-resistant by construction rather than by user vigilance. Each credential is scoped to the relying party's domain (the RP ID), and the browser places the page origin into the data that the key signs, so a credential registered for the real login domain is never offered to a look-alike domain hosting a proxy and could not produce a valid assertion for it if it were. The service verifies the origin and the RP ID hash as part of the signed response, which no relayed SMS or TOTP code can carry. Passkeys are FIDO2 credentials that may be synced across a user's devices through a platform account; they are now supported across major platforms and offer the same origin binding with better usability. One caveat: a synced passkey's security rests partly on the platform account that syncs it, so privileged accounts are better served by device-bound credentials such as hardware keys.


Implementation Roadmap

  • Audit which MFA methods each user actually has registered and identify high-risk users (administrators, executives, finance, help desk)
  • Deploy FIDO2 keys to privileged accounts first, issuing at least two per person so that a lost key does not force a fallback to a weaker method
  • Enable passkey support in identity providers
  • Implement conditional access policies that require phishing-resistant MFA for sensitive applications, then remove SMS and TOTP as permitted methods for those users; an attacker only needs the weakest method the account still accepts


The transition to phishing-resistant authentication is not optional: credential phishing and AiTM session theft are among the most common and most damaging attacks organizations face today, and they are precisely the attacks that legacy MFA fails to stop.

Tags: MFA Authentication Identity