When MFA Isn't Good Enough Any Longer: An Urgent Call for Stronger Identity Security
Mark Akins
Fractional CISO & CTO | vCISO | Cybersecurity Risk Transformation | Secure Architecture | A-CISO, CISSP, CISA, MCSE
As Chief Information Security Officers (CISOs), we have a duty to ensure that our organizations are protected by the best defenses available. For years, we've relied on Multi-Factor Authentication (MFA) to serve as a cornerstone of our security strategies. MFA was once the cutting-edge solution that promised to solve many of the risks inherent in password-based security. Unfortunately, the reality is that MFA, in its current form, is no longer sufficient. As Dan Lohrmann, a noted security expert, eloquently said during his presentation at the 2024 ISC2 Security Congress, “MFA is not a silver bullet” (Lohrmann, 2024). And it's time for us to reconsider how we secure identity ecosystems.
The Erosion of MFA's Effectiveness
The adoption of MFA skyrocketed in response to the well-documented vulnerabilities of passwords. We implemented MFA to solve the problem of weak passwords and reduce the likelihood of account compromise. But the rapid evolution of the threat landscape means that attackers have found ways to circumvent MFA, and they’re doing so with increasing frequency.
Take, for example, MFA fatigue attacks. In these cases, attackers exploit users by repeatedly sending MFA push notifications, often late at night. The victim, groggy and disoriented, eventually approves the request out of sheer frustration or confusion, inadvertently giving attackers access. This type of attack preys on human weakness, demonstrating that even strong technical controls can be bypassed through psychological manipulation (Grimes, 2021).
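The pattern described above is visible in identity-provider logs: a burst of denied or timed-out push prompts followed by an approval. The following detector is an added example, not code from the article or from any vendor; the log format and the sample events are constructed for illustration, and the window and threshold are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of identity-provider push-prompt events (not real logs).
# Each line: UTC timestamp, user, outcome of the push prompt.
SAMPLE_EVENTS = """\
2024-10-14T02:03:11Z alice denied
2024-10-14T02:03:40Z alice denied
2024-10-14T02:04:05Z alice timeout
2024-10-14T02:04:31Z alice denied
2024-10-14T02:05:02Z alice approved
2024-10-14T09:15:00Z bob approved
2024-10-14T09:16:10Z bob denied
"""


def parse_events(text):
    """Parse 'timestamp user outcome' lines into (datetime, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome))
    return events


def find_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Flag every approval preceded by >= threshold non-approvals within the window.

    An approval that follows a run of denials or timeouts is the signature of a
    user who gave in to repeated prompts, so it is worth an alert and a review.
    """
    by_user = defaultdict(list)
    for ts, user, outcome in sorted(events):
        by_user[user].append((ts, outcome))
    alerts = []
    for user, history in by_user.items():
        for i, (ts, outcome) in enumerate(history):
            if outcome != "approved":
                continue
            prior = [o for t, o in history[:i] if ts - t <= window and o != "approved"]
            if len(prior) >= threshold:
                alerts.append({
                    "user": user,
                    "approved_at": ts,
                    "prior_rejections": len(prior),
                    "off_hours": ts.hour < 6,  # assumed "late at night" heuristic (UTC)
                })
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Number matching or requiring the user to enter a code shown on the login screen removes the one-tap approval this detector is looking for, so the alert count should drop to near zero once that control is enabled.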
Moreover, as Lohrmann discussed in his presentation, the very factors we rely on—such as SMS-based MFA or even biometric factors—have been exploited. SMS, for instance, is vulnerable to SIM-swapping attacks, where attackers convince mobile carriers to switch the victim’s phone number to a device under their control. Once they have control of the phone number, intercepting one-time passwords (OTPs) is trivial. Despite this, SMS remains a widely accepted method of second-factor authentication across industries. The continued use of SMS as a primary MFA method represents a systemic failure to keep pace with evolving threats.
Understanding the Broader Ecosystem: It's More Than Just MFA
One of the primary reasons MFA is no longer enough is that it is often deployed without a holistic view of the overall security ecosystem. We tend to treat MFA as a “patch” for the broken password model, but we often overlook the fact that attackers are not limited to a single entry point.
MFA is typically implemented to safeguard a very limited scope, such as logging into an application or accessing corporate networks. But in an enterprise setting, we have multiple identity touchpoints that are often forgotten. For example, email-based password resets remain a weak link in the chain. Attackers who compromise a user’s email account can reset passwords for critical services like VPNs, cloud applications, or even payroll systems, using only that compromised email account.
Lohrmann vividly compared this to putting a padlock on a tent with no floor. Sure, the padlock gives the appearance of security, but an attacker can simply lift the tent to bypass the lock entirely. The lock itself isn’t the problem; it’s the broader system that’s fundamentally flawed.
This analogy perfectly describes the state of identity security today. We focus on securing one entry point while leaving others wide open, making MFA little more than security theater unless it is deployed alongside a broader, risk-based security model.
The Fallacy of Federated Trust
Many MFA solutions rely on third-party authentication services, most commonly delivered through mobile devices. When a user authenticates via an MFA app on their phone, what’s really happening is that the service provider (such as Google or Microsoft) is telling your organization, “Yes, this is who they say they are.” This model introduces a new risk: federated trust. We are essentially outsourcing trust to third parties who may themselves be vulnerable to attack or operational failures.
For example, the growing threat of SIM-swapping exploits the very foundation of mobile-based MFA. Even biometric authentication, which seems nearly impenetrable, can be undermined if the device storing or verifying the biometric data is compromised. Lohrmann pointed out that “possession as a factor is broken,” especially when the device being used for authentication is also the device being attacked.
This is compounded by the fact that mobile carriers are notoriously bad at protecting against SIM-swapping. A 2022 investigation by the Federal Trade Commission (FTC) found that SIM-swapping attacks had increased by 400% over a two-year period, with many telecom providers unable to adequately protect their customers (Red5 Security, 2023). If the federated trust model is compromised at the carrier level, your organization’s MFA is just as vulnerable as the phone number linked to it.
Identity Proofing: The Missing Link
A key point that Lohrmann stressed is the critical role of identity proofing. He shared an example from his work with a critical infrastructure organization, where he discovered a serious gap: the process used to verify an employee’s identity during hiring was completely disconnected from the process used to issue their credentials. This created a situation where an attacker could present false credentials during the hiring process and gain access to the organization’s systems without raising red flags.
This highlights the importance of tying identity proofing to credential issuance. Many organizations assume that once MFA is in place, they no longer need to worry about how identity is verified. But if the initial proofing process is flawed, MFA becomes irrelevant. We must ensure that identity verification processes are robust and integrated across all stages of the user lifecycle, from onboarding to offboarding.
What Comes Next: Phishing-Resistant Authentication
The future of identity security lies in phishing-resistant MFA and passwordless authentication. Lohrmann argued that passwordless solutions such as hardware-based tokens (e.g., YubiKey) or biometrics tied to the user’s device are the next logical step in securing our ecosystems.
In fact, many government agencies, including the U.S. Department of Defense, have already begun mandating phishing-resistant authentication mechanisms. This push is driven by the recognition that traditional MFA, especially SMS- or email-based MFA, cannot withstand the types of advanced attacks we see today.
Those of us in the private sector should heed the same advice. Moving toward passwordless, phishing-resistant authentication isn’t just a security upgrade; it’s a necessary evolution to stay ahead of sophisticated attackers who continually find new ways to circumvent existing controls.
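What makes a hardware token phishing-resistant, as opposed to a one-time code the user can be talked into typing anywhere, is that the signed assertion covers the origin the browser actually observed, and the relying party refuses anything signed for another origin. The simulation below is an added example, not code from the article or from any FIDO2 library; it stands in for the authenticator's per-site asymmetric key with an HMAC secret to stay dependency-free, and the relying-party origin and user names are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Assumed relying-party origin (constructed for this example).
RP_ORIGIN = "https://login.example.com"


class Authenticator:
    """Stand-in for a hardware token. A real FIDO2 key signs with a per-site
    asymmetric key pair; an HMAC over a per-site secret is used here only to
    stay dependency-free. What matters is what the signature covers: the
    challenge AND the origin reported by the browser, which the user cannot alter."""

    def __init__(self):
        self._keys = {}

    def register(self, rp_origin):
        self._keys[rp_origin] = secrets.token_bytes(32)
        return self._keys[rp_origin]  # handed to the RP at enrolment

    def assert_login(self, rp_origin, challenge, browser_origin):
        client_data = json.dumps(
            {"challenge": challenge, "origin": browser_origin}, sort_keys=True
        ).encode()
        return client_data, hmac.new(self._keys[rp_origin], client_data, hashlib.sha256).digest()


class RelyingParty:
    def __init__(self, origin):
        self.origin = origin
        self.credentials = {}
        self.pending = {}

    def enrol(self, user, authenticator):
        self.credentials[user] = authenticator.register(self.origin)

    def start_login(self, user):
        self.pending[user] = secrets.token_hex(16)  # fresh challenge per attempt
        return self.pending[user]

    def finish_login(self, user, client_data, signature):
        data = json.loads(client_data)
        if data.get("challenge") != self.pending.pop(user, None):
            return False  # unknown or replayed challenge
        if data.get("origin") != self.origin:
            return False  # signed on another origin: this is the phishing-resistant check
        expected = hmac.new(self.credentials[user], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def login(rp, authenticator, user, browser_origin):
    """Run one login with the browser at browser_origin; returns True on success."""
    challenge = rp.start_login(user)
    client_data, sig = authenticator.assert_login(rp.origin, challenge, browser_origin)
    return rp.finish_login(user, client_data, sig)
```

An SMS or TOTP code carries no origin at all, which is why a relying party cannot tell a code entered on its own page from one entered on a lookalike page; the origin check in finish_login is exactly the property that is missing.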
Conclusion: Time for a Reality Check
As security leaders, it’s time we face the uncomfortable truth: MFA, in its current form, is no longer sufficient. The threats we face today are far more advanced than they were even five years ago, and attackers are constantly developing new methods to bypass MFA protections. We can no longer rely on single-point solutions like MFA to protect our organizations.
Instead, we must embrace a broader, risk-based approach that includes strong identity proofing, integrated security controls, and a shift toward phishing-resistant, passwordless authentication. Only by recognizing the limitations of MFA and addressing the systemic weaknesses in our identity ecosystems can we ensure that we’re truly protecting our organizations against today’s threats.
References
Federal Trade Commission. (2022). SIM swapping: How to protect yourself. Retrieved from https://consumer.ftc.gov/consumer-alerts/2019/10/sim-swap-scams-how-protect-yourself
Grimes, R. (2021). Hacking Multi-Factor Authentication. Wiley.
Lohrmann, D. (2024). Hacking and Armoring Identity Ecosystems: When MFA isn't good enough any longer [Presentation]. ISC2 Security Congress, Las Vegas, NV.
Red5 Security. (2023). SIM Swapping Attacks: A Surprisingly Common Cyberthreat. Retrieved from https://www.red5security.com/resources/sim-swapping-attacks-a-surprisingly-common-cyberthreat#:~:text=Subscriber%20Identification%20Module%20%28SIM%29%20swapping%20attacks%20are%20a,2022%2C%20according%20to%20the%20Federal%20Trade%20Commission%20%28FTC%29
Hunt, T. (2023). Have I Been Pwned? Retrieved from https://haveibeenpwned.com/
Connect with me on LinkedIn for further insights and discussions on cybersecurity strategies and the evolving security landscape.
IT Manager at Global Blue Portugal | Digital Technology and CRM Specialist
1 month: It’s interesting how quickly security measures can become outdated. Rethinking strategies is definitely essential in this ever-evolving landscape.