Why SMS and Push MFA Alone Are No Longer Enough
For years, businesses and individuals have been told the same thing: enable Multi-Factor Authentication (MFA) to protect your accounts. That advice is still absolutely correct. MFA remains one of the most effective ways to reduce the risk of account compromise.
However, recent attacks targeting Microsoft 365 users demonstrate an important reality many businesses are only beginning to understand: attackers are no longer just stealing passwords. They are increasingly targeting the authentication process itself.
A recent phishing campaign, Tycoon2FA device code phishing, highlights how modern attackers combine legitimate authentication workflows with social engineering to gain access to business accounts.
Additionally, MFA Prompt Bombing attacks are becoming more frequent due to their success.
These attacks are a strong reminder that security today depends not only on technology, but also on awareness and behavior. Additionally, using authenticator app MFA or passkeys can provide added protection.
How These Attacks Work
Traditional phishing attacks often rely on fake login pages designed to steal usernames and passwords.
The Microsoft 365 attack was different. Instead of stealing credentials directly, attackers abused Microsoft’s legitimate OAuth device code sign-in flow. Victims were tricked into entering a real Microsoft authentication code and approving access themselves. Because the authentication took place on Microsoft’s own systems, the login request appeared legitimate.
Once approved, attackers gained access to the victim’s Microsoft 365 account, including:
email
cloud files
internal communications
connected applications
In other words, the attacker did not “hack” Microsoft. They manipulated the user into unknowingly authorizing access.
MFA Prompt Bombing: When Users Approve Access by Accident
One of the fastest-growing MFA bypass techniques is known as MFA prompt bombing or MFA fatigue. Attackers rely on repetition, urgency, confusion, and distraction to convince users to approve access requests they did not initiate.
The attack is simple:
An attacker obtains a valid username and password through breach data.
They repeatedly attempt to log in.
The victim receives dozens of MFA approval requests.
Eventually, the victim approves one of the prompts, whether accidentally, out of frustration, or because they believe it is legitimate.
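Both patterns described above, a device code sign-in the user did not expect and a burst of MFA prompts followed by an approval, leave traces in sign-in logs. The detector below is an added example, not code from the original post or from Microsoft: it replays constructed sample records modelled on Microsoft Entra sign-in log exports and flags both patterns. The field names (userPrincipalName, ipAddress, authenticationProtocol, status.errorCode) and the failed-MFA error code 500121 are assumptions about that schema; verify them against your own tenant's export before relying on them.

```javascript
// Added example, not code from the original post: replays constructed sign-in
// records shaped like Microsoft Entra sign-in log exports and flags the two
// patterns the post describes. Field names and the error code below are
// assumptions modelled on the Graph signIn schema; check them against your export.

const MFA_FAILED_CODE = 500121;    // assumed code: authentication failed during strong authentication request
const WINDOW_MS = 10 * 60 * 1000;  // failed prompts within ten minutes count as one burst
const PROMPT_THRESHOLD = 5;        // this many failed prompts in one window is a burst

// Helper to build a constructed record in the assumed export shape.
function rec(time, user, ip, protocol, code) {
  return { createdDateTime: time, userPrincipalName: user, ipAddress: ip,
           authenticationProtocol: protocol, status: { errorCode: code } };
}

// Constructed sample records (not real log data).
const SAMPLE_SIGNINS = [
  // alice: a normal interactive sign-in, then a device code sign-in from an address she has never used
  rec('2024-05-01T08:00:00Z', 'alice@example.com', '203.0.113.10', 'oAuth2', 0),
  rec('2024-05-01T09:15:00Z', 'alice@example.com', '198.51.100.77', 'deviceCode', 0),
  // bob: six MFA prompts fail in under four minutes, then one is approved
  rec('2024-05-01T22:00:00Z', 'bob@example.com', '198.51.100.5', 'oAuth2', MFA_FAILED_CODE),
  rec('2024-05-01T22:00:40Z', 'bob@example.com', '198.51.100.5', 'oAuth2', MFA_FAILED_CODE),
  rec('2024-05-01T22:01:20Z', 'bob@example.com', '198.51.100.5', 'oAuth2', MFA_FAILED_CODE),
  rec('2024-05-01T22:02:00Z', 'bob@example.com', '198.51.100.5', 'oAuth2', MFA_FAILED_CODE),
  rec('2024-05-01T22:02:40Z', 'bob@example.com', '198.51.100.5', 'oAuth2', MFA_FAILED_CODE),
  rec('2024-05-01T22:03:20Z', 'bob@example.com', '198.51.100.5', 'oAuth2', MFA_FAILED_CODE),
  rec('2024-05-01T22:05:00Z', 'bob@example.com', '198.51.100.5', 'oAuth2', 0),
  // carol: a single failed prompt, which is normal noise
  rec('2024-05-01T12:00:00Z', 'carol@example.com', '203.0.113.44', 'oAuth2', MFA_FAILED_CODE),
];

const ts = (r) => Date.parse(r.createdDateTime);

// Pattern 1: successful device code sign-ins, marking those from an address the
// user has never used in any other successful sign-in.
function findDeviceCodeSignIns(records) {
  const knownIps = new Map();
  for (const r of records) {
    if (r.status.errorCode === 0 && r.authenticationProtocol !== 'deviceCode') {
      if (!knownIps.has(r.userPrincipalName)) knownIps.set(r.userPrincipalName, new Set());
      knownIps.get(r.userPrincipalName).add(r.ipAddress);
    }
  }
  return records
    .filter((r) => r.authenticationProtocol === 'deviceCode' && r.status.errorCode === 0)
    .map((r) => ({
      user: r.userPrincipalName,
      time: r.createdDateTime,
      ip: r.ipAddress,
      newIp: !(knownIps.get(r.userPrincipalName) || new Set()).has(r.ipAddress),
    }));
}

// Pattern 2: per user, the densest window of failed MFA prompts; report it when
// it reaches the threshold, and note whether a success followed within the window.
function findPromptBombing(records) {
  const byUser = new Map();
  for (const r of records) {
    if (!byUser.has(r.userPrincipalName)) byUser.set(r.userPrincipalName, []);
    byUser.get(r.userPrincipalName).push(r);
  }
  const alerts = [];
  for (const [user, list] of byUser) {
    list.sort((a, b) => ts(a) - ts(b));
    const failed = list.filter((r) => r.status.errorCode === MFA_FAILED_CODE);
    let best = { count: 0, start: 0, end: -1 };
    let start = 0;
    for (let end = 0; end < failed.length; end++) {
      while (ts(failed[end]) - ts(failed[start]) > WINDOW_MS) start++;
      const count = end - start + 1;
      if (count > best.count) best = { count, start, end };
    }
    if (best.count < PROMPT_THRESHOLD) continue;
    const lastFail = ts(failed[best.end]);
    const approvedAfter = list.some((r) => r.status.errorCode === 0 &&
      ts(r) >= lastFail && ts(r) - lastFail <= WINDOW_MS);
    alerts.push({ user, failedPrompts: best.count, firstAt: failed[best.start].createdDateTime,
                  lastAt: failed[best.end].createdDateTime, approvedAfter });
  }
  return alerts;
}

console.log(findDeviceCodeSignIns(SAMPLE_SIGNINS));
console.log(findPromptBombing(SAMPLE_SIGNINS));
```

Run with node: findDeviceCodeSignIns reports alice's device code login and that it came from an address she had not used before, and findPromptBombing reports bob's six failed prompts within ten minutes followed by a success, which is exactly the sequence the post says should trigger an immediate password reset. Carol's single failed prompt stays below the threshold, as it should.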
Why MFA Still Matters
Some people mistakenly interpret attacks like this as proof that MFA is ineffective. However, MFA of any form still makes you a harder target, with authenticator app MFA (one-time codes rather than push prompts) being the most effective. Without MFA, attackers can easily access accounts with a stolen password, leaked credentials, or a successful phishing email.
MFA still reduces the likelihood of account compromise and remains one of the most important security controls businesses can implement.
However, attacks like Tycoon2FA demonstrate that attackers are adapting. Instead of bypassing MFA technically, they increasingly attempt to manipulate users into approving authentication requests themselves.
This is why awareness and verification habits are now just as important as the technology itself.
Why Passkeys Are Becoming More Important
Passkeys are emerging as one of the strongest defenses against phishing-based account compromise.
Unlike traditional passwords, passkeys:
are tied to trusted devices
use biometric authentication or device PINs
are resistant to credential theft
are far more difficult to phish remotely
Major platforms including Microsoft, Google, Apple, and many password managers now support passkeys.
For businesses and individuals, passkeys can significantly reduce the risk of:
password theft
credential reuse
phishing-based login compromise
As attackers continue targeting passwords and authentication workflows, phishing-resistant authentication methods will become increasingly important.
What Businesses and Individuals Should Do
Reducing risk today requires both technical protections and behavioral awareness.
Businesses should:
Enable MFA on all critical accounts
Use phishing-resistant authentication methods (passkeys or hardware keys) where possible
Train employees on modern phishing techniques
Be cautious of unexpected authentication requests; if you are unsure whether you initiated a request, do not approve it
Reset passwords immediately if you receive authentication requests you did not initiate
Verify sensitive requests independently
Reduce unnecessary public exposure online
Employees and business owners should never approve:
unexpected MFA prompts
device authentication requests
login approvals they did not initiate
Even legitimate-looking authentication requests should be treated cautiously if they are unexpected.
How We Help Businesses Stay Protected
At Du-Zel Consulting, we help businesses and individuals strengthen their cybersecurity posture against modern threats by understanding their online footprint and breached credentials, conducting due diligence, and helping our clients become hard targets against social engineering and impersonation attacks. We additionally provide training and updates on the most recent threats affecting our clients.
The businesses that proactively strengthen their defenses today will be far better prepared for tomorrow’s threats.