Why Modern MFA Keeps Failing and Why Assured Identity is the Next Security Frontier

Introduction

For most of cybersecurity’s history, attackers were forced to break into systems. They exploited software vulnerabilities, bypassed perimeter defenses, and escalated privileges once inside. That model is increasingly obsolete.

Today’s attackers log in.

Credential theft, authentication workflow abuse, and real time session relay attacks have become the most reliable and scalable methods of compromise. In response, organizations have spent more than two decades deploying multi factor authentication and authenticator applications. Yet identity driven breaches continue to rise across every sector.

This persistence of failure is not due to lack of adoption. It is due to a mismatch between modern threats and legacy authentication assumptions.

Most deployed authentication systems still treat identity as something a user knows or something a user possesses. A password. A phone. A code. A prompt. These signals were once sufficient. In the current threat environment, they are not.

To understand why, it is necessary to examine how attackers systematically defeat modern MFA and why incremental improvements have failed to close the gap.

From breaking in to logging in

The most consequential change in cyber operations over the last decade is not a new exploit class. It is the efficiency of identity abuse.

Once authenticated, attackers inherit trust. Security controls are optimized to detect anomalies after access is granted, not to challenge the legitimacy of the authenticated entity itself. Identity has become the primary attack surface because authentication remains the weakest gate.

Multi factor authentication was intended to raise the cost of impersonation. In practice, many implementations still rely on authentication signals that can be intercepted, replayed, proxied, or socially engineered in real time.

Primary failure modes in modern MFA

SIM swapping and temporary carrier compromise: SIM swapping is often described as a sophisticated attack. In reality, it is frequently transient and opportunistic. An attacker only needs brief control over a victim’s mobile number. That short window is sufficient to intercept authentication or recovery messages, reset credentials, register new authentication methods, and permanently seize account control. This is not limited to SMS based MFA. Many account recovery and identity proofing workflows ultimately rely on phone numbers as a root of trust. Carrier infrastructure was never designed to assert identity. Treating it as such introduces systemic risk outside the defender’s control.

Device code phishing and consent abuse: Device code authentication was designed to improve usability on constrained devices. It assumes that user consent implies legitimacy. Attackers exploit this assumption by initiating legitimate authentication flows and coercing victims into completing them. No passwords are required. MFA requirements are often satisfied. From the system’s perspective, authentication is successful. The failure lies in intent verification. The system confirms that authentication occurred, not who initiated it or for what purpose. As a result, consent becomes a transferable signal that attackers can reliably manipulate.

Real time man in the middle relay attacks: Modern phishing kits no longer harvest credentials for later use. They proxy entire authentication sessions in real time. Victims enter credentials on spoofed sites that relay them instantly to legitimate services. MFA challenges are relayed back to the victim, who approves a valid prompt from a real provider. Authentication succeeds and the attacker gains access. No malware is required. No vulnerability is exploited. The user behaves exactly as trained. This attack demonstrates a core limitation of authenticator apps and push based MFA. They authenticate actions, not actors.

Additional attack classes that overwhelmingly defeat authenticator apps

Beyond the primary techniques above, a wide range of well-established attack classes exploit the same structural weaknesses in possession and knowledge-based authentication systems.

  • SMS based man in the middle attacks intercept or proxy one time codes before expiration.
  • Supply chain attacks compromise upstream SMS aggregators, notification services, or recovery providers, exposing authentication signals even when core identity platforms remain intact.
  • Compromised MFA workflow bypasses exploit logic flaws, fallback paths, or error handling conditions where MFA enforcement fails silently.
  • Pass the cookie attacks reuse stolen session tokens after authentication, bypassing MFA entirely.
  • Server side request forgeries trick backend services into issuing or validating authentication events without legitimate user interaction.
  • Social engineering persuades users to approve prompts, share codes, or initiate recovery flows under pressure.
  • Stolen phones convert device possession into identity compromise when authentication secrets are stored locally.
  • Human hand over of codes occurs when victims are convinced to read or paste authentication codes in real time.
  • SMS duplication systems allow attackers to receive message copies without disrupting victim devices.
  • Stolen random number seeds allow indefinite generation of valid time based codes once shared secrets are extracted.
  • MFA fatigue attacks overwhelm users with prompts until approval becomes reflexive.

Each of these succeeds for the same reason. Authenticator apps and legacy MFA verify the correctness of a signal, not the presence of the correct human.

The common root cause: transferable authentication

Although these attacks appear diverse, they share a single architectural weakness.

Authentication relies on signals that can be transferred.

If a credential, code, prompt, or approval can be relayed or reused, attackers will automate its exploitation. Increasing factor count does not resolve this issue. It often increases complexity without increasing assurance.

The problem is not insufficient MFA. It is misplaced trust.

AI acceleration and interactive deepfakes: how modern identity attacks are executed at scale

What distinguishes today’s identity attacks from earlier phishing campaigns is not creativity, but automation.

Commercially available adversary-in-the-middle frameworks such as Tycoon 2FA, Evilginx, Modlishka, and related derivatives now provide attackers with complete, end-to-end authentication interception capabilities. These tools act as transparent reverse proxies, relaying credentials, authentication challenges, OAuth grants, and session tokens between victims and legitimate services in real time. From the service’s perspective, authentication is valid. From the user’s perspective, everything appears normal.

These frameworks are increasingly paired with AI-generated infrastructure. Artificial intelligence is now routinely used to produce pixel-perfect replicas of enterprise login portals, dynamically personalized phishing emails, and highly contextual lures that reference real projects, vendors, or executives. The visual and linguistic gap between legitimate and malicious content has effectively disappeared.

Device code abuse and OAuth consent phishing have also been industrialized. Campaigns such as the widely reported ShinyHunters OAuth onslaught demonstrate how attackers exploit trusted platforms like LinkedIn to trick users into granting long-lived OAuth tokens to cloud applications including Salesforce. No malware is deployed. No passwords are stolen. MFA requirements are technically satisfied, yet attackers gain persistent access without triggering alerts.

Session hijacking techniques further extend the impact. Once authentication has occurred, stolen session cookies can be reused without re-triggering MFA. The authentication boundary is crossed only once, after which enforcement effectively ends.

These techniques were operational throughout 2025 and widely reported across industries including insurance, aviation, retail, hospitality, and enterprise SaaS.

It is also important to be explicit about the targets of these frameworks. Toolkits such as Tycoon 2FA have been repeatedly observed targeting widely deployed authenticator ecosystems, including Microsoft Authenticator and Google account authentication workflows. These kits are optimized to proxy Microsoft Entra authentication, Microsoft Authenticator push approvals, Gmail and Google Workspace login flows, and other cloud identity platforms that rely on app-based approvals, device codes, or OAuth consent.

Artificial intelligence has fundamentally altered the scale and realism of identity attacks.

Automated phishing kits now generate domains, clone login portals, and adapt language dynamically. Entry barriers have collapsed.

More significantly, interactive deepfakes are emerging as operational tools. Real time voice cloning and video synthesis are already being used in live collaboration platforms to impersonate executives, administrators, and vendors.

This eliminates traditional cues used to detect deception. Authentication systems that rely on human judgment under pressure are no longer viable.

Why USB keys remain legacy possession-based security

Physical USB security keys are often positioned as a modern alternative to authenticator apps. Most are not.

They are rooted in a possession-based security model developed decades ago. Possession implies trust.

This assumption fails under modern conditions.

  • USB keys are frequently inconvenient, reducing adoption and encouraging workarounds, such as falling back to backup codes or leaving the key permanently plugged into the laptop.
  • They are easily lost, stolen, or forgotten, with no continuous assurance of who holds them.
  • There is no inherent guarantee that the person using the key is its rightful owner.
  • Counterfeit USB keys and malicious replicas exist at scale.
  • USB ports remain a primary malware vector and are often restricted or disabled in secure environments.
  • Many regulated enterprises and United States government agencies prohibit USB authentication devices entirely.
  • Possession does not equal identity. Any system built on that assumption is fragile.
  • Moving to passwordless with a USB key alone is dangerous, because the system has no assurance of who is actually holding that key.

Why rotating codes still leave humans in the loop

Time based codes that change every twenty or thirty seconds are often presented as secure due to short validity windows.

Expiration does not prevent compromise when humans remain part of the transmission path.

Attackers relay codes instantly. Social engineering extracts them immediately. Automation eliminates timing constraints.

As long as authentication relies on something a human can read, type, approve, or share, it remains exploitable.

Humans do not fail maliciously. They fail predictably. Systems that require flawless human judgment will fail at scale.

From MFA to Assured Identity

What is required is not better MFA, but a different model.

Assured Identity shifts focus from factors to certainty. It asks whether the real human is physically present and verifiably who they claim to be.

Biometric verification is central to this model, not as a convenience feature but as a root of trust.

Biometrics, securely stored offline, are not transferable. They cannot be phished, relayed, stolen or approved remotely. They bind authentication to a living human rather than to an artifact.

When combined with cryptographic origin validation and local enforcement, biometric Assured Identity collapses the dominant attack classes.

SIM swaps fail because recovery is no longer carrier dependent.

Device code phishing fails because consent alone is insufficient.

Relay attacks fail because authentication cannot be proxied.

Deepfake driven social engineering fails because persuasion does not equal presence.

Most critically, Assured Identity removes humans from decision making at the moment of attack. The system enforces legitimacy.
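As an added illustration (not Token's code and not taken from this article), the Python sketch below shows why cryptographic origin validation stops a reverse-proxy relay: the authenticator signs the relying party's challenge together with the origin the browser actually loaded, and the relying party rejects any assertion whose origin is not its own, whose signature does not match, or whose challenge has already been consumed. The relying-party origin, the sample proxy origin, and the per-device HMAC key standing in for an asymmetric credential key (as in WebAuthn) are assumptions made for the demo.

```python
import hashlib, hmac, json, os, secrets

# Constructed demo values. A real deployment uses an asymmetric credential key
# (as in WebAuthn); a per-device HMAC key is a stand-in that runs offline.
RP_ORIGIN = "https://login.example.test"
DEVICE_KEY = os.urandom(32)


class RelyingParty:
    def __init__(self, origin, device_key):
        self.origin, self.device_key, self.outstanding = origin, device_key, set()

    def issue_challenge(self):
        challenge = secrets.token_hex(16)
        self.outstanding.add(challenge)
        return challenge

    def verify(self, client_data, signature):
        # Signature covers the client data exactly as the authenticator saw it, so a
        # proxy cannot rewrite the origin field without invalidating the signature.
        expected = hmac.new(self.device_key, client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return "bad_signature"
        data = json.loads(client_data)
        if data.get("origin") != self.origin:
            return "origin_mismatch"     # assertion was produced on a proxy/phishing origin
        if data.get("challenge") not in self.outstanding:
            return "unknown_challenge"   # stale, or already consumed (replay)
        self.outstanding.discard(data["challenge"])
        return "ok"

def authenticator_sign(device_key, challenge, browser_origin):
    # The authenticator binds the challenge to the origin the browser actually loaded.
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin},
                             sort_keys=True).encode()
    return client_data, hmac.new(device_key, client_data, hashlib.sha256).digest()

def direct_login(rp):
    return rp.verify(*authenticator_sign(DEVICE_KEY, rp.issue_challenge(), rp.origin))

def relayed_login(rp, proxy_origin):
    # The proxy forwards the RP's real challenge, but the victim's browser is on
    # proxy_origin, so the signed client data names the proxy rather than the RP.
    return rp.verify(*authenticator_sign(DEVICE_KEY, rp.issue_challenge(), proxy_origin))

def replayed_login(rp):
    # A captured assertion submitted a second time fails: the challenge is single use.
    client_data, sig = authenticator_sign(DEVICE_KEY, rp.issue_challenge(), rp.origin)
    return rp.verify(client_data, sig), rp.verify(client_data, sig)
```

Contrast this with a one-time code, which carries no origin and no signature: the relying party cannot tell whether the same six digits were typed on its own page or relayed from a proxy.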

Usability, wireless authentication, and compliance

Stronger security is often assumed to reduce usability. In practice, the opposite is increasingly true.

Wireless (BLE) biometric authentication removes codes, prompts, and manual steps. Authentication becomes a natural action rather than a cognitive decision, and it must occur within 3 feet of the computer being logged into.

This improves compliance. Users adopt security that is effortless. It also reduces error by eliminating opportunities for mistaken approvals.

In environments where attackers rely on urgency and confusion, reducing cognitive load is a defensive advantage.

Convenience is not a weakness. It is an enabler of assurance.

Designing identity systems for modern threats

CISOs and identity architects should evaluate authentication systems using a different set of criteria.

  • Can authentication be relayed or proxied?
  • Can access be approved remotely?
  • Do recovery workflows rely on third party infrastructure outside security control?
  • Does the system trust consent more than verified identity?
  • Can social engineering override enforcement?

If any answer is yes, the system will fail against modern attackers.

Assured Identity provides a path forward. Identity that is biologically verified, cryptographically bound, and locally enforced. Identity that does not rely on judgment or transferable secrets.

Conclusion

Attackers have adapted faster than authentication architectures.

MFA and authenticator apps were necessary advances two decades ago. They are no longer sufficient. In fact, they have become targets in their own right, with simple downloadable kits available to defeat them.

As AI driven phishing, automated attack kits, and interactive deepfakes become standard tools, identity security must move beyond factors toward certainty.

Assured Identity represents that shift. Identity that cannot be transferred, relayed, or socially engineered.

The future of identity security will not be defined by more prompts or more layers. It will be defined by systems that make impersonation impossible.

That is the boundary modern attackers cannot cross.

Summary

Assured Identity should be understood not as a product category, but as an evolution in identity assurance itself. It reflects a shift away from authenticating transferable signals toward verifying human presence and intent. Much as endpoint security evolved from signature-based detection to prevention-based assurance, identity security must evolve from factor-based authentication to assured identity. This transition aligns directly with Zero Trust principles by eliminating implicit trust at the point of access and enforcing non-transferable verification of the user. In an era dominated by automation, impersonation, and AI-driven deception, Assured Identity represents the next necessary stage in the maturity of identity security.


About the Author: Kevin Surace is a technology executive, inventor, and security thought leader focused on AI, identity, authentication, and emerging threats. He has spent decades building and scaling enterprise technology platforms, holds 95 worldwide patents, and is known as the father of the AI Assistant. Kevin advises CISOs, boards, and policymakers on identity risk and the impact of automation and AI.

About the Company: In a world of stolen identities and compromised user credentials, Token is changing the way our customers secure their organizations by providing passwordless, biometric, multifactor authentication. We deliver the next generation of security that is invulnerable to social engineering, malware, and tampering for organizations where breaches, data loss, and ransomware must be prevented.
