
Phishing-Resistant MFA: Why SMS Codes Aren't Enough

June 8, 2026 / 5 min read / TeknaByte

Enabling multi-factor authentication is the highest-return security decision most businesses ever make. It stops the overwhelming majority of account takeovers, because a stolen password alone is no longer enough to log in. So this isn’t an argument against MFA - it’s an argument for finishing the job. The MFA most companies turned on first, the kind that texts you a six-digit code, is the kind attackers have already learned to beat. The good news is that the fix is available, usually free, and already sitting in tools you own.

How attackers beat SMS and push codes

There are three common ways the weaker forms of MFA fail, and none of them require breaking any encryption.

SIM swapping. An attacker convinces your mobile carrier to move your phone number to their SIM. Now the texted code arrives on their phone. This has been used in targeted attacks for years, and carriers are still inconsistent at stopping it.

Real-time phishing (adversary-in-the-middle). This is the big one. A convincing fake login page sits between you and the real service. You type your password and your one-time code into the fake page; the attacker’s server instantly replays both to the real service and logs in. The code was valid - it just got used by someone else, in real time. SMS codes, authenticator-app codes, and push approvals are all defeated this way, because all of them can be relayed.

MFA fatigue. With push-approval MFA, an attacker who already has your password just spams approval prompts to your phone until, tired or confused, you tap “approve.” Several major breaches started exactly here.

The common thread: these methods prove you have a code, but they don’t prove you’re talking to the real website. That’s the weakness.

What “phishing-resistant” actually means

Phishing-resistant MFA closes the relay gap by binding your login to the specific, legitimate site you’re authenticating to. The two mainstream forms are FIDO2 security keys (a physical key you tap) and passkeys (the same technology built into phones and laptops via fingerprint or face unlock).

Under the hood, these use public-key cryptography tied to the real domain. The authenticator will only release its proof to the genuine site it was registered with. Land on a look-alike phishing page and there’s simply nothing to phish - the key refuses to respond, because the domain doesn’t match. There’s no code to type, relay, or approve, which also kills SIM swapping and MFA fatigue in one move.

You probably already own this

Here’s the part that makes this an easy decision: phishing-resistant MFA is built into the platforms most businesses already run. Microsoft 365 and Entra ID support passkeys and FIDO2 keys natively, and Conditional Access can require phishing-resistant methods for the accounts that matter most. Enabling it is a configuration change and a short rollout, not a new product to buy.

A sensible rollout is tiered: require phishing-resistant MFA first for the high-value accounts - administrators, finance, executives - then expand. This is exactly the kind of identity hardening that belongs in a properly managed cloud rather than left at default settings.

The honest priority order

If you have no MFA, turn on any MFA today - even SMS is far better than a password alone. But don’t stop there and assume you’re done. The realistic threat for most businesses now is real-time phishing, and the only MFA that defeats it is the phishing-resistant kind. Treat “we have MFA” as step one, not the finish line.

Getting the rollout right - which accounts, which methods, enforced through Conditional Access without locking people out - is the practical work, and it’s part of how a managed security program hardens identity across the business.

Not sure how your current MFA would hold up against a real phishing kit? Start with a free assessment.
