Rebootwe make IT work

The MFA attackers like

Last reviewed · July 14, 2026

The phone lights up at 2:14 AM. Approve sign-in? Deny. It buzzes again before you’re back asleep. Deny. Again at 2:19. Twice at 2:31. Somewhere around the sixth round, sleep starts making its case: approving is the only thing with a chance of stopping the phone.

Nothing in that scene is broken. The password fell weeks earlier, without ceremony: bought in a batch, or typed once into a login page that wasn’t one. What stands between the attacker and the mailbox now is one tired thumb. The attacks that actually work against MFA look like this. They don’t defeat the second factor; they request it, patiently, until somebody grants it.

The favor test

For years the whole of MFA advice fit in one word: on. Still step one. But the kinds have pulled far apart, and the honest way to rank them is by the favor the attacker still needs from you. There are only three. Read me the code. Tap approve. And, at the top of the ladder, no favor left to ask.

“Read me the code”

A code you can read is a code you can be asked for. The ask usually isn’t a phone call; it’s a login page. The urgent email walks you to a sign-in screen that looks exactly right, you type the password, and the page asks, the way the real one would, for your six digits. Behind the curtain it is passing everything to the real site as fast as you type. Microsoft documented one campaign of this kind aimed at more than ten thousand organizations, and its writeup is blunt about the outcome: the stolen session works “even if the target’s MFA is enabled.”

Codes from an authenticator app are a step up from codes by text, since a phone number can be moved onto someone else’s SIM, which is part of why current federal identity guidance files codes sent over phone lines under a restricted category. But both kinds produce a secret, and a secret a human can read, a human can be talked out of. The login page above never cared which app generated the digits.

“Just tap Approve”

Push notifications removed the code and left a button, which attackers appreciated.

There is a documented night that shows how much. In September 2022, by Uber’s own account of its breach, an attacker most likely bought a contractor’s corporate password after malware on a personal device scooped it up. Then the attacker simply tried to sign in, over and over. Each attempt sent the contractor an approval request. The contractor held out through repeated prompts, then accepted one, and the attacker was inside, eventually reaching internal tools and the company’s own Slack. Every detail in this paragraph is from Uber’s public report. No vulnerability, no exotic code. A password and persistence.

The genre now has names, push bombing, MFA fatigue, and none of it requires a careless person. It requires a tired one.

“Type the number you see”

The industry’s answer to the 2 AM storm is number matching: the sign-in screen shows a short number, and approving means typing that number into the phone. Watch what that does to the ambush. A sign-in you didn’t start displays its number on the attacker’s screen, the one place you can’t see, so there is nothing your half-asleep thumb can usefully do. If your firm signs in with Microsoft Authenticator push, you already have this: Microsoft turned number matching on for every Authenticator push notification and doesn’t offer an opt-out. Most other MFA platforms sell an equivalent under one name or another; whoever runs your identity can find the switch in an afternoon.

Its limit, stated plainly: number matching ends the ambush and leaves the con intact. On a relayed login page like the one above, you started the sign-in yourself, the number appears right there on the fake page, and you type it into your own phone believing every step. For that one, there’s a higher rung.

The rung with nothing left to ask

A passkey (the retail name for FIDO2, the standard behind hardware security keys and the fingerprint prompt) is a cryptographic key pair created for one specific site. The private half stays locked inside your device. At sign-in, the device answers a mathematical challenge and you confirm with the same face or fingerprint that unlocks the phone. Notice what’s missing: no code to read to anyone, no bare Approve button, nothing a login page can collect and replay.

The anti-phishing part is built into the design rather than into your alertness. A passkey answers only the exact site it was registered with. The lookalike domain, one letter off, is a stranger to it, and the credential simply does not respond. Nothing depends on you squinting at an address bar at the end of a long day.

The standards caught up to this. NIST’s current digital identity guideline (SP 800-63B, revision 4) defines phishing resistance as protection that does not lean on the user’s vigilance, and it now requires services at its middle assurance tier to offer at least one phishing-resistant option. CISA has been urging organizations in the same direction since 2022.

And the scene at the top of this page? With nothing to approve, there is no storm to send. The phone stays dark.

Climbing without making it a project

Start with one question to whoever runs your identity: when someone signs in from a new device, what exactly does the person see, and is number matching on? The answer places your firm on the ladder in about a minute. If it includes a code arriving by text for email accounts, move that first; the mailbox is where password resets, client files, and payment instructions all converge.

Then pilot passkeys with the handful of accounts an attacker values most: the owner, anyone who can move money, anyone with admin rights. A pilot, not a migration. Enrollment takes minutes per person, and the pilot will teach you more than a memo would. One habit as you climb: once a stronger method is working on an account, retire the weaker ones from that same account. A sign-in page offers whatever methods stay attached, and an attacker choosing from that menu picks the weakest.

Hardening Microsoft 365 sign-in is part of our daily work, so if you’d like to know which rung your firm is standing on, that’s a short conversation: contact us. Bring the cyber-renewal questionnaire if one is sitting on your desk. Its MFA questions will read differently now.

Book a 15-minute call →