Multi-Factor Authentication (MFA) is often treated as the silver bullet of access security — a control so effective that organisations feel invincible once it’s in place. Unfortunately, the reality is more complex. MFA can fail. It does fail. And when it does, the consequences are often severe.
Ransomware operators know this. In fact, some of the most high-profile breaches in recent years have bypassed or exploited MFA systems — not because MFA is inherently weak, but because it was misunderstood, misconfigured, or misapplied.
In this post, we explore how these failures occur, what attackers are exploiting, and how organisations can ensure their MFA implementation doesn’t become a false sense of security.
The Promise of MFA
Multi-Factor Authentication works by requiring at least two distinct types of verification:
- Something you know (a password)
- Something you have (a phone or token)
- Something you are (biometrics)
In theory, this reduces the likelihood of unauthorised access — even if credentials are leaked. In practice, not all MFA is equal, and not all implementations are resilient.
When MFA Fails
Poor MFA Choices: SMS and Email
Many organisations still rely on SMS- or email-delivered one-time codes, despite their well-known weaknesses. SIM swapping, man-in-the-middle attacks, and phishing kits designed to intercept OTPs all make such codes unreliable as a second factor.
Lack of Coverage
MFA might be rolled out on key applications but not across all access points. A VPN, internal webmail, or remote desktop portal without MFA becomes the weak link — and attackers know exactly where to look.
Phishing-Resistant MFA Not Used
Most breaches bypass MFA using phishing. Attackers send cloned login portals that capture both the username/password and the one-time code in real time and replay them to the genuine service. Without phishing-resistant MFA methods like FIDO2/WebAuthn, or push approvals that show the user the context of the request, MFA can be defeated within seconds.
MFA Fatigue Attacks
Ransomware actors have adopted “MFA prompt bombing”: sending repeated push notifications to a user’s phone until the user eventually approves one out of frustration or confusion. This technique has been used in breaches of Uber, Cisco, and others.
Bypassing MFA via Compromised Endpoints
If an attacker compromises a user's endpoint (e.g., via malware or token harvesting), they may gain access to cached credentials or session tokens, effectively bypassing MFA entirely. No prompt, no code — just persistence.
Real-World Breach Examples
Uber (2022) (https://ironscales.com/blog/ransomware-gangs-lapsus)
An attacker socially engineered an employee via a fake IT helpdesk message and then launched an MFA fatigue attack. After multiple push requests, the user approved the login — granting the attacker internal access.
Colonial Pipeline (2021) (https://www.forbes.com/councils/forbestechcouncil/2021/09/14/one-stolen-password-took-down-the-colonial-pipeline---is-your-business-next/)
Although MFA was enabled on most systems, a VPN account with single-factor access was still active. That one gap allowed attackers in — leading to a shutdown of fuel supply across the US East Coast.
Cisco (2022) (https://www.halock.com/employees-google-account-routes-hackers-into-ciscos-systems/)
Attackers used compromised Google credentials combined with MFA fatigue to gain access to internal systems. A single user mis-click was enough to breach one of the world’s largest network security companies.
Ransomware Loves MFA Weakness
Once inside, ransomware attackers escalate privileges, pivot laterally, and deploy payloads across infrastructure. MFA should slow or stop lateral movement — but if it's only enforced at the perimeter, it's often useless once an attacker gains a foothold.
In many incidents, ransomware operators explicitly look for:
- Privileged accounts without enforced MFA
- Systems using legacy authentication protocols (like POP, IMAP, or RDP)
- Session tokens that bypass login prompts
When MFA isn’t universally applied or hardened, it simply becomes a speed bump, not a barrier.
Strengthening MFA Defences
To defend against these failure modes, organisations need to go beyond the checkbox. That means:
- Use phishing-resistant MFA wherever possible — FIDO2, security keys, or biometric-based push approvals
- Enforce MFA universally, including VPNs, internal admin tools, and all third-party apps
- Limit fallback methods — disable email or SMS-based recovery unless strongly secured
- Monitor login behaviour and alert on anomalies, such as bursts of MFA prompts to one user or successful logins that never passed a second factor
- Test MFA via red team exercises — simulate fatigue attacks or token theft
- Educate users about prompt bombing and fake push attacks — encourage them to report, not approve
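As an added illustration of the monitoring point above (this is example code written for this post, not from the original article or any vendor product), the following detector runs over a small constructed authentication log. It flags a prompt-bombing pattern (many push prompts to one user in a short window, followed by an approval) and single-factor logins on apps that should require MFA, the coverage gap the Colonial Pipeline example describes. The log format, event names and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (hypothetical format: "<UTC time> <user> <app> <event>").
SAMPLE_LOG = """\
2024-05-01T02:10:02Z alice vpn push_sent
2024-05-01T02:10:40Z alice vpn push_sent
2024-05-01T02:11:15Z alice vpn push_sent
2024-05-01T02:13:30Z alice vpn push_sent
2024-05-01T02:14:05Z alice vpn push_approved
2024-05-01T02:14:06Z alice vpn login_success
2024-05-01T11:30:01Z carol vpn login_success
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:  # skip malformed lines instead of crashing the detector
            events.append((datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"), *parts[1:]))
    return events

def detect_prompt_bombing(events, max_prompts=3, window=timedelta(minutes=10)):
    """{user: (peak prompts in one window, approved right after the burst)} for users
    who received more than max_prompts push prompts inside any single window."""
    sent, approved, alerts = defaultdict(list), defaultdict(list), {}
    for ts, user, _app, event in events:
        if event == "push_sent":
            sent[user].append(ts)
        elif event == "push_approved":
            approved[user].append(ts)
    for user, times in sent.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted prompt times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_prompts:  # an approval after the burst is the "user gave in" signal
            alerts[user] = (peak, any(times[-1] <= a <= times[-1] + window for a in approved[user]))
    return alerts

def detect_single_factor_logins(events, mfa_apps=("vpn", "rdp", "webmail"), grace=timedelta(minutes=5)):
    """login_success on an MFA-required app with no push_approved for that user and app
    within the preceding grace period: a single-factor coverage gap."""
    approvals = defaultdict(list)
    for ts, user, app, event in events:
        if event == "push_approved":
            approvals[(user, app)].append(ts)
    return [(user, app, ts.isoformat()) for ts, user, app, event in events
            if event == "login_success" and app in mfa_apps
            and not any(ts - grace <= a <= ts for a in approvals[(user, app)])]
```

On the sample log this reports alice as a prompt-bombing victim who approved after the burst, and carol's VPN login as one that never passed a second factor.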
Connecting to the Bigger Picture
This is more than just a configuration problem. It’s a risk governance issue.
In many of the attacks mentioned above, MFA failures directly contributed to:
- Regulatory exposure
- Ransomware deployment
- Service shutdowns
- Cyber insurance complications
Insurers are now explicitly checking for the type and coverage of MFA before granting policies or paying out claims. If your MFA is outdated or not applied organisation-wide, your cover could be rejected — or worse, your incident classified as avoidable negligence.
Final Thoughts
MFA remains one of the best defences in cybersecurity — but only when deployed strategically. Poorly implemented MFA can become a liability, a loophole, or a false sense of control.
Security is not about ticking boxes. It’s about understanding how controls fail, and ensuring your implementation reflects the current threat landscape.
Because when ransomware comes knocking, you don’t want to discover your last line of defence was little more than a door left ajar.