If you are still measuring your identity program by "MFA coverage percentage," you are measuring 2019. The adversaries moved on. Push-based MFA, SMS codes, and even TOTP are now routinely defeated by attackers who are not particularly sophisticated. The question is not whether you have MFA. The question is whether your MFA survives contact with a motivated attacker.

What actually breaks MFA in 2026

Four attack patterns dominate real incidents I have reviewed:

  • MFA fatigue / push bombing. The 2022 Uber breach by a Lapsus$-affiliated actor is the textbook case: contractor credentials phished, then push prompts spammed until the user tapped approve. Still works. Still used.
  • Adversary-in-the-middle (AiTM). Toolkits like Evilginx and the commodity phishing-as-a-service kits that wrap it proxy the entire auth flow and steal the session cookie. Your MFA fires correctly. The attacker gets a valid session anyway.
  • OAuth and consent-grant abuse. No password, no MFA prompt — just a malicious app the user approved. Microsoft 365 and Google Workspace are the common targets. The logs look boring until you know what to look for.
  • SIM swap. SMS-based MFA on a privileged account is a single phone-store social engineer away from compromise. This is not hypothetical — SEC officials and crypto executives have been hit repeatedly.
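Detection logic for the push-bombing pattern above, as an added example that is not part of the original post. The record layout (timestamp, user, push outcome) and the sample entries are constructed for this illustration, not any IdP's real sign-in log schema; map the fields to your own logs before use.

```python
"""Flag MFA push bombing: several refused/expired push prompts for one user
inside a short window, optionally followed by an approval (fatigue success)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window for counting prompts
THRESHOLD = 3                    # refused/expired prompts before we alert

# Constructed sample records: (ISO-8601 UTC timestamp, user, push outcome).
SAMPLE_LOG = [
    ("2026-02-03T01:12:04Z", "alice", "denied"),
    ("2026-02-03T01:12:31Z", "alice", "timeout"),
    ("2026-02-03T01:13:02Z", "alice", "denied"),
    ("2026-02-03T01:14:40Z", "alice", "approved"),   # tapped approve: fatigue success
    ("2026-02-03T02:00:00Z", "dave",  "timeout"),
    ("2026-02-03T02:00:20Z", "dave",  "timeout"),
    ("2026-02-03T02:00:45Z", "dave",  "timeout"),
    ("2026-02-03T02:01:10Z", "dave",  "timeout"),    # bombed, never approved
    ("2026-02-03T09:05:00Z", "bob",   "denied"),
    ("2026-02-03T09:06:10Z", "bob",   "approved"),   # one slip, not bombing
    ("2026-02-03T13:00:00Z", "carol", "timeout"),
    ("2026-02-03T13:30:00Z", "carol", "timeout"),
    ("2026-02-03T13:45:00Z", "carol", "timeout"),    # spread out, below threshold
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect_push_bombing(records, window=WINDOW, threshold=THRESHOLD):
    """Return [(user, refused_prompts_in_window, approved_after_bombing), ...].

    An approval while the refused prompts are still inside the window is the
    high-severity case: treat that session as compromised, not as user error.
    """
    recent = defaultdict(deque)   # user -> timestamps of refused prompts in window
    bombing = {}                  # user -> peak refused count once threshold crossed
    findings = []
    for ts, user, outcome in sorted(records, key=lambda r: r[0]):
        now = _parse(ts)
        q = recent[user]
        while q and now - q[0] > window:      # drop prompts outside the window
            q.popleft()
        if outcome in ("denied", "timeout"):
            q.append(now)
            if len(q) >= threshold:
                bombing[user] = max(bombing.get(user, 0), len(q))
        elif outcome == "approved" and user in bombing and q:
            findings.append((user, bombing.pop(user), True))
            q.clear()
    findings.extend((u, n, False) for u, n in bombing.items())  # bombed, no approval
    return findings
```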

What MFA maturity actually looks like

Real maturity is not a checkbox. It is a set of deliberate choices:

  • Phishing-resistant factors for privileged access. FIDO2 hardware tokens (YubiKey, Feitian) or platform authenticators with attestation. For domain admins, cloud admins, and finance leadership, this is no longer optional.
  • Number matching and context on push. If you must use push, enforce number matching and show geo/IP/app context. Microsoft made this the default in 2023 for a reason.
  • Session and token hygiene. Short session lifetimes for privileged roles, Continuous Access Evaluation on Entra ID, device binding, and token-theft detection. An AiTM attack is only valuable for as long as the cookie lives.
  • Passkeys as the default for new applications. Synced passkeys for workforce use, device-bound passkeys for high-assurance. The ergonomics are finally good enough that users stop complaining.
  • OAuth app governance. Block unverified publishers, require admin consent, and actually review the app inventory. Most tenants have dozens of approved apps nobody can name.

Kill SMS for anything that matters

SMS-based MFA should be a fallback only, and never for privileged accounts. If your help desk can reset MFA over a phone call with a name and a date of birth, your MFA program is a theatre prop. Help desk identity verification is now part of the attack surface. The Scattered Spider crew has made this explicit.

MFA bought us a decade of relative safety at the password layer. That decade is over. Identity is now a detection problem as much as a prevention problem.

The takeaway

Audit your MFA configuration through an attacker's eyes, not an auditor's. Which accounts still accept SMS? Which admins can approve a push on the first prompt? Which tenant allows user-consented OAuth apps? Pick one of those and close it this quarter. Repeat until the easy paths are gone. MFA is a floor, not a ceiling.