
MFA Is Not As Safe As You Think

Robert Brake
March 27, 2026

Key Takeaways

  • MFA stops a stolen password from being enough on its own — but it does not stop session token theft, which is the attack hackers are using right now.
  • Adversary-in-the-Middle (AitM) attacks intercept your login in real time and steal the session cookie your browser receives after you authenticate.
  • SpyCloud's 2026 report found 8.6 billion stolen session cookies in circulation — up sharply from the prior year.
  • Three defenses that actually work: hardware security keys (FIDO2), short session timeouts, and phishing-resistant MFA policies.

The False Sense of Security

For the past several years, the standard advice from every IT professional, cybersecurity firm, and tech publication has been the same: enable Multi-Factor Authentication (MFA) and you are protected. Turn on two-factor authentication on your email, your banking portal, your cloud storage — and sleep soundly. That advice was correct, and it still matters. But it is no longer the complete picture.

Hackers have adapted. They are not trying to crack your password or intercept your six-digit code anymore. They have moved one step further down the authentication chain, to a point where your MFA code has already been accepted and is no longer relevant. They are stealing what comes after the login — and most small business owners have no idea this is happening.

How Do Adversary-in-the-Middle Attacks Work?

An Adversary-in-the-Middle (AitM) attack is not a brute-force hack. It does not involve guessing passwords or waiting for a data breach. Instead, it works by inserting a silent relay between you and the legitimate website you are trying to reach.

Here is how it unfolds in practice. You receive what looks like a routine email — a Microsoft 365 login request, a DocuSign notification, a bank security alert. You click the link and land on a page that looks exactly like the real site. You enter your username and password. The fake site relays those credentials to the real site in real time. The real site sends back an MFA challenge. The fake site passes that challenge to you. You enter your code. The fake site relays it to the real site. Authentication succeeds — and the real site sends back a session token, the digital key that tells your browser you are now logged in. The attacker captures that token before it ever reaches you.

From this point forward, the attacker has everything they need. Your password is irrelevant. Your MFA code is irrelevant. They have the session token, which grants them full access to your account for as long as that session remains valid — sometimes hours, sometimes days.

What Is a Session Token and Why Does It Matter?

When you log into any web service — your email, your accounting software, your cloud storage — the server does not ask you to re-enter your password on every single page you visit. Instead, it issues a small piece of data, stored by your browser, called a session cookie or session token. Think of it as a temporary visitor badge. Once you have it, you can move freely through the building without showing ID at every door.

Session tokens are designed to expire, but many services set generous timeouts — 8 hours, 24 hours, or longer — to avoid inconveniencing users. An attacker who steals your session token can impersonate you for the entire duration of that window. They can read your emails, initiate wire transfers, access client files, or reset passwords on connected accounts. And because they are using a valid, authenticated session, most security systems will not flag the activity as suspicious.

What Is the Real-World Scale of This Problem?

The numbers from SpyCloud's 2026 Annual Identity Exposure Report are striking. Researchers found 8.6 billion stolen session cookies circulating in criminal underground markets — a sharp increase from the prior year. These are not theoretical vulnerabilities. They are active, harvested credentials being bought and sold right now. The same report documented 28.6 million phished identities, nearly half of which were corporate users.

In March 2026, Europol — in partnership with Microsoft and SpyCloud — executed a coordinated global takedown of Tycoon 2FA, one of the largest phishing-as-a-service platforms ever dismantled. Tycoon 2FA was a subscription service that criminals used to launch AitM attacks at scale. For a monthly fee, anyone with malicious intent could run a fully automated MFA bypass campaign against Microsoft 365 and Google Workspace accounts. The takedown was significant, but it was also a reminder of how industrialized these attacks have become. Tycoon 2FA was one platform among many.

MFA Fatigue: The Human Exploit

AitM attacks are not the only way hackers bypass MFA. A simpler, and arguably more effective, technique is called MFA fatigue or push bombing. In 2022, Uber's systems were breached by an 18-year-old using exactly this method. The attacker had already obtained an employee's credentials through a separate breach. To get past MFA, they simply flooded the employee's phone with push authentication requests — dozens of them, over the course of an hour — until the employee approved one just to make the notifications stop.

This is not a sophisticated technical exploit. It is a psychological one. It exploits the gap between knowing you should not approve an unexpected MFA request and the very human impulse to make an annoyance go away. For small businesses where employees wear many hats and are already stretched thin, this kind of social engineering is particularly effective.
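Push bombing leaves a visible trace in MFA logs: a burst of prompts to one user, most of them denied, followed by a single approval. The following is an added example, not code from the article, showing how a defender can flag that pattern. The log line format, the users, the timestamps and the IP addresses are all constructed for the example; real MFA providers export their own formats.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not code from the article. A push-bombing detector run over constructed MFA
# log lines; the line format and the users, times and addresses are invented for the example.

WINDOW = timedelta(minutes=10)
THRESHOLD = 5          # push prompts to one user inside WINDOW before we call it bombing


def build_sample_log():
    """Constructed log: 'alice' is prompted every two minutes and finally approves; 'bob' is normal."""
    start = datetime(2022, 9, 15, 22, 1, 0)
    lines = []
    for i in range(12):
        t = start + i * timedelta(minutes=2)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=alice event=push_sent ip=198.51.100.7")
        lines.append(f"{t + timedelta(seconds=30):%Y-%m-%dT%H:%M:%SZ} user=alice event=push_denied ip=198.51.100.7")
    lines.append("2022-09-15T22:58:03Z user=alice event=push_approved ip=198.51.100.7")
    lines.append("2022-09-15T22:05:00Z user=bob event=push_sent ip=203.0.113.10")
    lines.append("2022-09-15T22:05:20Z user=bob event=push_approved ip=203.0.113.10")
    return lines


def parse(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(lines):
    """Return (timestamp, user, message) alerts for users hit by a burst of push prompts."""
    recent = defaultdict(deque)   # user -> timestamps of push_sent inside the sliding window
    bombed = set()
    alerts = []
    for f in sorted(map(parse, lines), key=lambda f: f["ts"]):
        user, ts = f["user"], f["ts"]
        if f["event"] == "push_sent":
            window = recent[user]
            window.append(ts)
            while ts - window[0] > WINDOW:      # drop prompts that fell out of the window
                window.popleft()
            if len(window) >= THRESHOLD and user not in bombed:
                bombed.add(user)
                alerts.append((ts.isoformat(), user,
                               f"{len(window)} push prompts in {WINDOW}: possible push bombing; "
                               "auto-deny further prompts and contact the user out of band"))
        elif f["event"] == "push_approved" and user in bombed:
            # The approval the attacker was waiting for: the session behind it is suspect.
            alerts.append((ts.isoformat(), user,
                           "approval after a prompt burst: treat the session as compromised, "
                           "revoke it and investigate the source"))
    return alerts


if __name__ == "__main__":
    for when, who, what in detect(build_sample_log()):
        print(when, who, what)
```

The same logic is what number-matching and automatic prompt throttling implement on the provider side; running it over exported logs is a cheap way to find out whether a tenant has already been targeted.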

What Actually Works Against These Attacks?

The good news is that defenses exist. The bad news is that they require moving beyond the basic MFA setup most small businesses currently have. Here are the three approaches that security researchers consistently identify as genuinely effective against AitM and session hijacking.

1. Hardware Security Keys (FIDO2 / Passkeys)

A hardware security key — such as a YubiKey — is a small physical device that plugs into your USB port or taps against your phone. When you log in, the key generates a cryptographic response that is mathematically bound to the specific website you are visiting. A fake site cannot receive a valid response from your key because the cryptographic challenge is domain-specific. Even if an attacker intercepts the entire exchange, they receive a response that is useless on any other site or in any other session. This is called phishing-resistant MFA, and it is the gold standard. Google reported that after deploying hardware keys for all employees, account takeovers dropped to zero.
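To make the domain binding concrete, here is an added example that is not part of the article and not a real WebAuthn library. It models the two independent checks that break the relay described in the AitM section: the security key only releases a credential for the domain the browser is actually showing, and the genuine site rejects any assertion whose signed origin is not its own. One simplification is labelled in the code: real WebAuthn signs with a per-credential private key and verifies with a public key, whereas this model uses an HMAC with a per-credential secret so that it runs with the Python standard library alone. The hostnames are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Added example, not the article's code. It models the two checks that make a FIDO2 key
# phishing-resistant: the key only releases a credential for the domain the browser is
# really on, and the genuine site checks the origin that was signed. Simplification: real
# WebAuthn signs with a per-credential private key and verifies with a public key; here an
# HMAC with a per-credential secret stands in so the example needs only the standard library.

GENUINE_RP = "login.example.com"        # constructed hostname of the real site
LOOKALIKE = "login-example.com"         # constructed look-alike hostname


def sign(secret, auth_data, client_data):
    """Stand-in for the key's signature over authenticatorData || SHA-256(clientDataJSON)."""
    message = auth_data + hashlib.sha256(client_data).digest()
    return hmac.new(secret, message, hashlib.sha256).digest()


class Authenticator:
    """A security key: each credential is scoped to one relying-party ID and never leaves the key."""

    def __init__(self):
        self._credentials = {}  # rp_id -> (credential_id, secret)

    def register(self, rp_id):
        cred = (secrets.token_hex(8), secrets.token_bytes(32))
        self._credentials[rp_id] = cred
        return cred  # real WebAuthn would hand the site a public key instead

    def get_assertion(self, effective_domain, challenge):
        # The browser supplies effective_domain from the address bar; the page cannot override it.
        if effective_domain not in self._credentials:
            raise LookupError(f"no credential scoped to {effective_domain}")
        credential_id, secret = self._credentials[effective_domain]
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": "https://" + effective_domain}, sort_keys=True).encode()
        auth_data = hashlib.sha256(effective_domain.encode()).digest()  # rpIdHash
        return {"credential_id": credential_id, "client_data": client_data,
                "auth_data": auth_data, "signature": sign(secret, auth_data, client_data)}


class RelyingParty:
    """The genuine site verifying a login assertion."""

    def __init__(self, rp_id):
        self.rp_id, self.origin = rp_id, "https://" + rp_id
        self._secrets, self._pending = {}, set()

    def register(self, credential_id, secret):
        self._secrets[credential_id] = secret

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self._pending.add(challenge)
        return challenge

    def verify(self, assertion):
        """Return 'ok' or the reason the assertion was rejected."""
        secret = self._secrets.get(assertion["credential_id"])
        if secret is None:
            return "unknown credential"
        client = json.loads(assertion["client_data"])
        if client.get("type") != "webauthn.get":
            return "wrong ceremony type"
        if client.get("challenge") not in self._pending:
            return "unknown or replayed challenge"
        if client.get("origin") != self.origin:
            return "origin mismatch"  # the check that defeats a relayed login
        if assertion["auth_data"] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rpIdHash mismatch"
        expected = sign(secret, assertion["auth_data"], assertion["client_data"])
        if not hmac.compare_digest(expected, assertion["signature"]):
            return "bad signature"
        self._pending.discard(client["challenge"])  # challenges are single use
        return "ok"


def run_scenarios():
    """Genuine login, a login attempted on the look-alike domain, and a relayed assertion."""
    key, site = Authenticator(), RelyingParty(GENUINE_RP)
    site.register(*key.register(GENUINE_RP))
    results = {}
    # 1. Normal login on the real site.
    results["genuine"] = site.verify(key.get_assertion(GENUINE_RP, site.new_challenge()))
    # 2. Same user and key, but the browser is on the look-alike domain: the key holds no
    #    credential for it, so there is nothing for a relay to capture.
    try:
        key.get_assertion(LOOKALIKE, site.new_challenge())
        results["lookalike"] = "assertion released"
    except LookupError:
        results["lookalike"] = "authenticator refused"
    # 3. Even if an assertion carrying the look-alike origin reached the real site, the
    #    signed origin would not match and it is rejected before the signature is checked.
    relayed = key.get_assertion(GENUINE_RP, site.new_challenge())
    client = json.loads(relayed["client_data"])
    client["origin"] = "https://" + LOOKALIKE
    relayed["client_data"] = json.dumps(client, sort_keys=True).encode()
    results["relayed"] = site.verify(relayed)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Contrast this with a six-digit code: the code carries no information about where it was typed, so the real site has no way to tell a relayed code from a genuine one. The origin field and the per-domain credential scoping are what the attacker cannot forge.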

2. Short Session Timeouts

If a stolen session token expires in 15 minutes instead of 8 hours, the window of opportunity for an attacker shrinks dramatically. Most cloud services allow administrators to configure session timeout policies. For high-value accounts — email, financial systems, cloud storage — setting aggressive timeouts is one of the simplest and most effective controls available. Yes, it means logging in more frequently. That inconvenience is a worthwhile trade.

3. Conditional Access Policies

Enterprise platforms like Microsoft 365 and Google Workspace offer conditional access controls that can flag or block login attempts from unexpected locations, devices, or IP addresses. If your business is based in White Plains and a session token is suddenly being used from an IP address in Eastern Europe, a conditional access policy can terminate that session automatically. For small businesses, this is often available at no additional cost within existing subscriptions — it simply needs to be configured.
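Short timeouts and conditional access both act on the server-side record of a session rather than on the login itself. The following added example, which is not code from the article or from any vendor, is a small session store that applies both controls and replays a constructed stolen-token timeline through a lax policy and a strict one. The IP-to-country table stands in for a GeoIP lookup and uses documentation-range addresses; the timings are invented.

```python
import secrets
from dataclasses import dataclass

# Added example, not code from the article. A minimal server-side session store that applies
# the two controls discussed above: a short idle timeout and a conditional-access style check
# that kills a session when the token is used from an unexpected country.

# Constructed stand-in for a GeoIP lookup (documentation-range addresses).
GEO = {"203.0.113.10": "US", "198.51.100.7": "US", "192.0.2.55": "RO"}

OWNER_IP, ATTACKER_IP_ABROAD = "203.0.113.10", "192.0.2.55"
MIN = 60  # seconds


@dataclass
class Session:
    user: str
    country: str
    created: int      # seconds; a real service would use a monotonic clock
    last_seen: int
    revoked_reason: str = ""


class SessionStore:
    def __init__(self, idle_timeout, absolute_lifetime=8 * 3600, geo_check=True):
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self.geo_check = geo_check
        self._sessions = {}   # token -> Session

    def login(self, user, ip, now):
        token = secrets.token_urlsafe(32)      # unguessable session identifier
        self._sessions[token] = Session(user, GEO.get(ip, "??"), now, now)
        return token

    def validate(self, token, ip, now):
        """Return 'ok' or the reason the request was refused. Expired sessions are deleted."""
        s = self._sessions.get(token)
        if s is None:
            return "unknown token"
        if s.revoked_reason:
            return "revoked: " + s.revoked_reason
        if now - s.created > self.absolute_lifetime:
            del self._sessions[token]
            return "expired: absolute lifetime"
        if now - s.last_seen > self.idle_timeout:
            del self._sessions[token]
            return "expired: idle"
        if self.geo_check and GEO.get(ip, "??") != s.country:
            s.revoked_reason = "country changed"   # conditional-access style termination
            return "revoked: country changed"
        s.last_seen = now
        return "ok"


def simulate():
    """Replay constructed timelines through a lax policy and a strict one."""
    results = {}
    # Timeline A: the owner uses the token, then a stolen copy is replayed from the owner's
    # own network after half an hour of inactivity, then from abroad.
    timeline = [(10 * MIN, OWNER_IP), (40 * MIN, OWNER_IP), (42 * MIN, ATTACKER_IP_ABROAD)]
    for name, store in (("lax", SessionStore(idle_timeout=8 * 3600, geo_check=False)),
                        ("strict", SessionStore(idle_timeout=15 * MIN))):
        token = store.login("alice", OWNER_IP, now=0)
        results[name] = [store.validate(token, ip, now=t) for t, ip in timeline]
    # Timeline B: the stolen token is used from abroad while still fresh; the strict policy
    # kills the session, which also locks out the owner until they log in again.
    store = SessionStore(idle_timeout=15 * MIN)
    token = store.login("alice", OWNER_IP, now=0)
    results["strict_geo"] = [store.validate(token, ATTACKER_IP_ABROAD, now=5 * MIN),
                             store.validate(token, OWNER_IP, now=6 * MIN)]
    return results


if __name__ == "__main__":
    for policy, outcomes in simulate().items():
        print(policy, outcomes)
```

Under the lax policy every request in timeline A succeeds, including the two replays; under the strict policy the replay after thirty idle minutes is refused and the session is gone by the time the token is tried from abroad. Timeline B shows the cost of the control: terminating the session on a country change also logs out the legitimate owner, which is the right outcome when the token has been stolen and a minor nuisance when it has not.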

What Should a Small Business Owner Do Right Now?

You do not need to implement all three defenses simultaneously. Start with the highest-impact, lowest-friction step for your situation. If your business relies heavily on Microsoft 365 or Google Workspace, review your session timeout and conditional access settings this week — both platforms have built-in tools that most small businesses never activate. If you handle sensitive client data or financial transactions, consider investing in hardware security keys for the accounts that matter most.

The broader point is this: MFA is still worth having. It stops a large category of attacks and should absolutely remain part of your security posture. But treating it as a complete solution in 2026 is like locking your front door and leaving the back window open. The attackers have found the window. The question is whether you close it before they do.

If you are unsure where your business stands on any of these issues, a cybersecurity assessment can identify the specific gaps in your current setup and prioritize the fixes that will have the most impact for your size and industry.

Written by Robert Brake

Robert Brake is a computer technician and IT consultant with over 30 years of experience, currently serving small businesses and home users in Westchester County, NY. He is the founder of Metro North Computer Consulting.
