---
title: "What Is MFA? How It Works and How Attackers Bypass It in 2025 | LoginPages.net"
description: "MFA stops 99% of password attacks — but 2025 attackers are bypassing it with AiTM phishing and push bombing. Learn which MFA methods are strongest and how to protect yourself."
keywords: "what is MFA, multi-factor authentication, MFA phishing bypass, AiTM attack, MFA fatigue, push bombing, authenticator app, FIDO2, passkeys, account security 2025"
url: "https://www.loginpages.net/blog/what-is-mfa-how-it-works-and-how-attackers-are-bypassing-it-in-2025"
language: "en"
---

* What Is MFA and Why Does It Matter?
* MFA Method Comparison
* The New MFA-Bypass Attacks of 2025
* How to Make Your MFA Bulletproof
* Set Up MFA on Your Most Important Accounts

February 26, 2026

# What Is MFA? How It Works — and How Attackers Are Bypassing It in 2025

MFA stops 99% of automated attacks — but sophisticated phishing techniques can bypass it. Learn which MFA method is strongest, what AiTM attacks are, and how to make your accounts truly bulletproof.

Multi-Factor Authentication (MFA) is one of the most powerful account security tools ever created. It stops over 99% of automated credential-stuffing attacks and 96% of bulk phishing attacks. Yet in 2025, attackers have developed sophisticated techniques specifically designed to defeat MFA. Here's what you need to know to protect yourself.

## What Is MFA and Why Does It Matter?

MFA adds a second verification step after your password. Even if an attacker steals your password through a phishing page, a data breach, or malware, they still cannot log in without your second factor — typically a code from your phone, a push notification, or a hardware security key.

Enabling MFA on your important accounts is the single highest-impact action you can take to improve your personal cybersecurity. If you do nothing else after reading this article, enable MFA on your email account today.

## MFA Method Comparison

### 🔐 MFA Methods Ranked by Security

| Rating | Method | Notes |
|---|---|---|
| STRONGEST | Hardware security key (FIDO2) | A physical USB or NFC key (e.g. YubiKey). Completely immune to phishing: the key cryptographically verifies you're on the correct website and will not respond to fake login pages. Recommended for high-value accounts. |
| VERY STRONG | Passkeys | The new FIDO2-based passwordless standard, now supported by Google, Apple, Microsoft and many major services. Tied to your device and immune to phishing. Gradually replacing passwords entirely. |
| STRONG | Authenticator app (TOTP) | Apps like Google Authenticator, Microsoft Authenticator or Authy generate a 6-digit code every 30 seconds. Resistant to most attacks, but vulnerable to real-time phishing proxies (AiTM attacks) if you enter the code into a fake site. |
| MODERATE | Push notification (Approve/Deny) | A push request sent to your phone app asking you to approve a login. Vulnerable to MFA fatigue attacks, where the attacker sends dozens of requests until you accidentally approve. Never approve a push you didn't initiate. |
| BASIC | SMS one-time password (OTP) | A code sent via text message. Better than nothing, but vulnerable to SIM swapping, SS7 network interception and real-time phishing relay. Avoid for high-value accounts if possible. |

## The New MFA-Bypass Attacks of 2025

### Adversary-in-the-Middle (AiTM) Phishing

This is the most sophisticated attack defeating MFA today. The attacker sets up a reverse proxy server between you and the real login page. When you think you're logging into Microsoft 365, you're actually logging into the attacker's proxy, which relays your credentials AND your MFA code to the real site in real time, stealing your authenticated session cookie before you even notice.

Tools like Evilginx2, Modlishka, and Muraena power these attacks and are freely available. The only defences are FIDO2 hardware keys or passkeys — which cannot be relayed — and Conditional Access policies that flag impossible travel.
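Why FIDO2 keys and passkeys "cannot be relayed" comes down to two checks the relying party performs on every assertion. The following is an added example written for this page (not code from the FIDO Alliance, any browser, or LoginPages.net) that models the WebAuthn assertion ceremony with the standard library only. The domain names, `RP_ID`, `ALLOWED_ORIGINS` and the per-credential secret are constructed; the authenticator's public-key signature is replaced by an HMAC stand-in so the example runs without a crypto library, and a real authenticator would additionally refuse to use a credential for a different rpId. The two points it demonstrates are faithful to the spec: the browser, not the page, writes the true origin into `clientDataJSON`, and the server rejects any origin or rpIdHash it does not recognise before it even checks the signature.

```python
import hashlib
import hmac
import json
import secrets

# Constructed relying party. In production RP_ID is the site's registrable domain and
# ALLOWED_ORIGINS the exact origins the login page is served from.
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}


def _sign(cred_secret: bytes, authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """Stand-in for the authenticator's signature over authenticatorData || SHA-256(clientDataJSON).
    Real WebAuthn uses a public-key signature; HMAC with a per-credential secret keeps the
    property that only the credential holder can produce a valid value."""
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    return hmac.new(cred_secret, signed, hashlib.sha256).digest()


def browser_get_assertion(cred_secret: bytes, requested_rp_id: str, page_origin: str, challenge: str):
    """Models navigator.credentials.get(). The page's JavaScript controls neither check here:
    the browser refuses an rpId that is not the page's domain (or a parent of it), and the
    browser itself records the true origin in clientDataJSON."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise ValueError("SecurityError: rpId is not a registrable suffix of the page's origin")
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
    # authenticatorData = rpIdHash (32 bytes) | flags (UP bit set) | signCount (4 bytes)
    authenticator_data = hashlib.sha256(requested_rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return client_data_json, authenticator_data, _sign(cred_secret, authenticator_data, client_data_json)


def server_verify(cred_secret: bytes, expected_challenge: str, client_data_json: bytes,
                  authenticator_data: bytes, signature: bytes) -> str:
    """Relying-party checks in the order the WebAuthn spec lists them. Returns "ok" or the reason."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if not hmac.compare_digest(client_data.get("challenge", ""), expected_challenge):
        return "challenge mismatch"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return "origin %s not allowed" % client_data.get("origin")
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return "user presence not asserted"
    if not hmac.compare_digest(_sign(cred_secret, authenticator_data, client_data_json), signature):
        return "bad signature"
    return "ok"


def legitimate_login(cred_secret: bytes, challenge: str) -> str:
    cd, ad, sig = browser_get_assertion(cred_secret, RP_ID, "https://login.example.com", challenge)
    return server_verify(cred_secret, challenge, cd, ad, sig)


def relayed_login(cred_secret: bytes, proxy_origin: str, challenge: str):
    """The AiTM case: the proxy forwards the real site's challenge to the victim, whose browser
    is on proxy_origin. Returns the outcome of both things the proxy page can try."""
    try:  # 1. pass the real rpId through unchanged: the browser refuses before anything is signed
        browser_get_assertion(cred_secret, RP_ID, proxy_origin, challenge)
        unchanged = "assertion produced"
    except ValueError as err:
        unchanged = str(err)
    # 2. rewrite rpId to the proxy's own host: an assertion is produced, but it is bound to the
    #    proxy's origin and rpIdHash, so the real server rejects it when the proxy replays it
    proxy_host = proxy_origin.split("://", 1)[1]
    cd, ad, sig = browser_get_assertion(cred_secret, proxy_host, proxy_origin, challenge)
    return unchanged, server_verify(cred_secret, challenge, cd, ad, sig)


if __name__ == "__main__":
    cred = secrets.token_bytes(32)       # constructed per-credential secret
    chal = secrets.token_urlsafe(32)     # server-issued challenge
    print(legitimate_login(cred, chal))
    print(relayed_login(cred, "https://login.example.com.evil-proxy.test", chal))
```

Contrast this with the TOTP case: a TOTP code carries no information about where it was typed, whereas the FIDO2 assertion has the origin baked into the signed bytes, so the proxy can forward it but cannot make it verify.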

### MFA Fatigue (Push Bombing)

The attacker obtains your password and begins a login attempt, triggering an MFA push notification to your phone. They then spam your phone with dozens of approval requests at all hours until you approve one out of exhaustion, confusion, or to make the notifications stop. This attack successfully breached Uber in 2022.
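Push bombing leaves an unmistakable trace in the identity provider's logs: a burst of push prompts to one user, mostly denied or left to time out, sometimes ending in a single approval. The following is an added example written for this page (not a detection rule from any IdP product or from LoginPages.net) that runs a sliding-window detector over a constructed JSON-lines event stream; the event names, usernames, IPs and timestamps are all made up, and the threshold of five prompts in ten minutes is an assumption to tune against your own baseline.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of an identity provider's MFA event stream (JSON lines). Not real data.
SAMPLE_LOG = """\
{"ts": "2025-03-04T02:11:05Z", "user": "alice", "event": "mfa.push.sent", "src": "203.0.113.7"}
{"ts": "2025-03-04T02:11:09Z", "user": "alice", "event": "mfa.push.denied"}
{"ts": "2025-03-04T02:11:40Z", "user": "alice", "event": "mfa.push.sent", "src": "203.0.113.7"}
{"ts": "2025-03-04T02:11:44Z", "user": "alice", "event": "mfa.push.denied"}
{"ts": "2025-03-04T02:12:20Z", "user": "alice", "event": "mfa.push.sent", "src": "203.0.113.7"}
{"ts": "2025-03-04T02:12:50Z", "user": "alice", "event": "mfa.push.timeout"}
{"ts": "2025-03-04T02:13:00Z", "user": "alice", "event": "mfa.push.sent", "src": "203.0.113.7"}
{"ts": "2025-03-04T02:13:05Z", "user": "alice", "event": "mfa.push.denied"}
{"ts": "2025-03-04T02:13:45Z", "user": "alice", "event": "mfa.push.sent", "src": "203.0.113.7"}
{"ts": "2025-03-04T02:13:50Z", "user": "alice", "event": "mfa.push.denied"}
{"ts": "2025-03-04T02:14:30Z", "user": "alice", "event": "mfa.push.sent", "src": "203.0.113.7"}
{"ts": "2025-03-04T02:15:00Z", "user": "alice", "event": "mfa.push.timeout"}
{"ts": "2025-03-04T02:15:10Z", "user": "alice", "event": "mfa.push.sent", "src": "203.0.113.7"}
{"ts": "2025-03-04T02:15:25Z", "user": "alice", "event": "mfa.push.approved"}
{"ts": "2025-03-04T02:20:00Z", "user": "bob", "event": "mfa.push.sent", "src": "198.51.100.12"}
{"ts": "2025-03-04T02:20:08Z", "user": "bob", "event": "mfa.push.approved"}
"""


def parse_event(line: str) -> dict:
    """One JSON line -> dict with a timezone-aware datetime in 'ts'."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def detect_push_bombing(log_text: str, threshold: int = 5, window_seconds: int = 600) -> list:
    """Sliding window per user over push prompts. Emits a 'push_burst' alert the first time a
    user receives `threshold` prompts within `window_seconds`, and a higher-severity
    'approval_after_burst' alert if an approval arrives while such a burst is still in the window.
    Denials and timeouts are the normal outcome during a burst and are not alerted on their own."""
    prompts = defaultdict(deque)   # user -> timestamps of push prompts inside the window
    alerted = set()                # users already alerted for the burst currently in progress
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        user, ts = ev["user"], ev["ts"]
        recent = prompts[user]
        while recent and (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if not recent:
            alerted.discard(user)  # the previous burst has aged out; a new one may alert again
        if ev["event"] == "mfa.push.sent":
            recent.append(ts)
            if len(recent) >= threshold and user not in alerted:
                alerted.add(user)
                alerts.append({"rule": "push_burst", "severity": "medium", "user": user,
                               "ts": ts.isoformat(), "count": len(recent), "src": ev.get("src")})
        elif ev["event"] == "mfa.push.approved":
            if len(recent) >= threshold:
                alerts.append({"rule": "approval_after_burst", "severity": "high", "user": user,
                               "ts": ts.isoformat(), "count": len(recent)})
            recent.clear()         # a completed login ends the burst for counting purposes
            alerted.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(json.dumps(alert))
```

On the sample stream, alice trips `push_burst` at the fifth prompt and then `approval_after_burst` when she finally taps approve, while bob's single prompt and approval produce nothing. The second alert is the one worth paging on: it is the signal that the control the article describes (never approve a push you didn't initiate) has just failed for that account, and the response is to treat the session as compromised and reset the password.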

### SIM Swapping

The attacker contacts your mobile carrier, impersonates you, and convinces them to transfer your phone number to a SIM card they control. From that point, they receive all your SMS verification codes. High-profile crypto holders and executives are the most common targets.

## How to Make Your MFA Bulletproof

  * **Upgrade to FIDO2 / passkeys** wherever supported. These are cryptographically bound to the real website and cannot be phished.
  * **Never approve an MFA push you didn't initiate.** If you get an unexpected approval request, deny it and immediately change your password — it means someone has your credentials.
  * **Use number matching** if your authenticator supports it. This requires you to enter a number shown on the login screen into the push notification, preventing blind approvals.
  * **Set up a PIN with your mobile carrier** to prevent SIM swapping attacks.
  * **Use an authenticator app instead of SMS** for all accounts where it's offered.
  * **Enable login notifications** on all important accounts so you're alerted to any new sign-in immediately.

## Set Up MFA on Your Most Important Accounts

Use LoginPages.net to navigate to the official login pages for your most important services, then head to the security settings of each account to enable MFA. Start with your email account — whoever controls your email controls everything else.

[Find Official Login Pages to Secure Your Accounts →](/)

Author: [LoginPages Security Team](/author/loginpages-security-team)

Published: February 26, 2026

Updated: February 26, 2026
