
Securing Identity: Why Default MFA Is No Longer Enough


For years, security teams had a simple message: turn on multi-factor authentication (MFA) and you will be safe. While enabling any form of MFA is still vastly superior to using passwords alone, default MFA methods are no longer sufficient to stop modern threat actors.

Phishing tools have evolved. Attackers now deploy adversary-in-the-middle proxies such as Evilginx: the victim’s browser talks to a look-alike domain, the proxy relays every request to the genuine login page, and the user’s password and one-time MFA code are forwarded to the real service in real time. Once the real service accepts them, the proxy also captures the authenticated session cookie, so the attacker never has to replay the code at all.

Here is an analysis of why legacy MFA fails and how to transition to secure identity architecture.


The Vulnerability of Legacy MFA

Legacy MFA methods rely on a shared code or an approval tap that is not bound to the site the user is actually on, so it can be intercepted, relayed, or social-engineered:

  1. SMS and Voice codes: Vulnerable to SIM-swapping, where an attacker persuades the telecom provider to move your phone number to a SIM they control, to interception of SMS in transit through weaknesses in the carrier signalling network (SS7), and to the same real-time relay phishing that affects any code the user types.
  2. Standard Push Notifications: Susceptible to “MFA Fatigue” (push spamming). An attacker who already holds the password signs in repeatedly, often late at night, generating dozens of push notifications until the exhausted user taps “Approve” to stop the alerts. The prompt carries nothing that ties it to a sign-in the user actually started.
  3. OTP App Tokens (Google/Microsoft Authenticator): Relayed by adversary-in-the-middle phishing pages. The user types the six-digit code into a look-alike login screen, and the attacker’s proxy submits it to the real server within its 30-second validity window. The code proves the user holds the authenticator; it says nothing about which site they typed it into.

Transitioning to Modern, Secure MFA

To secure your workforce, identity architecture should shift toward two primary controls, one a quick hardening step and one a change of technology:

1. Number Matching (Frictionless Hardening)

If you use Microsoft Authenticator or Okta Verify, enforce Number Matching. When a sign-in starts, the sign-in screen displays a short number (two digits in Microsoft Authenticator) and the user must enter or select that same number in the authenticator app before the prompt is approved. This defeats push spamming: the number is shown only on the screen that initiated the sign-in, so a user who did not start it never sees the number and cannot approve the prompt by reflex, and the attacker cannot supply it on the user’s behalf. It is not phishing-resistant, however. An adversary-in-the-middle proxy starts the genuine sign-in itself and relays the real page, number included, to the victim, who types it into the app and thereby approves the attacker’s session. Number matching closes the fatigue hole, not the proxy one.

2. FIDO2 / WebAuthn (Phishing-Resistant MFA)

FIDO2 authentication uses physical security keys (such as YubiKeys) or authenticators built into the device (Windows Hello, Apple Touch ID) to sign a per-login challenge with a private key that never leaves the hardware, instead of asking the user to type or approve anything a phishing page could capture.

  • Why it is secure: a FIDO2 credential is registered to a specific relying-party identifier, the service’s own domain. On a look-alike page (e.g. login.microsoft-sec.com) the browser will not offer a credential registered to the genuine domain at all, and the signature an authenticator produces covers a fresh server-issued challenge together with the origin the browser actually saw, so a response relayed through a proxy fails verification even if one were produced. There is no code for the user to type and nothing for a proxy to forward. Alongside PKI-based smart-card authentication, this is the only class of MFA that defeats credential-relaying phishing kits outright, and it is the one that can be rolled out broadly on commodity devices.
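The difference between a relayable code and an origin-bound signature is easiest to see in code. The following is an added example, not code from this article or from any vendor: a toy model in which a TOTP code, a plain push prompt, a number-matched push prompt and a WebAuthn-style credential each face push spamming and a real-time phishing proxy. The relying-party ID login.example.com, the look-alike login.example-sec.com, the keys and the fixed timestamp are all constructed for the demo, and an HMAC stands in for the ECDSA signature a real security key produces; what gets signed and what the server checks is the same.

```python
"""Toy model of three second factors under push spam and an AitM phishing proxy.

Added example, not code from the original article. Keys, origins and the
look-alike domain are constructed; an HMAC stands in for the ECDSA signature a
real FIDO2 authenticator produces.
"""
import hashlib
import hmac
import json
import secrets
import struct

RP_ID = "login.example.com"                     # assumed relying-party ID
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example-sec.com"  # look-alike, same pattern as the article
STEP = 30                                       # TOTP time step, seconds


# ---- TOTP (RFC 6238: HMAC-SHA1 over the time counter, 6 digits) --------------
def totp(secret: bytes, now: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def server_accepts_totp(secret: bytes, code: str, now: int) -> bool:
    # Servers usually tolerate the previous step so a code typed at 0:29 still works.
    return any(hmac.compare_digest(code, totp(secret, now - k * STEP)) for k in (0, 1))

def totp_under_aitm(secret: bytes, now: int) -> bool:
    # Victim reads the code off their app and types it into the proxied page; the
    # proxy forwards it two seconds later. Nothing in the code names the site it
    # was typed into, so the real server accepts it.
    typed_into_phish_page = totp(secret, now)
    return server_accepts_totp(secret, typed_into_phish_page, now + 2)


# ---- Push notifications: plain approve, and number matching -----------------
def plain_push(user_eventually_taps_approve: bool) -> bool:
    # The prompt carries nothing tying it to the user's own sign-in.
    return user_eventually_taps_approve

def push_spam(number_on_initiating_browser: int):
    return None   # attacker started the sign-in; the number is on *their* screen

def aitm_proxy(number_on_initiating_browser: int):
    return number_on_initiating_browser   # proxy renders the genuine page, number included

def number_match(what_victim_screen_shows) -> bool:
    # Server shows a two-digit number on the browser that started the sign-in and
    # the app asks the user to type it; the callback models what the attack puts
    # in front of the victim.
    number = secrets.randbelow(100)
    seen = what_victim_screen_shows(number)
    return seen is not None and seen == number   # no number, no approval


# ---- WebAuthn-style assertion bound to the origin the browser is on -----------
def make_credential() -> dict:
    return {"rp_id": RP_ID, "key": secrets.token_bytes(32)}  # HMAC key stands in for ECDSA key

def _sign(cred: dict, client_data: bytes) -> bytes:
    rp_id_hash = hashlib.sha256(cred["rp_id"].encode()).digest()
    return hmac.new(cred["key"], rp_id_hash + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()

def browser_get_assertion(cred: dict, page_origin: str, challenge: bytes, buggy_browser: bool = False):
    # navigator.credentials.get(): the browser offers a credential only if its RP ID is
    # the page's host (or a registrable suffix of it), and the signature covers the
    # challenge plus the origin the browser actually sees. buggy_browser skips the
    # first check to show the server still catches the relay on its own.
    host = page_origin.split("://", 1)[1]
    if not buggy_browser and host != cred["rp_id"] and not host.endswith("." + cred["rp_id"]):
        return None
    client_data = json.dumps({"challenge": challenge.hex(), "origin": page_origin}, sort_keys=True).encode()
    return client_data, _sign(cred, client_data)

def server_verify_assertion(cred: dict, challenge: bytes, assertion) -> bool:
    if assertion is None:
        return False
    client_data, sig = assertion
    expected = json.dumps({"challenge": challenge.hex(), "origin": REAL_ORIGIN}, sort_keys=True).encode()
    # A relayed assertion carries the phishing origin and fails here even if signed.
    return client_data == expected and hmac.compare_digest(sig, _sign(cred, client_data))

def webauthn_login(cred: dict, page_origin: str, buggy_browser: bool = False) -> bool:
    challenge = secrets.token_bytes(32)   # issued by the real server; a proxy relays it unchanged
    assertion = browser_get_assertion(cred, page_origin, challenge, buggy_browser)
    return server_verify_assertion(cred, challenge, assertion)


def run_scenarios() -> dict:
    """Maps each scenario to whether the real server accepted the login."""
    secret, cred, now = secrets.token_bytes(20), make_credential(), 1_700_000_000  # constructed
    return {
        "totp, aitm proxy": totp_under_aitm(secret, now),
        "plain push, push spam": plain_push(user_eventually_taps_approve=True),
        "number match, push spam": number_match(push_spam),
        "number match, aitm proxy": number_match(aitm_proxy),
        "webauthn, aitm proxy": webauthn_login(cred, PHISH_ORIGIN),
        "webauthn, aitm proxy + browser skips RP ID check": webauthn_login(cred, PHISH_ORIGIN, buggy_browser=True),
        "webauthn, genuine sign-in": webauthn_login(cred, REAL_ORIGIN),
    }

if __name__ == "__main__":
    for scenario, accepted in run_scenarios().items():
        print(f"{scenario:<50} server accepted login: {accepted}")
```

Run it and the only rows the real server rejects are number matching under push spam and WebAuthn under the proxy: the browser never offers the credential on the look-alike host, and even a browser that skipped that check would hand the proxy an assertion whose embedded origin the server refuses. Number matching, by contrast, is accepted under the proxy because the number is displayed on the proxied page and the victim types it in, which is why it belongs in the fatigue-hardening column and not the phishing-resistant one.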

Implementation Recommendations

Implementing phishing-resistant MFA does not have to happen overnight. We recommend a phased deployment:

  • Phase 1 (Immediate): Require FIDO2 keys for all IT administrators, executives, and users with access to bank details or financial systems. Number Matching is an acceptable stopgap where a key cannot be issued yet, but because it still falls to proxy phishing it should not be the end state for these accounts.
  • Phase 2 (Medium Term): Enforce Number Matching for all staff members on office productivity suites (Microsoft 365 or Google Workspace), and begin rolling out FIDO2 keys or built-in device authenticators to the wider workforce.
  • Phase 3 (Long Term): Completely disable legacy telephony options (SMS/Voice codes) in your identity provider’s authentication-method policies, and check that they are not still reachable through account-recovery or self-service reset flows, which attackers turn to once the primary method is hardened.

Identity security is an ongoing race. Hardening your entry portals today is the highest-value investment you can make to protect your organization’s data.

Need assistance implementing these controls?

Our fractional CISOs and security consultants are ready to help secure your organization.