Multi-Factor Authentication Doesn't Stop Phishing. Here Is What It Does
MFA prevents most credential-only attacks but does not stop phishing. Here is the honest read on what MFA achieves and where it falls short.
Multi-factor authentication is one of the most-recommended security controls in modern computing, and rightly so. The recommendation has produced a folk understanding that MFA “stops phishing.” That folk understanding is wrong, in a way that produces predictable failures.
This post is the honest read on what MFA does, what it does not do, and how to think about it in the actual phishing threat model.
What MFA Actually Does
MFA closes the credential-replay attack path. The mechanism:
- An attacker phishes a user’s password.
- The attacker tries to log in with the password.
- The login system requires a second factor (a code from an authenticator app, a hardware key tap, an SMS code).
- The attacker does not have the second factor.
- The login fails.
This is real value. Before MFA, a phished password equaled an account compromise. After MFA, a phished password is mostly useless to the attacker.
Industry data backs this up. Microsoft has reported that accounts with MFA enabled experience over 99% fewer compromise incidents than accounts without MFA. The defense is genuinely effective against the credential-only attack pattern.
What MFA Does Not Do
MFA does not prevent:
The phishing email from arriving. MFA is a login-time control. It has no effect on whether a phishing email reaches the user’s inbox.
The user from clicking the phishing link. MFA is downstream of the click. The user can still be deceived into clicking the link, entering credentials, and proceeding through the phishing workflow.
Wire fraud that does not require account compromise. A vendor-impersonation wire fraud where the user wires money to an attacker-controlled account does not require the attacker to log into anything. MFA is not relevant. We covered this in vendor impersonation: the quiet phishing vector nobody talks about.
Session-token theft. If an attacker steals a session cookie or refresh token (via malware, man-in-the-middle attacks, or browser exploitation), the session is already authenticated. MFA does not re-prompt because the session is valid.
Phishing proxies that intercept MFA. Tools like EvilProxy or Modlishka set up a phishing site that proxies the legitimate login flow in real time. The user enters their password and MFA code on the phishing site; the proxy forwards both to the real site, capturing the resulting session token. The attacker now has an authenticated session that bypasses MFA on subsequent requests.
SIM swapping for SMS-based MFA. SMS codes can be intercepted by an attacker who convinces the carrier to port the user’s phone number to the attacker’s SIM. Most major mobile carriers have implemented SIM-swap-resistance measures, but the attack is still tractable for high-value targets.
Push-fatigue attacks. When MFA is push-based (a notification on the user’s phone asking “approve this login?”), an attacker can trigger continuous push prompts hoping the user eventually approves one out of frustration. Some major breaches have used this technique successfully.
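A detection-side illustration of the push-fatigue pattern, added here as an example and not part of the original post: it scans constructed MFA push events (the log format, user names, ten-minute window and four-prompt threshold are all assumptions) and flags a user who approves a prompt only after a burst of ignored or denied ones, which is the outcome the attack is after.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not real logs). Format:
# "<timestamp> <user> <result>" with result in approved/denied/timeout.
SAMPLE_LOG = """\
2026-03-02T08:01:10Z alice approved
2026-03-02T22:14:02Z bob timeout
2026-03-02T22:14:31Z bob timeout
2026-03-02T22:15:05Z bob denied
2026-03-02T22:15:40Z bob timeout
2026-03-02T22:16:12Z bob timeout
2026-03-02T22:17:03Z bob approved
2026-03-03T09:30:00Z carol denied
2026-03-03T09:45:00Z carol approved
"""

WINDOW = timedelta(minutes=10)   # assumed burst window
THRESHOLD = 4                    # assumed number of unanswered/denied prompts

def parse(log_text):
    """Turn the constructed log text into (timestamp, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, user, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events

def detect_push_fatigue(events):
    """Return {user: severity}. 'burst' means THRESHOLD rejected or ignored
    prompts inside WINDOW; 'approved_after_burst' means the user finally tapped
    approve after such a burst, the case that warrants revoking the session."""
    findings = {}
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    for user, evs in by_user.items():
        recent = []  # non-approved prompts still inside the window
        for ts, result in evs:
            recent = [(t, r) for t, r in recent if ts - t <= WINDOW]
            if result == "approved":
                if len(recent) >= THRESHOLD:
                    findings[user] = "approved_after_burst"
                    break
                continue
            recent.append((ts, result))
            if len(recent) >= THRESHOLD:
                findings[user] = "burst"
    return findings
```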
What This Means in Practice
The folk understanding “MFA stops phishing” produces two predictable failures.
Failure mode one: false confidence. Users with MFA enabled sometimes believe they are now safe from phishing and reduce their attention to other defenses. They click suspicious links more readily, fail to verify wire-transfer changes, and skip security training. The attacker who can bypass MFA (via session hijacking, proxy attacks, or wire fraud) exploits this confidence.
Failure mode two: under-investment in complementary defenses. Organizations that deploy MFA sometimes treat phishing as solved and reduce investment in inbox-layer filtering, awareness training, and procedural verification. The attack surface shrinks but does not close, and the residual risk often produces the most damaging incidents.
The accurate framing: MFA is one layer of defense among several. Each layer addresses a different part of the threat landscape. MFA closes the credential-replay path. Complementary defenses are required for the rest.
What the MFA Hierarchy Looks Like in 2026
Not all MFA is equal. The current ranking from strongest to weakest:
Tier one: hardware-key MFA (FIDO2/WebAuthn). YubiKey, Google Titan, Apple FIDO2 in iOS 17+. The hardware key is bound to the legitimate site through a cryptographic handshake. Phishing proxies cannot replay the authentication because the cryptographic challenge is site-specific. Currently the most resistant to all known phishing attacks.
Tier two: app-based MFA with phishing-resistant features. Microsoft Authenticator with number matching, the latest version of Google Authenticator, Authy with strong-account-protection enabled. Resistant to most attacks but vulnerable to real-time phishing proxies.
Tier three: standard TOTP-based MFA. Authenticator apps with simple 6-digit codes. Resistant to credential-only attacks but vulnerable to phishing proxies and push-fatigue attacks.
Tier four: SMS-based MFA. Better than nothing. Vulnerable to SIM swapping, SS7 interception, and number-port attacks. Increasingly considered insufficient for high-value accounts.
Tier five: email-based “MFA.” Not really MFA at all if the second factor goes to the same email account being protected. Useful only for accounts where the email account has its own strong MFA.
For high-value accounts (primary email, banking, business accounts), hardware-key MFA is the defensible choice. For everything else, app-based MFA with number matching is the practical floor.
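The site binding behind the tier-one recommendation above, and the reason the real-time proxy described earlier captures a TOTP code but not a hardware-key login, shown as an added example that is not code from the original post: a simplified WebAuthn-style relying party in Python. The site names are constructed, and the HMAC used for the authenticator's signature is an illustrative stand-in; real authenticators sign asymmetrically and the RP verifies with the registered public key, but the checks the RP performs are the same.

```python
import hashlib
import hmac
import json
import secrets

# Constructed relying-party (RP) state for the legitimate site. CRED_KEY stands in
# for the authenticator's private key: real WebAuthn verifies an asymmetric
# signature with the stored public key; HMAC keeps this dependency-free.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
CRED_KEY = b"constructed-credential-secret"
_issued_challenges = set()

def rp_issue_challenge():
    """RP side: mint a one-time random challenge and remember it."""
    challenge = secrets.token_hex(16)
    _issued_challenges.add(challenge)
    return challenge

def client_sign(challenge, browser_origin):
    """Browser + authenticator. The browser records the origin the user is really
    on and derives rpId from it; the signature covers both and the challenge."""
    rp_id = browser_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash field
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(CRED_KEY, signed, "sha256").digest()}

def rp_verify(assertion):
    """RP side: the checks that make a relayed assertion worthless."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get" or client.get("origin") != RP_ORIGIN:
        return False                        # signed on the proxy's origin
    if client.get("challenge") not in _issued_challenges:
        return False                        # stale or replayed challenge
    if assertion["authenticatorData"] != hashlib.sha256(RP_ID.encode()).digest():
        return False                        # rpIdHash belongs to another site
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CRED_KEY, signed, "sha256").digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False
    _issued_challenges.discard(client["challenge"])  # single use
    return True

def login_from(browser_origin):
    """Round trip: RP challenge -> client signs on browser_origin -> RP verifies."""
    return rp_verify(client_sign(rp_issue_challenge(), browser_origin))
```

A login signed on the legitimate origin verifies; the same flow run through a look-alike origin, or a captured assertion submitted a second time, is rejected before any password or code is even considered.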
What Defeats Even Hardware-Key MFA
Hardware-key MFA is currently the strongest factor available, but no defense is absolute. The remaining attack surface:
Account-recovery weakness. Many services allow recovery via SMS or email if the hardware key is lost. An attacker who can compromise the recovery channel can reset MFA without having the hardware key. Most services with strong security require multiple recovery factors or in-person verification, but coverage is uneven.
Session hijacking via malware. If the attacker has malware on the user’s machine, they can extract authenticated session cookies after the user has logged in. MFA does not protect against post-login session theft.
Social engineering of support staff. An attacker who can convince a service’s support team to reset MFA on the user’s account bypasses the technical controls. Major breaches have used this technique.
Coercion or compulsion. A user with hardware-key MFA who is physically coerced into authenticating defeats the technical control. This is a rare scenario but worth being aware of for high-risk individuals.
The trend in 2026 is toward pairing hardware-key MFA with additional behavioral protections (anomaly detection on login patterns, a second factor for high-value transactions, reauth-on-sensitive-action). The compounding defenses raise the bar substantially.
How Inbox-Layer Filtering Composes With MFA
MFA is a login-time control. Inbox-layer filtering is a delivery-time control. The two do not interfere with each other and address different parts of the threat lifecycle:
Inbox-layer filtering. Reduces the volume of unsolicited mail reaching the user. Mass phishing campaigns become uneconomical when each recipient costs four cents. Most credential-phishing attempts never reach the user because the campaign math collapses before delivery.
MFA. When a phishing email does reach the user and the user clicks and enters credentials, MFA prevents the attacker from using the credentials to log in. The credential is harvested but useless.
Verification protocols. When a wire-fraud email reaches the user, MFA is not relevant. The user is being asked to wire money based on fraudulent instructions. The defense is procedural: verify by phone before acting.
Awareness training. When a phishing email reaches the user, training reduces the chance the user clicks. The 60-80% reduction in click-through is meaningful when MFA has failed or is not in play.
The combination of all four layers is what produces the lowest residual risk. MFA alone is necessary but not sufficient. Inbox-layer filtering alone is necessary but not sufficient. Both are needed; neither replaces the other.
A Specific Honest Note
MFA is one of the most valuable security controls in modern computing. Microsoft’s data on MFA-driven compromise reduction is real. Hardware-key MFA on your primary email account is the highest-impact single security action you can take.
What MFA does not do is “stop phishing.” Phishing arrives at the inbox before MFA is in play. Phishing exploits the user before the login happens. Phishing accomplishes wire fraud and account-recovery attacks where MFA is not relevant. Treating MFA as a complete answer leaves the attack surface open for the residual risks that produce most damage.
Rythm reduces the volume of phishing reaching the user, which compounds with MFA’s protection at the credential layer. The two layers together reduce the threat surface more than either alone.
For the related guides, see phishing awareness training: what it catches and what it misses, the anatomy of a modern phishing email, vendor impersonation: the quiet phishing vector nobody talks about, and what is BEC. For the broader frame, see why phishing emails are getting harder to spot in 2026. Rythm is $1.65 per month, cancel anytime.