
Why MFA Is No Longer Enough: A Guide to Phishing-Resistant Authentication for Indian Enterprises

Updated: 02 Apr 2026


For years, multi-factor authentication (MFA) has been the first answer CISOs reach for when asked how their organisation protects user identities. Implement MFA, the logic goes, and you have closed the single biggest door attackers walk through: stolen credentials. 

That logic was sound. It is no longer sufficient. 

Attackers have not stopped targeting MFA-protected accounts. They have simply stopped trying to defeat MFA the hard way. Instead, they intercept sessions, exhaust users into approving requests, and extract tokens that were generated after a successful authentication. The result is the same: a compromised account, in an organisation that had MFA switched on the whole time. 

What is phishing-resistant MFA? Phishing-resistant MFA is an authentication method that uses device-bound cryptographic key pairs, tied to a specific domain, that cannot be intercepted, relayed, or replayed by an attacker, even when the user is actively deceived by a convincing fake login page. Unlike traditional MFA, which operates at the human layer, phishing-resistant MFA provides protection at the cryptographic layer. The authentication either succeeds against the legitimate domain or it does not proceed at all. 
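To make the domain binding concrete, here is an added Python example (written for this article, not code from the original post, from Cisco Duo or from any FIDO library) of the checks a WebAuthn relying party performs on an assertion before accepting it. The RP ID, both origins and the challenge handling are constructed for the demo, and the final signature check that seals these fields is left out.

```python
import base64
import hashlib
import json

RP_ID = "login.example.com"                     # constructed legitimate RP ID
REAL_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example-sso.net"  # constructed AiTM proxy host

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def browser_client_data(page_origin: str, challenge: bytes) -> bytes:
    """The browser, not the page script, writes origin and challenge into
    clientDataJSON; the authenticator signs its SHA-256, so a proxy cannot edit it."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": page_origin}).encode()

def authenticator_data(rp_id: str) -> bytes:
    """authenticatorData begins with SHA-256(rpId); flags and counter are placeholders."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + bytes(4)

def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: bytes) -> list:
    """Relying-party checks on clientDataJSON and authenticatorData.
    An empty list means accept; otherwise each entry is a reason to reject."""
    cd = json.loads(client_data_json)
    problems = []
    if cd.get("type") != "webauthn.get":
        problems.append("wrong type")
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        problems.append("challenge mismatch")      # stale or replayed assertion
    if cd.get("origin") != REAL_ORIGIN:
        problems.append("origin mismatch")         # user was on a proxied page
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash mismatch")       # key was scoped to another domain
    return problems

def login_attempt(page_origin: str, requested_rp_id: str, challenge: bytes) -> list:
    """One ceremony as the real RP sees it: page_origin is the page the user is
    actually looking at, requested_rp_id is what that page's script asked for.
    Real browsers refuse an rpId that is not a suffix of the origin's registrable
    domain, so a proxy on its own host can only ask for its own domain."""
    cd = browser_client_data(page_origin, challenge)
    return verify_assertion(cd, authenticator_data(requested_rp_id), challenge)
```

A login from REAL_ORIGIN with a fresh challenge returns an empty list, while the same user completing the identical ceremony on PROXY_ORIGIN returns both an origin and an rpIdHash mismatch: the credential the attacker relays simply does not verify against the real domain.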

How Attackers Are Bypassing MFA in 2026 

This is not a theoretical problem. The tooling is cheap, widely available, and requires no deep technical expertise to deploy. Here are the four techniques driving the majority of MFA bypasses in enterprise environments today. 

1. Adversary-in-the-Middle (AiTM) Attacks 

AiTM is now the dominant technique, and it is industrialised. Using phishing-as-a-service platforms — most prominently Tycoon, Evilginx, and Graphish — attackers deploy a reverse proxy between the user and the legitimate login page. The user enters their credentials and completes the MFA challenge. Everything appears normal. The proxy has already captured the authenticated session token, which the attacker uses to access the account without ever needing the password or the MFA code. 

In 2025, Proofpoint identified the Tycoon platform alone as having compromised accounts across more than 900 Microsoft 365 environments, with a confirmed success rate exceeding 50% against targeted accounts. Microsoft's own security research shows AiTM attacks are a direct and growing consequence of wider MFA adoption: as more organisations lock down with MFA, attackers route around it rather than through it. 

The critical point is this: the user did everything correctly. They entered their password. They approved the MFA request. The attacker got in anyway. Standard MFA provides no defence against this attack class. 

(Sources: Proofpoint Threat Insight, 2025; Microsoft Security Blog, May 2025)

2. MFA Fatigue (Push Bombing) 

This one is simpler, and arguably more alarming because of how reliably it works. An attacker who has obtained a user's credentials sends repeated MFA push notifications to that user's phone — one after another, at any hour — until the user taps Approve out of confusion, fatigue, or a desire to make the noise stop. 

This is not theoretical. It is precisely how Uber was breached in 2022. Lapsus$ made the technique famous. Dozens of derivative threat groups adopted it immediately. Any organisation running standard push-based MFA without additional controls is exposed to this attack right now. 

3. Session Token Theft 

Infostealer malware families do not attempt to capture passwords as they are typed. They extract authentication tokens already present in browser memory — tokens generated after a successful MFA event. With a valid session token, an attacker accesses corporate applications without triggering any authentication prompt at all. 

This severs the link between MFA and account security entirely. The attack succeeds after authentication, not during it. According to Datadog's 2024 State of Cloud Security report, credential-related breaches — many involving stolen session tokens — extend average breach detection and containment timelines to 292 days. 

(Source: Expert Insights MFA Statistics, 2025)

4. SIM Swapping and SMS Interception 

For organisations still relying on SMS-based one-time passwords, SIM swapping remains an active and effective attack vector. By convincing a mobile operator to transfer a victim's number to an attacker-controlled SIM, or by exploiting vulnerabilities in the SS7 signalling protocol, attackers redirect OTPs to a device they control. This is particularly relevant in India, where SMS-based authentication remains widely deployed in BFSI environments. 

FIDO2 hardware keys are domain-bound and cryptographically verified — they are the only authentication method currently assessed as providing full protection against AiTM attacks. No intercepted token, no captured OTP, no social engineering path exists. 

(Source: CaptainDNS Phishing Statistics 2025–2026)

Why This Matters Specifically for Indian Enterprises 

India's threat exposure is not average. The country consistently ranks among the most targeted globally, and 2025 has sharpened that pattern considerably. The AIIMS Delhi breach, the SPARSH portal compromise, and the M&S breach — executed through social engineering of helpdesk staff — are data points in an accelerating trend, not isolated incidents. 

The regulatory environment is tightening simultaneously, and in ways that make stronger authentication a compliance matter, not merely a best practice. 

CERT-In mandates incident reporting within six hours and requires organisations to maintain detailed logs of authentication activity. A credential compromise routed through bypassed MFA is precisely the class of breach this obligation was designed to capture — and that phishing-resistant authentication prevents. 

RBI's cybersecurity guidelines for banks and NBFCs set progressively stringent requirements for identity verification and access control. SMS-based OTPs, still deployed at many financial institutions, do not satisfy the spirit of these requirements as the guidelines evolve. 

DPDP (Digital Personal Data Protection Act) creates direct accountability for personal data breaches. Since account takeover via credential theft is among the leading causes of such incidents, demonstrating robust authentication controls is becoming part of the compliance narrative that auditors expect. 

SEBI's Cybersecurity and Cyber Resilience Framework similarly drives requirements for strong authentication across the capital markets infrastructure. 

Enterprises with manufacturing operations face a distinct dimension of this problem. As OT and IT environments converge — with plant floor systems, SCADA platforms, and ERP applications increasingly interconnected — the authentication perimeter expands significantly. Vendor access, remote monitoring, and shift handover processes all create authentication moments that attackers can and do target. Phishing-resistant MFA is not a corporate IT requirement alone; it is increasingly a plant floor imperative. 

How Cisco Duo Approaches Phishing Resistance 

Understanding why phishing resistance matters is the easy part. Deploying it across a complex enterprise is where most organisations stall — hardware procurement, FIDO2 infrastructure, migration planning, and user adoption. Cisco Duo is designed for this transition, offering a layered path to full phishing resistance without leaving gaps during the journey. 

Verified Duo Push is the most immediate improvement over standard push-based MFA. Rather than a simple approve/deny notification — which push bombing defeats trivially — Verified Push requires the user to enter a numeric code displayed on the login screen into the Duo Mobile app. A remote attacker cannot complete this step. This closes the fatigue attack vector without requiring new hardware or devices. 

Proximity Verification uses Bluetooth Low Energy to confirm that the authentication device and the access device are physically co-located. An attacker running an AiTM campaign from a different geography cannot satisfy this requirement. It provides protection equivalent to FIDO2 for environments where hardware security keys are not yet deployed, using the Duo Mobile app that many organisations already have in place. 

FIDO2 and WebAuthn authenticators — platform biometrics, including Windows Hello, Face ID, and fingerprint sensors, as well as roaming hardware keys — provide the strongest authentication available. Duo's support for FIDO2 is comprehensive, and its management layer makes enrolling and administering these authenticators practical at enterprise scale. Critically, most modern endpoints already support platform-based FIDO2. This is not a large hardware procurement exercise; for the majority of users on current devices, it is a configuration and policy decision. 

Adaptive Authentication applies contextual risk signals to close gaps even where a traditional factor is used. Unfamiliar device, anomalous location, unusual access time, compromised device posture — Duo's policies can step up authentication requirements when signals indicate elevated risk, without creating friction for normal access patterns. 

Proactive's Four-Step Phishing-Resistant MFA Readiness Assessment 

Organisations rarely need to replace their entire authentication infrastructure at once. The most effective migrations are sequenced by risk, not applied uniformly. After deploying Cisco Duo across manufacturing, BFSI, and IT/ITeS enterprises across India, this is the framework Proactive uses to move organisations from exposed to protected without disruption. 

Step 1: Authentication Audit: Map every application, user population, and authentication method currently in use. The goal is a clear picture of where SMS OTPs are deployed, where standard push is running, and where legacy factors — or no MFA at all — still exist. This is often more complex than IT teams expect, particularly in environments with both cloud and on-premise applications. 

Step 2: Risk Tiering: Classify users and applications by access risk. Privileged accounts — administrators, executives, anyone with access to financial systems, sensitive data, or operational infrastructure — represent the highest priority. External users, contractors, and vendor access represent a second tier. Standard users come third. This tiering determines sequencing, not eligibility. Every user needs phishing-resistant MFA eventually; this step determines who gets there first. 

Step 3: Migration Sequencing: Define a Duo-specific rollout order that minimises disruption and maximises early risk reduction. For most enterprises, this means enabling Verified Duo Push immediately as a universal baseline, deploying FIDO2 for Tier 1 users in the first phase, and extending progressively through the population. This approach delivers meaningful risk reduction within weeks, not months. 

Step 4: Policy Binding: Tie Duo's device trust and adaptive access policies to the organisation's broader zero trust framework. Authentication is the entry point; what happens after authentication — whether the device is compliant, whether the access context is legitimate, whether the session behaves normally — is where the broader security posture is defined. 

Want us to run this assessment for your organisation? Write to us at [email protected] to speak to a Cisco Duo expert 

The Friction Objection 

The most common reason organisations delay stronger authentication is concern about user experience. This objection deserves a direct answer. 

Windows Hello authenticates with a facial recognition scan. Face ID on an iPhone takes under a second. A hardware security key requires a single tap. Verified Duo Push adds the step of entering a short code — a modest addition that eliminates an entire attack class. Once users have completed a one-time enrolment, the day-to-day experience is frequently faster than the username, password, and OTP workflow it replaces. 

The friction argument also looks different when viewed from the other direction. What is the experience of being the person whose credentials were used to breach their employer's environment? What is the business cost of a breach investigation, regulatory notification, and remediation process — all triggered by an attack that phishing-resistant authentication would have stopped at the proxy layer? 

The question is not whether stronger authentication creates friction. The question is which kind of friction the organisation is prepared to accept. 

What Happens if You Wait 

The attack tooling is not standing still. In April 2025, Proofpoint detected AiTM campaigns that successfully bypassed the email security controls of six major vendors simultaneously — including three ranked as leaders in Gartner's Magic Quadrant for Email Security Platforms. The kits are evolving faster than perimeter defences are. Phishing-resistant authentication is the control that operates independently of whether the email got through, the link looked legitimate, or the user made the right decision. 

CISA, the UK's NCSC, and India's CERT-In have all moved in the same direction: phishing-resistant MFA is the designated standard for high-value authentication. The direction of travel is not ambiguous. The only variable is how long each organisation takes to get there — and what happens in the gap. 

Proactive Data Systems is a Cisco Preferred Partner in India, operating across Delhi NCR, Mumbai, Bangalore, Pune, and Hyderabad. Our security architects work with CISOs and IT leaders in Manufacturing, BFSI, and IT/ITeS organisations to design and implement phishing-resistant authentication strategies that fit your infrastructure, your users, and your compliance requirements — not a generic playbook. 

To understand what a Cisco Duo deployment looks like for your organisation specifically, speak with our team. Write to [email protected] today. 
