Legacy MFA approaches such as SMS-based OTPs were once reliable, but cybercriminals are now using more advanced techniques to circumvent these systems. SIM swapping, phishing and man-in-the-middle (MitM) attacks allow attackers to intercept verification codes and gain unauthorised access even when legacy MFA is in place. In many cases, the methods used to extract OTPs or credentials from users are sophisticated enough to bypass SMS-based MFA protections entirely, rendering these traditional security measures obsolete.
Additionally, legacy MFA often relies on passwords as one of its primary factors, which introduces serious vulnerabilities. When passwords are used alongside MFA, any endpoint that cannot enforce MFA becomes a weak link in the security chain. Attackers target these endpoints, knowing that they are effectively unprotected. Moreover, users tend to choose simpler, easier-to-guess passwords when they rely on MFA, inadvertently weakening their defences. This simplicity makes it easier for attackers to brute-force credentials, leaving unprotected endpoints open to exploitation and making MFA less effective overall.
With the adoption of push-based MFA to replace SMS, MFA bombing and the resulting MFA fatigue became the new problems, adding another weak point to traditional approaches to MFA.
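The MFA bombing pattern just described can be spotted in authentication logs. The following is an added example (not code from the original article): it assumes a constructed, simplified log format of `<timestamp> <user> <event> <source_ip>` with `push_sent`, `push_denied` and `push_approved` events, and flags users who receive a burst of prompts or who approve a prompt after repeatedly denying earlier ones.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system), one push-MFA event per line.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z alice push_sent 203.0.113.7
2024-05-01T08:00:05Z alice push_denied 203.0.113.7
2024-05-01T08:00:09Z alice push_sent 203.0.113.7
2024-05-01T08:00:13Z alice push_denied 203.0.113.7
2024-05-01T08:00:20Z alice push_sent 203.0.113.7
2024-05-01T08:00:31Z alice push_sent 203.0.113.7
2024-05-01T08:00:45Z alice push_sent 203.0.113.7
2024-05-01T08:01:02Z alice push_approved 203.0.113.7
2024-05-01T08:30:00Z bob push_sent 198.51.100.9
2024-05-01T08:30:06Z bob push_approved 198.51.100.9
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, user, event, source_ip)."""
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip

def detect_push_bombing(log_text, window=timedelta(minutes=5), max_prompts=4):
    """Return {user: [findings]} for users showing MFA-fatigue indicators.

    'prompt_burst': more than max_prompts push prompts within one sliding window.
    'approved_after_repeated_denials': an approval preceded by two or more
    denials inside the window, the classic sign a worn-down user gave in.
    """
    prompts = defaultdict(deque)   # user -> push_sent timestamps still in window
    denials = defaultdict(deque)   # user -> push_denied timestamps still in window
    findings = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, _ip = parse_line(line)
        for q in (prompts[user], denials[user]):   # expire events outside window
            while q and ts - q[0] > window:
                q.popleft()
        if event == "push_sent":
            prompts[user].append(ts)
            if len(prompts[user]) > max_prompts:
                findings[user].add("prompt_burst")
        elif event == "push_denied":
            denials[user].append(ts)
        elif event == "push_approved" and len(denials[user]) >= 2:
            findings[user].add("approved_after_repeated_denials")
    return {user: sorted(f) for user, f in findings.items()}
```

Running it over the sample flags only `alice`; `bob`, who approved a single prompt, is not reported. The thresholds are illustrative and should be tuned against a deployment's own baseline of prompts per user.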
CISA's recommendations highlight the risks of relying on legacy MFA, which has proven to be the most common point of failure in ransomware incidents. With phishing attempts now highly refined by tools such as generative AI, cybercriminals can create convincingly authentic emails and messages that even well-trained users struggle to detect. The inherent weaknesses of traditional MFA methods, combined with the rise of phishing attacks enabled by generative AI, make it clear that traditional MFA can no longer effectively protect against today's cyber threats.