Reframing MFA Bypass: Four Identity Gaps Attackers Exploit

Cybersecurity analysts have popularized the term “multi-factor authentication (MFA) bypass.” It now appears regularly in threat reports, vendor pitches, board presentations, and analyst briefings.
According to recent industry findings, nearly one in three incidents last year involved credential theft. Infostealer delivery increased 84% year over year, and adversary-in-the-middle (AiTM) phishing kits are now sold as turnkey services on the Dark Web. The common framing across these tactics is that attackers bypass MFA.
They usually do not.
A help desk agent who resets an authenticator after a social engineering call is not bypassing MFA. An infostealer that lifts a session cookie from a browser’s local storage has not defeated the second factor. A device code phishing campaign tricking a user into authorizing an attacker’s device through a legitimate flow has not broken MFA. In each case, MFA may have worked exactly as designed. The attacker operated on a surface that MFA was never built to protect.
That distinction matters because it shapes security investments. If you call session theft an MFA bypass, the response is to buy a stronger factor. If you call it what it is, a post-authentication detection gap, the response shifts to session monitoring, token binding, and continuous risk evaluation. The misnomer keeps MFA at the center of a problem it cannot solve alone. It also understates the role of identity threat detection and risk mitigation across the rest of the attack chain.
The Identity Lifecycle Is Where Mature Programs Still Lose
The FBI Cyber Podcast conversation with Mandiant Chief Technology Officer Charles Carmakal is unusually direct about how Scattered Spider and similar groups operate. Attackers call service desks, impersonate employees, and request MFA resets or credential recovery. The success of the campaign depends on whether the agent approves the request without proper identity verification.
In a well-run program, that call should trigger identity proofing at roughly the same assurance level as the original enrollment. In most programs, it triggers a knowledge-based question, manager approval, or a policy that weakens under the pressure of a live call.
An authenticator is only as strong as the workflow that provisions it and the workflow that recovers it. Those workflows are usually less monitored and more forgiving than the login itself. Modern social engineering campaigns exploit that gap.
What the industry calls “MFA bypass” actually describes four distinct problems. Each requires more than MFA to defend against.
1. Adversary-in-the-middle relay
AiTM phishing kits such as Tycoon 2FA proxy the user’s session through attacker infrastructure in real time. The user sees a legitimate login page, completes a real MFA prompt, and receives a valid session. The attacker captures the session token as it passes through the proxy. The factor worked as designed, but the session artifact was intercepted in transit.
Phishing-resistant factors that bind to the relying party’s origin can block this vector. These are specified in the World Wide Web Consortium (W3C) Web Authentication Level 3 and supported through Fast Identity Online (FIDO2) passkeys. They won’t authenticate against a spoofed origin. Even so, defenses should also include detection of anomalous token usage.
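To show why an origin-bound factor stops a relay, here is a relying-party check written as an added example for this article (it is not code from the article or from any vendor named in it). It implements the clientDataJSON and authenticatorData checks that the WebAuthn assertion-verification procedure requires of a relying party: ceremony type, challenge, origin, rpIdHash and the user-presence flag. The signature check over authenticatorData plus the hash of clientDataJSON is omitted because it would need a key pair; the point here is that a session proxied through a lookalike domain yields a different origin and rpIdHash, so the assertion is rejected even though the user completed a real prompt. The relying-party names, the challenge bytes and the helper that fabricates browser output are constructed for the demonstration.

```python
import base64
import hashlib
import json

# Constructed example: the relying party the user actually enrolled with.
EXPECTED_RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for clientDataJSON and challenges."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes) -> str:
    """Fabricate the clientDataJSON a browser would produce when the page at `origin` calls navigator.credentials.get().

    The browser, not the page, fills in `origin`, which is why a proxy cannot forge it (constructed helper)."""
    payload = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(payload).encode())


def make_authenticator_data(rp_id: str) -> bytes:
    """Minimal authenticatorData: SHA-256(rpId) || flags || signCount (constructed helper)."""
    flags = b"\x01"  # user-present bit set
    return hashlib.sha256(rp_id.encode()).digest() + flags + (1).to_bytes(4, "big")


def verify_assertion(client_data_b64: str, authenticator_data: bytes, expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party side of WebAuthn assertion verification, minus the signature check.

    Returns (accepted, reason). Any mismatch in origin or rpIdHash means the ceremony ran against a
    different site than the one the credential was registered with, which is what an AiTM relay produces."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"  # replayed or stale assertion
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; a real server draws this from a CSPRNG per ceremony
    genuine = verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge),
                               make_authenticator_data(EXPECTED_RP_ID), challenge)
    relayed = verify_assertion(make_client_data("https://login.example-com.net", challenge),
                               make_authenticator_data("login.example-com.net"), challenge)
    print("genuine:", genuine)   # (True, 'ok')
    print("relayed:", relayed)   # (False, 'origin mismatch: https://login.example-com.net')
```

In a real relay the failure happens even earlier: the browser scopes the request to the lookalike domain, the authenticator holds no credential for that rpId, and nothing is signed at all. The server-side checks above are the backstop for the case where an assertion does arrive, and they are the reason the article can say these factors "won't authenticate against a spoofed origin".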
2. Session and token theft after authentication
A February 2026 Microsoft Security blog post shows infostealer threats are expanding rapidly. These threats target browser session cookies and authentication tokens across multiple environments. A replayed cookie can grant access without triggering an authentication event.
The defense operates at the session layer. It includes device-bound tokens, continuous access evaluation, and detection of sessions that originate from new networks or devices.
3. Identity lifecycle exploitation
The FBI’s January 2025 discussion with Mandiant describes Scattered Spider operators who socially engineer MFA resets and credential recovery through service desks. The authenticator is revoked and reissued to the wrong person through a trusted workflow. The defense belongs in the recovery process. It requires identity proofing at the same assurance level as initial enrollment, along with identity threat detection that correlates help desk activity to subsequent privilege changes.
4. Identity enrollment fraud
If an attacker compromises an email address or phone number long enough to intercept an enrollment link, they can register a phishing-resistant credential on their own device. The factor itself is strong, but it becomes useless once an attacker controls it. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63A defines identity assurance levels to address this risk. Proofing methods must scale with the impact of a false identity claim. Without sufficient identity proofing during enrollment, organizations build strong authentication on weak foundations.
Identity Threat Detection Across the Chain
So, what should organizations consider when addressing the MFA bypass myth?
Phishing-resistant MFA is highly effective at protecting the login event. It prevents credential replay, blocks spoofed domains, and raises the bar against phishing. But attackers have adapted. Instead of targeting authentication directly, they focus on everything around it, including session tokens, account recovery workflows, help desks, and enrollment processes. In many cases, MFA works exactly as designed. The compromise occurs after authentication or through trusted administrative paths.
So stronger authentication factors are not enough. They address part of the problem while leaving other areas exposed.
Identity threat detection and risk mitigation fills that gap. It extends identity security beyond the login event and identifies suspicious behavior across the entire identity lifecycle. This includes:
- Session anomalies, such as tokens reused from new locations or infrastructure
- Unusual MFA resets or password recovery requests
- Privilege changes that follow help desk interactions
- New device enrollments or authentication methods added under risky conditions
Rather than assuming that a successful login reflects a legitimate user, identity threat detection continuously evaluates risk. It correlates risk signals across systems and surfaces patterns that indicate account takeover, even when MFA has been satisfied.
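The four signals listed above, together with the session-layer detection from the token-theft section and the help-desk correlation from the lifecycle section, can be expressed as a small correlation pass over a merged identity audit trail. The following is an added example written for this article, not code from the article or from any product it mentions. The events, field names (`session`, `helpdesk_mfa_reset`, `role_grant`, `mfa_enroll`) and the two-hour correlation window are constructed for the demonstration; a real deployment would map its identity provider's and ticketing system's schemas onto them.

```python
from datetime import datetime, timedelta

# Constructed sample audit trail, merged from an identity provider and a help-desk system.
EVENTS = [
    {"ts": "2026-03-02T08:00:00", "type": "login", "user": "alice", "session": "S1",
     "ip": "203.0.113.10", "ua": "Chrome/Win", "mfa": True},
    {"ts": "2026-03-02T08:05:00", "type": "api_call", "user": "alice", "session": "S1",
     "ip": "203.0.113.10", "ua": "Chrome/Win"},
    # S1 reused from another network and browser with no new login: a replayed cookie.
    {"ts": "2026-03-02T08:25:00", "type": "api_call", "user": "alice", "session": "S1",
     "ip": "198.51.100.7", "ua": "Firefox/Linux"},
    # Help desk resets bob's authenticator; a new method is enrolled and bob is made admin soon after.
    {"ts": "2026-03-02T09:00:00", "type": "helpdesk_mfa_reset", "user": "bob", "actor": "agent42"},
    {"ts": "2026-03-02T09:10:00", "type": "mfa_enroll", "user": "bob", "method": "authenticator_app",
     "ip": "198.51.100.7"},
    {"ts": "2026-03-02T09:40:00", "type": "role_grant", "user": "bob", "role": "GlobalAdmin", "actor": "bob"},
    # carol's reset is followed by nothing unusual and should produce no finding.
    {"ts": "2026-03-02T10:00:00", "type": "helpdesk_mfa_reset", "user": "carol", "actor": "agent17"},
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def detect_session_anomalies(events):
    """Flag a session token used from a network or client other than the one that authenticated it.

    The login event binds (ip, ua) to the session id; later activity that does not match is a
    post-authentication signal, since no new authentication event occurred."""
    bound = {}  # session id -> (ip, ua) at the authentication event
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        sid = e.get("session")
        if sid is None:
            continue
        if e["type"] == "login":
            bound[sid] = (e["ip"], e["ua"])
            continue
        origin = bound.get(sid)
        if origin is None:
            findings.append({"rule": "session_without_login", "user": e["user"], "session": sid, "ts": e["ts"]})
        elif origin != (e["ip"], e["ua"]):
            findings.append({"rule": "session_replay", "user": e["user"], "session": sid,
                             "ts": e["ts"], "ip": e["ip"], "expected_ip": origin[0]})
    return findings


def detect_lifecycle_abuse(events, window: timedelta = timedelta(hours=2)):
    """Correlate a help-desk MFA reset with a new enrollment or privilege change for the same user within `window`.

    Each reset is the anchor; the finding records which agent approved it so the recovery workflow
    itself can be reviewed, not just the user account."""
    findings = []
    for r in (e for e in events if e["type"] == "helpdesk_mfa_reset"):
        t0 = parse_ts(r["ts"])
        for e in events:
            if e["user"] != r["user"] or e["type"] not in ("role_grant", "mfa_enroll"):
                continue
            dt = parse_ts(e["ts"]) - t0
            if timedelta(0) <= dt <= window:
                findings.append({"rule": f"{e['type']}_after_helpdesk_reset", "user": e["user"], "ts": e["ts"],
                                 "minutes_after_reset": int(dt.total_seconds() // 60), "agent": r["actor"]})
    return findings


def detect_shared_infrastructure(events):
    """Tie a new enrollment to infrastructure already implicated in a replayed session for another user.

    This is the cross-system correlation the article describes: neither event is conclusive alone."""
    suspect_ips = {f["ip"] for f in detect_session_anomalies(events) if f["rule"] == "session_replay"}
    return [{"rule": "enrollment_from_suspect_ip", "user": e["user"], "ip": e["ip"], "ts": e["ts"]}
            for e in events if e["type"] == "mfa_enroll" and e.get("ip") in suspect_ips]


def run_all(events):
    return detect_session_anomalies(events) + detect_lifecycle_abuse(events) + detect_shared_infrastructure(events)


if __name__ == "__main__":
    for f in run_all(EVENTS):
        print(f)
```

Against the constructed trail this yields four findings: alice's session replayed from 198.51.100.7, bob's enrollment and admin grant 10 and 40 minutes after agent42's reset, and bob's enrollment coming from the same address as alice's replayed session. None of them involves a failed MFA prompt, which is the article's point: the factor held, and the evidence lives in the events around it.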
The Bottom Line
In short, phishing-resistant MFA is necessary, but not sufficient to address MFA bypass attacks. Organizations need visibility and detection across the full identity lifecycle, because that is where attackers now operate.