
MFA Fails When Attackers Have Your Credentials

Summary

– In February 2026, Figure, a financial services company, exposed 967,200 email records in a breach that required no technical exploit.
– Adversaries use such exposed email lists for credential stuffing, targeted AI-phishing, and help desk social engineering to gain valid access.
– Legacy MFA methods like push notifications and TOTP are vulnerable to real-time phishing relay attacks that intercept and forward authentication challenges.
– True phishing-resistant authentication requires cryptographic origin binding, hardware-bound keys, and live biometric verification simultaneously.
– The article promotes Token’s platform as a solution that enforces live biometric matches and cryptographic binding to verify the human, not the device.

The recent Figure data breach, which exposed roughly 967,200 email records without a single vulnerability being exploited, illustrates a weakness in how most authentication systems are designed. When an attacker already holds a valid username and password, conventional multi-factor authentication (MFA) often adds little. The real risk is not the exposure itself but the attack chains it enables, each built to bypass conventional controls by logging in rather than breaking in.

Following such a breach, adversaries run several workflows in parallel. The first is credential stuffing, where automated tools test the exposed email addresses against password databases from earlier breaches. Success rates typically run at two to three percent of the addresses tested, which for a list of this size would yield roughly 20,000 to 29,000 valid login pairs. The second is AI-generated phishing, where generative tooling crafts highly personalized, convincing messages in minutes. The third is help desk social engineering, where attackers use basic personal details to impersonate employees and request account resets. In each case the goal is not to break in technically but to log in legitimately, turning the authentication system against itself.

Push, SMS and TOTP-based MFA cannot interrupt this chain. Attackers now routinely run real-time phishing relays, also called adversary-in-the-middle (AiTM) attacks: using publicly available toolkits, they place a reverse proxy between the victim and the legitimate service. The victim enters credentials and an MFA code on the proxied page; the proxy submits them to the real site as they arrive and captures the resulting session cookie, which then works without further MFA until it expires. Push notifications, SMS codes and authenticator-app codes all fall to this because nothing in the factor is bound to the site the user is actually on: the real service cannot distinguish a relayed code or approval from one entered directly, and none of these factors attest that the authorized person was present. This is compounded by MFA fatigue attacks, where repeated push notifications are sent until a user approves one by mistake.

The standard industry response, user education, is insufficient. In a relay attack the MFA prompt the user receives is genuine; it comes from the real service through their normal app, so there is nothing suspicious to detect. The underlying flaw is that most authentication systems were not built to answer the question that matters after a breach: was the authorized individual physically present and verified at the moment of login? Push notifications, SMS and time-based one-time passwords (TOTP) cannot answer it. A FIDO2 security key does defeat the relay, because its signature is bound to the origin, but a touch on the key proves only that someone was holding it; it says nothing about who, unless the authenticator itself verifies the user with a PIN or biometric.

Achieving phishing-resistant authentication requires three properties at once. First, cryptographic origin binding: the credential is scoped to a specific domain and the signature covers the origin the browser is actually on, so an assertion produced on a spoofed site is rejected by the real service. Second, hardware-bound private keys that never leave secure storage, so the credential cannot be exfiltrated or copied. Third, live biometric verification that confirms the authorized person is physically present. With all three in place a relay attack has no viable path: the adversary cannot replay or reconstruct the session, cannot use a stolen device, and cannot socially engineer an approval.
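The two failure modes above (a relayed TOTP code is accepted; an origin-bound assertion is not, and a touch-only key passes presence but not identity) can be shown side by side. The following is an added example, not code from the article or from Token, written against the standard library only. It models a WebAuthn-style ceremony with HMAC standing in for the asymmetric signature, which is the one simplification to keep in mind: the relying party's stored `verify_key` here equals the authenticator secret, whereas a real relying party holds only the public key. The origins `app.example.com` and `app-example-com.evil.test`, the RP ID `example.com`, the TOTP seed and all function names are constructed for the demonstration.

```python
"""Added example (not the article's or Token's code): why a relayed TOTP code is
accepted while a relayed origin-bound assertion is rejected. Standard library only;
HMAC stands in for WebAuthn's asymmetric signature, so the RP's stored verify_key
equals the authenticator secret (a real RP holds only the public key). Origins,
RP ID and secrets are constructed."""
import base64, hashlib, hmac, json, os, struct, time
from urllib.parse import urlparse

REAL_ORIGIN = "https://app.example.com"             # constructed legitimate site
REAL_RP_ID = "example.com"                          # credential scope
PHISH_ORIGIN = "https://app-example-com.evil.test"  # constructed AiTM proxy site
FLAG_UP, FLAG_UV = 0x01, 0x04  # authenticator flags: user present / user verified

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", int(unix_time // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def relay_totp_accepted() -> bool:
    """Victim types the code on the phishing page; the proxy forwards it in time."""
    seed = b"constructed-totp-seed"   # shared by the user's app and the service
    now = time.time()
    code_from_phish_page = totp(seed, now)
    # The digits carry nothing about where they were typed, so the real
    # service cannot tell the relayed code from one typed directly.
    return hmac.compare_digest(code_from_phish_page, totp(seed, now))

class Authenticator:
    """Hardware-bound key: the secret never leaves this object."""
    def __init__(self, rp_id: str, user_verifies: bool):
        self.rp_id, self.user_verifies = rp_id, user_verifies
        self._key, self.counter = os.urandom(32), 0

    def registration_record(self) -> dict:   # what the RP stores at enrollment
        return {"rp_id": self.rp_id, "verify_key": self._key, "counter": 0}

    def sign(self, rp_id: str, client_data_hash: bytes):
        if rp_id != self.rp_id:
            raise ValueError("no credential scoped to this RP ID")
        self.counter += 1
        flags = FLAG_UP | (FLAG_UV if self.user_verifies else 0)
        auth_data = sha256(rp_id.encode()) + bytes([flags]) + struct.pack(">I", self.counter)
        return auth_data, hmac.new(self._key, auth_data + client_data_hash, hashlib.sha256).digest()

def browser_get_assertion(authn, page_origin, rp_id, challenge, enforce_scope=True):
    """The browser, not the page, writes the origin and enforces RP ID scoping."""
    host = urlparse(page_origin).hostname or ""
    if enforce_scope and not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"{page_origin} may not use a credential scoped to {rp_id}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}, separators=(",", ":")).encode()
    auth_data, sig = authn.sign(rp_id, sha256(client_data))
    return client_data, auth_data, sig

def rp_verify(record, expected_origin, challenge, client_data, auth_data, sig, require_uv=True) -> str:
    """Relying-party checks; returns 'ok' or the first reason for rejection."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != b64url(challenge):
        return "wrong ceremony or challenge"
    if cd.get("origin") != expected_origin:                 # origin binding
        return f"origin mismatch: signed for {cd.get('origin')}"
    if auth_data[:32] != sha256(record["rp_id"].encode()):
        return "RP ID hash mismatch"
    flags, counter = auth_data[32], struct.unpack(">I", auth_data[33:37])[0]
    if not flags & FLAG_UP:
        return "no user presence"
    if require_uv and not flags & FLAG_UV:                  # presence is not identity
        return "user not verified on the authenticator"
    if counter <= record["counter"]:
        return "signature counter did not increase"
    expected = hmac.new(record["verify_key"], auth_data + sha256(client_data), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "bad signature"
    record["counter"] = counter
    return "ok"

def run_login(page_origin: str, user_verifies: bool = True, enforce_scope: bool = True) -> str:
    """One ceremony. For the AiTM case the proxy takes the real RP's challenge to
    the victim's browser on PHISH_ORIGIN and forwards whatever comes back."""
    authn = Authenticator(REAL_RP_ID, user_verifies)
    record = authn.registration_record()
    challenge = os.urandom(32)                     # issued by the real RP
    try:
        cd, ad, sig = browser_get_assertion(authn, page_origin, REAL_RP_ID, challenge, enforce_scope)
    except PermissionError as exc:
        return f"browser refused: {exc}"
    return rp_verify(record, REAL_ORIGIN, challenge, cd, ad, sig)

if __name__ == "__main__":
    print("relayed TOTP accepted:", relay_totp_accepted())
    print("legit login:", run_login(REAL_ORIGIN))
    print("relay, browser scoping on:", run_login(PHISH_ORIGIN))
    print("relay, scoping bypassed:", run_login(PHISH_ORIGIN, enforce_scope=False))
    print("touch-only key, UV required:", run_login(REAL_ORIGIN, user_verifies=False))
```

Two layers stop the relay independently: the browser refuses to use a credential scoped to `example.com` from any other origin, and even with that scoping bypassed (`enforce_scope=False`, a deliberate weakening to show the second layer) the relying party rejects the assertion because the phishing origin is inside the signed client data. The last case shows the article's remaining point: a key that only records a touch is still rejected when the relying party demands user verification, because presence of a device is not presence of the authorized person.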

This is the principle behind a modern biometric assured identity platform. It verifies the human, not the device or session, by enforcing live biometrics, hardware-bound cryptography, and physical proximity checks for every authentication event. There is no fallback code or help desk override. If the authorized individual is not present and verified, access is not granted. This approach directly eliminates the risks from credential stuffing and phishing, as a spoofed page cannot produce a valid signature and a relayed session cannot be reconstructed.

For high-risk environments where authentication failure is not an option, this architectural shift is critical. The continuous operational threat from exposed data requires controls that do not rely on human judgment as the final decision point. The question is no longer if these attacks will be attempted, but whether your authentication foundation will hold when they are. Moving beyond legacy MFA to a system that cryptographically verifies human presence is the necessary evolution to close this security gap.

(Source: BleepingComputer)
