MFA is the single most effective control against account compromise -- and the most frequently targeted. Not all MFA is equal. Push notifications, TOTP codes, and SMS are all bypassable. Only phishing-resistant MFA actually defeats modern attacks.
| Method | How it works | AiTM bypass | Push fatigue | SIM swap | Phishing-resistant |
|---|---|---|---|---|---|
| SMS OTP | One-time code sent via text message; user types it during login | Defeated | Not applicable | Defeated | No |
| TOTP Authenticator App | Time-based 6-digit code from an app (Google Authenticator, Microsoft Authenticator); changes every 30 seconds | Defeated | Resistant | Resistant | No |
| Push Notification | App sends push to phone; user approves or denies with one tap | Defeated | Vulnerable | Resistant | No |
| Push with Number Matching | User must enter a number shown on the login screen into the app (defeats blind approval) | Defeated | Mitigated | Resistant | No |
| FIDO2 / Passkeys | Cryptographic key pair stored on device; authentication is bound to the specific domain origin and cannot be relayed to a different domain | Resistant | Not applicable | Resistant | Yes |
| Hardware Key (YubiKey) | Physical FIDO2 device; same cryptographic binding as passkeys, but requires physical possession of the hardware token | Resistant | Not applicable | Resistant | Yes |

In the attack columns, "Defeated" means the attack defeats that MFA method, and "Resistant" means the method withstands it.
AiTM bypass: The attacker's proxy relays the MFA challenge to the victim's device and the victim's response back to the server. The victim successfully completes MFA -- but the proxy captures the resulting session cookie. MFA worked perfectly; the problem is that it only protects the login, not the session that results from it. TOTP codes and SMS OTPs are relayed by the proxy in real time within the 30-60 second validity window. Push MFA is approved by the victim and the resulting session is captured.
Push MFA fatigue: The attacker repeatedly initiates sign-in attempts. Each attempt sends a push notification to the victim's phone. After receiving many push notifications, a user may accidentally approve one, approve it to make the notifications stop, or become confused about whether the notifications are legitimate. The ATO-002 scenario at Ficsit Inc. involved m.blake receiving 22 push notifications over 90 minutes before one was accidentally approved at 02:17 AM.
SIM swapping: The attacker social-engineers the victim's mobile carrier to transfer the victim's phone number to a SIM card the attacker controls. All SMS and voice calls -- including OTP codes -- then go to the attacker's phone. Effective against SMS MFA. Does not affect authenticator apps, push MFA, or hardware keys.
Why FIDO2 passkeys resist all of these: When a FIDO2 passkey is registered, the credential is scoped to the origin of the site (its relying party ID). At authentication time, the browser places the origin it is actually connected to into the signed client data, so the cryptographic response is bound to that specific origin. An AiTM proxy operating at a different domain cannot forward this challenge to the legitimate site and obtain a valid response: the origin in the signed data is the proxy's, so the binding check fails. Push fatigue is not possible because there are no push notifications. SIM swapping is irrelevant because FIDO2 does not use SMS.
| Where to look | What you will find |
|---|---|
| ATO-002 scenario | m.blake MFA fatigue attack: 22 push notifications, approval at 02:17, account takeover |
| Identity tool | Sign-in logs showing the push MFA approvals and the resulting authenticated session |
| AiTM Phishing concept | How AiTM specifically bypasses push and TOTP MFA by proxying the full auth flow |