When attackers already have the keys, MFA is just another door to open
When attackers already hold a list of valid email addresses, multi-factor authentication (MFA) is just another door they know how to open. The recent Figure breach exposed 967,200 email records without any exploit, yet those addresses feed credential stuffing, AI-generated phishing, and real-time relay attacks that walk straight through MFA. Legacy MFA leaves the final decision to a user who cannot tell a relayed prompt from a genuine one, which is exactly what phishing-relay tools such as Evilginx and Modlishka exploit. A robust solution must cryptographically bind each authentication to the exact origin being visited, keep the private key in secure hardware, and verify live that the authorized person is the one present. Token's Biometric Assured Identity platform combines wireless proximity, hardware-bound signatures, and real-time fingerprint matching to close off the phishing, replay, and delegation paths and the human-judgment exceptions that legacy MFA depends on. The result is that access is granted only when the legitimate person is physically present, which addresses the structural gap in most current MFA deployments.

- Introduction
- The breach landscape has shifted from "exploited vulnerabilities" to "operational inputs": data that attackers can weaponize at scale without needing a flaw to exploit.
- Even with MFA in place, authentication can still fail catastrophically if the attacker can obtain valid credentials and impersonate a legitimate user.
- This post unpacks how a credential exposure becomes a multi-step attack chain and why traditional MFA often cannot stop it.
- The Figure breach: 967,200 email records exposed
- In early 2026, a financial services firm disclosed that nearly one million email addresses were exposed in a data breach.
- No vulnerability was exploited and no zero-day was needed; the data was reachable, and its value to the attackers lies in what it enables next.
- The number of exposed records is not the event itself; it is the starting point for a downstream set of authentication failures and compromise attempts.
- Attack chains opened by exposed email records
Exposed addresses are not static data; they become operational inputs attackers can reuse immediately.
Within hours, adversaries typically run several workflows in parallel:
- Credential stuffing: attackers take the exposed addresses, pair them with passwords from earlier breaches or common reuse patterns, and test the combinations at scale against enterprise portals, VPNs, and identity providers. The goal is a handful of valid credential pairs belonging to members of the target organization.
- Targeted phishing: AI-assisted tooling crafts messages that name the organization, mimic internal communications, and are tailored to a recipient's role, department, or public footprint, which makes them far harder to spot than bulk phishing.
- Help desk social engineering: with a valid email address and some surface-level OSINT, attackers call IT support and ask for password resets, MFA resets, or account unlocks, exploiting the human side of authentication.
Across these workflows no technical vulnerability is required. The aim is not to break in through a flaw but to log in as a legitimate user by manipulating the authentication process itself.
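A detection-side check that goes with the credential-stuffing workflow above, added here as an example and not part of the original post or of any Token product. It scans constructed authentication log lines (not real data) for a source IP that attempts many distinct accounts within a short window with mostly failures, and reports the accounts that did succeed, since those are the valid credential pairs the attacker was after. The log format, the thresholds and the IP addresses (RFC 5737 test ranges) are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): timestamp, source IP, username, result.
# 198.51.100.2 is a user mistyping once; 203.0.113.7 is a stuffing run that hits one account.
SAMPLE_LOG = """\
2026-02-03T09:00:01Z 198.51.100.2 alice@example.com FAIL
2026-02-03T09:00:09Z 198.51.100.2 alice@example.com OK
2026-02-03T09:01:00Z 203.0.113.7 alice@example.com FAIL
2026-02-03T09:01:02Z 203.0.113.7 bob@example.com OK
2026-02-03T09:01:03Z 203.0.113.7 carol@example.com FAIL
2026-02-03T09:01:05Z 203.0.113.7 dave@example.com FAIL
2026-02-03T09:01:06Z 203.0.113.7 erin@example.com FAIL
2026-02-03T09:01:08Z 203.0.113.7 frank@example.com FAIL
2026-02-03T09:01:09Z 203.0.113.7 grace@example.com FAIL
2026-02-03T09:01:11Z 203.0.113.7 heidi@example.com FAIL
2026-02-03T09:40:00Z 203.0.113.7 ivan@example.com FAIL
"""

def parse(line: str):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def detect_stuffing(log_text: str, window: timedelta = timedelta(minutes=5),
                    min_users: int = 5, max_ok_ratio: float = 0.25) -> dict:
    """Return {source_ip: [accounts that logged in OK]} for each IP that, inside one
    window, tried at least min_users distinct accounts with mostly failures.
    The OK accounts are the payload: they are the credential pairs the attacker now holds."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse(line)
            by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        end = 0
        for start in range(len(events)):
            # Slide the window: events[start:end] are all within `window` of events[start].
            while end < len(events) and events[end][0] - events[start][0] <= window:
                end += 1
            chunk = events[start:end]
            users = {u for _, u, _ in chunk}
            oks = [u for _, u, r in chunk if r == "OK"]
            if len(users) >= min_users and len(oks) / len(chunk) <= max_ok_ratio:
                alerts[ip] = sorted(set(alerts.get(ip, [])) | set(oks))
    return alerts

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))  # {'203.0.113.7': ['bob@example.com']}
```

The thresholds are deliberately loose; in production the same logic runs per identity provider with the window and ratio tuned to that portal's normal failure rate, and the flagged OK accounts go straight to a forced credential reset rather than to a ticket queue.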
- Turning authentication into assurance
- Some products promise to turn authentication into a stronger form of assurance, but the attacker still operates at the boundary between the human and the system, where the weakest decisions are made.
- A robust approach seeks to ensure that authentication decisions do not depend on the user making the right judgment under pressure or fatigue, especially when the prompt can be spoofed or relayed.
- Why legacy MFA cannot interrupt this chain
- Real-time phishing relay attacks, also called adversary-in-the-middle (AiTM), subvert MFA prompts by placing a reverse proxy between the user and the real service.
- The user enters credentials on the spoofed page; the proxy forwards them to the real site, which issues its MFA challenge. The proxy passes the challenge back to the user, who answers it exactly as they would on the legitimate service.
- The real site then returns its session cookie or token to the proxy, not to the user. The attacker now holds a fully authenticated session, while the user believes they have simply logged in as usual.
- Push notifications (number matching included), SMS codes, and time-based one-time passwords (TOTP) all pass through such a proxy unchanged, because none of them is bound to the origin the user is actually looking at, and none of them confirms who is behind the session.
- Automated toolkits that perform these operations are accessible and maintained, making advanced credential abuse a routine risk rather than a rare attack.
- The structural problem legacy MFA cannot solve
- The common remediation—user education—is valuable but incomplete. It addresses user behavior, not the architectural vulnerability.
- Relay attacks do not rely on a user misstep; the MFA prompt itself can be authentic, presented through familiar software and devices.
- The core issue is whether the authentication architecture can prove that the authorized individual was physically present and verified at the moment of authentication.
- Device presence alone (like a phone or hardware token) does not equate to human presence. Conversely, proving human presence must not hinge on user actions that can be manipulated or bypassed.
- What phishing-resistant authentication actually requires
The most widely discussed answer is to adopt FIDO2/WebAuthn passkeys. They are a substantial improvement, and they deliver the first of the properties below outright, but passkeys alone do not close every gap: synced passkeys hand the second property to the sync provider, and the third reaches the relying party only as a user-verification flag, not as proof of which human was present.
For authentication to resist relay and the attacks that follow it, three properties must hold at the same time:
- Cryptographic origin binding: the signed assertion includes the origin the browser is actually connected to, and the relying party rejects any origin but its own, so a spoofed site cannot obtain a signature that the real site will accept.
- Hardware-bound private keys: the signing key is generated in and never leaves secure hardware, so a compromised endpoint cannot export it for use elsewhere.
- Live biometric verification: a real-time check confirms that the authorized individual is physically present at the moment of authentication, rather than relying on a stored template or a device flag that can be replayed or satisfied by whoever holds the device.
Each property closes a different path. Origin binding is what breaks the relay: the proxy's site can only obtain a signature over its own origin, which the real site refuses. Hardware binding means a stolen or malware-infected endpoint yields no credential to reuse. Live biometrics address the remaining case, a legitimate device in the wrong hands. With all three present, a spoofed site cannot complete a valid exchange, a captured assertion cannot be replayed, and possession of the device is not enough.
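The relay described in the previous section and the origin-binding property above, simulated end to end as an added example; this is not code from the original post or from Token. Three constructed parties exchange messages in one process: the real relying party, the victim's browser plus authenticator, and an Evilginx-style proxy on a lookalike domain. The TOTP code passes through the proxy and the real site accepts it; the WebAuthn-style assertion names the lookalike origin in its signed clientData, so the real site rejects it. The origins, the password, and the signature scheme are assumptions: a toy Schnorr signature stands in for the authenticator's ECDSA/Ed25519 key, and the browser's rpId selection is simplified to the page host.

```python
import hashlib
import hmac
import json
import secrets
import struct
import time
# TOTP per RFC 6238 (HMAC-SHA1, 30 s step, 6 digits): the second factor being relayed.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

# Toy Schnorr signature in Z_p^*, p = 2^127 - 1 (a Mersenne prime). Stands in for the
# authenticator's ECDSA/Ed25519 key; parameters chosen for readability, not security.
P, G = 2 ** 127 - 1, 3
Q = P - 1  # ord(G) divides p - 1, so exponents may be reduced mod p - 1
def keygen():
    x = secrets.randbelow(Q - 2) + 1
    return x, pow(G, x, P)

def _e(r: int, msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(r.to_bytes(16, "big") + msg).digest(), "big") % Q

def sign(x: int, msg: bytes):
    k = secrets.randbelow(Q - 2) + 1
    r = pow(G, k, P)
    return r, (k + _e(r, msg) * x) % Q

def verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    return pow(G, s, P) == r * pow(y, _e(r, msg), P) % P

class RelyingParty:
    """The real service (constructed origin). Holds the password, TOTP secret and passkey
    public key registered at enrollment; it never sees the private key."""
    def __init__(self, password: str, totp_secret: bytes, pubkey: int):
        self.origin, self.rp_id = "https://login.example.com", "login.example.com"
        self.password, self.totp_secret, self.pubkey = password, totp_secret, pubkey
        self.pending = set()

    def totp_login(self, password: str, code: str, now: int):
        if password == self.password and hmac.compare_digest(code, totp(self.totp_secret, now)):
            return "session-" + secrets.token_hex(8)
        return None

    def new_challenge(self) -> str:
        c = secrets.token_urlsafe(32)
        self.pending.add(c)
        return c

    def webauthn_login(self, client_data: bytes, auth_data: bytes, sig):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self.pending:
            return None
        self.pending.discard(cd["challenge"])  # challenges are single use
        ok = (cd.get("origin") == self.origin  # origin binding: this field is written by the browser
              and auth_data[:32] == hashlib.sha256(self.rp_id.encode()).digest()  # rpIdHash
              and verify(self.pubkey, auth_data + hashlib.sha256(client_data).digest(), sig))
        return "session-" + secrets.token_hex(8) if ok else None

class Victim:
    """User's browser plus authenticator. The browser fills in origin and rpIdHash from the
    page it is actually showing; nothing the user types can change them."""
    def __init__(self, password: str, totp_secret: bytes, privkey: int):
        self.password, self.totp_secret, self.privkey = password, totp_secret, privkey

    def get_assertion(self, page_origin: str, challenge: str):
        host = page_origin.split("://", 1)[1]  # simplification: rpId taken as the page host
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": page_origin}, separators=(",", ":")).encode()
        auth_data = hashlib.sha256(host.encode()).digest() + b"\x05" + b"\x00\x00\x00\x00"
        sig = sign(self.privkey, auth_data + hashlib.sha256(client_data).digest())
        return client_data, auth_data, sig

PHISH_ORIGIN = "https://login-example.com.attacker.test"  # constructed lookalike domain
def relay_totp(rp: RelyingParty, victim: Victim, now=None) -> bool:
    """Evilginx-style proxy: the victim types password and current TOTP code into the fake
    page; the proxy replays both to the real site inside the 30 s window."""
    now = int(time.time()) if now is None else now
    return rp.totp_login(victim.password, totp(victim.totp_secret, now), now) is not None

def relay_webauthn(rp: RelyingParty, victim: Victim) -> bool:
    """Same proxy against a passkey: it starts a real login, forwards the challenge, and the
    victim approves on the fake page, so the signed clientData names PHISH_ORIGIN."""
    return rp.webauthn_login(*victim.get_assertion(PHISH_ORIGIN, rp.new_challenge())) is not None

def demo() -> dict:
    priv, pub = keygen()
    totp_secret = secrets.token_bytes(20)
    rp = RelyingParty("Winter2026!", totp_secret, pub)  # constructed, reused-style password
    victim = Victim("Winter2026!", totp_secret, priv)
    return {"totp_relay": relay_totp(rp, victim),
            "webauthn_relay": relay_webauthn(rp, victim),
            "webauthn_legit": rp.webauthn_login(*victim.get_assertion(rp.origin, rp.new_challenge())) is not None}

if __name__ == "__main__":
    print(demo())  # {'totp_relay': True, 'webauthn_relay': False, 'webauthn_legit': True}
```

Running it prints the two outcomes side by side. The hardware-bound and live-biometric properties are not modelled, because the relay is already dead at the origin check: the proxy can collect a perfectly good signature, but only over its own origin, and nothing the victim does on the fake page can change what the browser writes into clientData.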
- Token: cryptographic identity that verifies the human, not the device
- TokenCore’s approach is built around verifying the human, not merely the device, credential, or session.
- The platform combines enforced biometrics, hardware-bound cryptographic authentication, and proximity verification to ensure that access is granted only when all three conditions are satisfied.
- This design removes the common bypasses: phishing cannot yield a valid signature over a spoofed domain, replay cannot recreate a session without the private key held in secure hardware, and delegation (handing the device to someone else) fails because every authentication requires a live biometric match.
- The form factor is wireless, typically using Bluetooth proximity to confirm physical presence within a close range, with rapid authentication times.
- For environments with high-privilege access or regulatory requirements, this approach reduces the risk surface associated with traditional tokens and continuous user prompts.
- The honest assessment
- Credential exposure-based attacks will continue to occur, producing downstream authentication challenges across organizations.
- The critical question is whether your authentication architecture relies on human judgment at a vulnerable moment or if it is designed so that human judgment cannot be the failure point.
- Legacy MFA places a human at the final decision point and is susceptible to manipulation under adversarial pressure. This brittleness has driven a need for architectural changes that remove human-based decision points from high-risk access.
- See how a stronger approach closes the gap
- A phishing-resistant, device-agnostic, and human-verified authentication model aims to eliminate opportunities for attackers to exploit the login process.
- By binding credentials to exact origins, keeping signing keys within secure hardware, and requiring live biometric confirmation, organizations can reduce the risk of successful credential abuse.
- A wireless, proximity-based, hardware-backed solution can streamline legitimate access while raising the bar for attackers seeking to impersonate authorized users.
- In high-stakes environments—defense, finance, critical infrastructure—the combination of cryptographic strength, biometric assurance, and physical presence verification creates a much more robust barrier than traditional MFA alone.
- Closing reflection
- The Figure breach illustrates a broader truth: the attack surface for authentication is evolving faster than defensive practices that rely on user prompts and static codes.
- To truly reduce risk, organizations must reassess authentication architecture itself, ensuring that security controls do not depend on the possibility of flawless human judgment.
- The future of secure access lies in systems that verify the human behind the credential, with cryptographic strength, hardware-backed keys, and live biometric validation working in concert to prevent unauthorized use—even when credentials have been exposed.