"MFA Makes Us Safe" — What Multi-Factor Authentication Does and Doesn't Protect Against
Your IT team tells you MFA is enabled. The FTC requires it. You've checked the box. So why does it feel like there's still something missing?
Here's the thing: Microsoft's data shows that MFA blocks 99.9% of automated attacks. That statistic is real, and it's genuinely impressive. But the other 0.1% is where sophisticated attackers operate. For CPA firms handling sensitive client financial data, inheritance accounts, and tax returns, that tiny slice of the threat landscape matters a lot. In 2025, token theft alone accounted for 31% of all Microsoft 365 breaches. And here's the uncomfortable part: 79% of business email compromise cases involved organizations that already had MFA properly implemented.
MFA isn't failing because your IT provider did it wrong. It's working exactly as designed. The issue is that MFA is one layer of security, and sophisticated attackers have learned to work around it. Understanding how requires understanding what MFA actually does and doesn't protect against.
What MFA Actually Protects Against
Give MFA credit where it's due. It stops credential stuffing, where attackers use automated tools to test millions of stolen passwords against your systems. It blocks brute force attacks, where someone tries to guess your password by throwing thousands of attempts at your login page. It makes basic phishing far less effective.
The FTC Safeguards Rule requires MFA for a reason (16 CFR 314.4). Your IT team was absolutely right to implement it. Without MFA, your firm is a sitting duck for these high-volume, low-effort attacks. This is foundational security. Non-negotiable. But it's the foundation, not the ceiling.
Where MFA Falls Short
The workarounds fall into three categories that you need to understand.
MFA Fatigue happens when an attacker has your password and knows it's protected by MFA. They're not trying to guess anything. They simply log in with your correct credentials, triggering an approval notification on your phone. When you see "Approve login from Seattle?" pop up, you might approve it automatically without thinking. But what if the attacker sends ten notifications in a row? Or twenty? At some point, someone taps approve just to make it stop. In 2022, an 18-year-old breached Uber using exactly this technique. He sent dozens of push notifications until an exhausted employee approved one. The attacker was inside, and MFA didn't stop him.
Fake login pages are the front end of what's technically called an "adversary-in-the-middle" attack, and it works like this: an employee gets a link that looks identical to your firm's Microsoft login page. They enter their password. They enter their MFA code. Both are captured in real time by an attacker sitting between them and the real site. The attacker then uses those credentials to log in before the real code expires. Tools like Evilginx automate this process. Research shows 80% of major web services are vulnerable to these attacks. Your MFA code is real and legitimate, but the attacker got it before it mattered.
Session token theft is the one that catches most firms off guard. Here's what happens: you log in with your password and MFA code. Your browser receives a "session token," a small piece of data (usually stored as a cookie) that proves you already authenticated. As long as you have that token, you can access your email, documents, and financial systems without logging in again. That token is valuable. If an attacker steals it through a malicious browser extension, a compromised device, or other means, they can use your account without ever needing your password or MFA code. This accounted for 31% of Microsoft 365 breaches in 2025. You passed through MFA successfully. The attacker just took the ticket on the other side.
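As an added illustration (not code from the original article), here is defender-side detection logic in Python that flags the two patterns just described, MFA fatigue bursts and session-token replay, over a constructed set of sign-in events; the event names, field layout and thresholds are assumptions, not any real product's log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs): time, user, event, ip, session id
SAMPLE_EVENTS = [
    ("2025-06-01T08:00:00", "alice", "mfa_push_denied", "203.0.113.7", None),
    ("2025-06-01T08:00:30", "alice", "mfa_push_denied", "203.0.113.7", None),
    ("2025-06-01T08:01:00", "alice", "mfa_push_timeout", "203.0.113.7", None),
    ("2025-06-01T08:01:40", "alice", "mfa_push_approved", "203.0.113.7", "sess-a1"),
    ("2025-06-01T09:10:00", "bob", "mfa_push_approved", "198.51.100.4", "sess-b7"),
    ("2025-06-01T09:30:00", "bob", "session_used", "198.51.100.4", "sess-b7"),
    ("2025-06-01T09:45:00", "bob", "session_used", "192.0.2.200", "sess-b7"),
]

def parse(events):
    return [(datetime.fromisoformat(t), u, e, ip, s) for t, u, e, ip, s in events]

def mfa_fatigue_bursts(events, min_prompts=3, window=timedelta(minutes=10)):
    """Users who received >= min_prompts push prompts within `window` that ended
    with an approval after at least one denial or timeout: the fatigue pattern."""
    flagged = set()
    by_user = defaultdict(list)
    for t, u, e, ip, s in parse(events):
        if e.startswith("mfa_push_"):
            by_user[u].append((t, e))
    for user, prompts in by_user.items():
        prompts.sort()
        for i, (t0, _) in enumerate(prompts):
            run = [e for t, e in prompts[i:] if t - t0 <= window]
            if (len(run) >= min_prompts and run[-1] == "mfa_push_approved"
                    and any(e != "mfa_push_approved" for e in run[:-1])):
                flagged.add(user)
                break
    return flagged

def session_reuse_from_new_ip(events):
    """Sessions whose token was presented from an IP other than the one that
    completed MFA: the signature of a stolen session token being replayed."""
    origin = {}
    flagged = set()
    for t, u, e, ip, s in parse(events):
        if s is None:
            continue
        if e == "mfa_push_approved":
            origin[s] = ip   # the IP that actually passed MFA for this session
        elif e == "session_used" and s in origin and ip != origin[s]:
            flagged.add((u, s, ip))
    return flagged
```

An IP change alone also happens legitimately (a laptop moving from office Wi-Fi to a phone hotspot), so in practice the session check is a triage signal to combine with device and user-agent context rather than an automatic lockout.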
Not All MFA Is Created Equal
Your firm probably uses SMS codes. They work, but they're the weakest form of MFA. SMS can be intercepted. It's also vulnerable to SIM swapping, where someone impersonates you to your phone provider, transfers your phone number to a new SIM card, and intercepts your codes. The FBI received 982 SIM swap complaints in 2024 with over $26 million in reported losses. In March 2025, T-Mobile agreed to pay $33 million to settle cases where SIM swaps enabled cryptocurrency theft.
Authenticator apps like Google Authenticator or Microsoft Authenticator are significantly better. Time-based codes are harder to intercept than SMS. Features like number matching, which show you details of the login attempt (such as its location) and make you confirm they match what you see in your app, make MFA fatigue attacks much less effective.
Hardware security keys, like YubiKey, are the gold standard. They verify you're actually logging into the real website, not a fake page: the key only answers for the site it was registered with, so a lookalike page gets nothing useful. Adversary-in-the-middle attacks don't work against them. CISA recommends phishing-resistant MFA like FIDO2 for this reason. Most CPA firms should at minimum upgrade from SMS to an authenticator app today.
What You Can Do Today
- Verify MFA is enabled everywhere. Not just email. Your accounting software, your document management system, your client portal, your bank login. Ask your IT provider for a complete audit. One unprotected system is a backdoor for the attacker.
- Ask what type of MFA you're using. If it's SMS, schedule a conversation with your IT provider about moving to authenticator apps or hardware keys. This isn't optional anymore.
- Enable number matching if your system supports it. This feature shows employees the login location and makes them confirm it matches where they intended to log in. It makes fatigue attacks significantly harder to execute.
- Train your team to question unexpected login prompts. If someone sees an approval notification they didn't initiate, it's a rejection, not a pause. No exceptions. A culture of instant approvals is how you get breached.
- Review browser extensions on firm devices. Extensions can steal session tokens. Disable anything that isn't mission-critical. Have a clear policy for what your team can and cannot install.
The Bottom Line
MFA is essential. It's required by the FTC. It's effective against the vast majority of threats. But it's the floor, not the ceiling. Attackers know MFA is everywhere now, so they've learned to work around it. That doesn't make MFA pointless. It makes MFA foundational.
Complete security comes from layers. MFA plus authentication method upgrades. Plus user training. Plus device security. Plus monitoring for suspicious access patterns. Plus regular backups. Plus incident response planning. At SafeGuardGRC, we help CPA firms think about security this way because one strong password, or even one strong MFA implementation, isn't enough. Your data deserves better than a single layer between it and someone else's hands.