Multi-factor authentication (MFA) has become a cornerstone of Australian cyber defence. It features prominently in the Essential Eight maturity model and sits near the top of every ACSC advisory on protecting accounts. The logic is sound: even if an attacker steals a password, they still cannot log in without the second factor. In practice, however, MFA is increasingly being bypassed, and Australian IT teams that treat it as a solved problem are leaving significant exposure on the table.
What MFA actually stops
To understand where MFA fails, it helps to be clear about what it was designed to prevent. Standard MFA blocks credential-stuffing attacks, where stolen username and password pairs are tested at scale across popular services. It also stops basic phishing outcomes where a victim hands over only their password. In those scenarios, MFA genuinely works. An attacker with a valid password but no access to the second factor hits a wall.
The problem is that attackers have adapted. Several bypass techniques are now mature enough to be used in commodity attacks, not just by sophisticated nation-state actors. Australian organisations have felt the consequences in a string of incidents over the past few years, and the trend is worsening in 2026.
MFA fatigue: the social engineering layer
MFA fatigue, sometimes called push bombing, is the most widely observed bypass technique in Australia right now. It works against authentication systems that use push notifications: the attacker, who already has the victim's credentials, triggers a flood of approval requests to the victim's phone. Most people, when confronted with repeated prompts at odd hours, eventually tap "approve" just to make it stop.
The fix is not complicated in principle. Organisations should move from plain push approvals to number matching, where the sign-in screen shows a number that the user must type into the authenticator app, so a prompt the user did not initiate cannot be completed by a reflexive tap, and add context such as the requesting application and approximate sign-in location to the prompt. Microsoft Authenticator, Duo, Okta Verify and most enterprise identity platforms support number matching. Yet many Australian deployments have not been updated, either because the rollout was done years ago and never revisited, or because the change was considered too disruptive to end users.
Phishing-resistant MFA goes further still. FIDO2 hardware keys (such as YubiKeys) and passkeys built into modern devices hold credentials that are scoped to a relying party identifier, in practice the service's domain. The browser will only exercise such a credential on an origin that matches that domain, and the signed response covers both the origin the user was actually on and a fresh challenge issued by the server. An adversary-in-the-middle proxy on another domain therefore cannot obtain a response that the real service will accept, and a captured response cannot be replayed against a later challenge. The ACSC has explicitly recommended phishing-resistant MFA for high-value accounts, and that guidance is worth taking seriously beyond just privileged admin roles.
Adversary-in-the-middle and real-time phishing
A more technically sophisticated bypass is the adversary-in-the-middle (AiTM) attack. Toolkits like Evilginx and Modlishka act as reverse proxies: the victim is directed to a convincing fake login page, enters their credentials and MFA code, and the attacker's proxy forwards everything to the real service in real time. The attacker captures the session cookie that results from a successful login and can reuse it without ever needing the password or MFA code again.
This technique is no longer exotic. It has been packaged into phishing-as-a-service kits available on criminal marketplaces and has been used in attacks against Australian financial services and government-adjacent organisations. The defence is layered: phishing-resistant MFA stops the relay at sign-in, but the session cookie issued after a successful login remains the prize, so organisations also need session token protections including short-lived tokens, binding tokens to the device that obtained them, and anomaly detection on session behaviour such as a token suddenly presented from a different IP address or device.
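The following is an added example, not code from the original article, that works through why the origin binding described above defeats the relay described in this section. It models the three parties in a WebAuthn assertion (authenticator, browser, relying party) with stdlib Python only. Assumptions: the domains example.com and evil.test are invented; HMAC-SHA256 under a per-credential secret stands in for the ECDSA signature a real key would produce (the checks the relying party performs, and the data layout it signs over, follow the WebAuthn structure, but the signature primitive is simplified for the sake of running offline).

```python
import base64
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def rp_id_hash(rp_id: str) -> bytes:
    # WebAuthn authenticatorData begins with SHA-256 of the relying party ID.
    return hashlib.sha256(rp_id.encode()).digest()


class StandInAuthenticator:
    """Models a FIDO2 authenticator holding one credential scoped to rp_id.
    Assumption: HMAC-SHA256 under a device-held secret replaces ECDSA P-256.
    The signed bytes follow WebAuthn: authenticatorData || SHA-256(clientDataJSON)."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.secret = os.urandom(32)   # never leaves the device
        self.sign_count = 0

    def get_assertion(self, origin: str, challenge: bytes):
        # The client (browser) writes the origin it is actually on into clientDataJSON.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": b64url(challenge),
             "origin": origin, "crossOrigin": False},
            separators=(",", ":")).encode()
        self.sign_count += 1
        # rpIdHash (32 bytes) || flags (UP|UV = 0x05) || signCount (4 bytes, big-endian)
        auth_data = rp_id_hash(self.rp_id) + b"\x05" + self.sign_count.to_bytes(4, "big")
        sig = hmac.new(self.secret, auth_data + hashlib.sha256(client_data).digest(),
                       hashlib.sha256).digest()
        return client_data, auth_data, sig


def browser_allows(origin: str, rp_id: str) -> bool:
    """Browser rule: a credential for rp_id is usable only on an HTTPS origin
    whose host is rp_id or a subdomain of it."""
    u = urlparse(origin)
    host = u.hostname or ""
    return u.scheme == "https" and (host == rp_id or host.endswith("." + rp_id))


def verify_assertion(rp_id, expected_origin, issued_challenge, cred_secret,
                     client_data, auth_data, sig) -> str:
    """Relying-party checks in server order; returns 'ok' or the first failure."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "wrong type"
    if cd.get("challenge") != b64url(issued_challenge):
        return "challenge mismatch"        # a replayed or stale response
    if cd.get("origin") != expected_origin:
        return "origin mismatch"           # response was minted on another site
    if auth_data[:32] != rp_id_hash(rp_id):
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user presence not asserted"
    expected = hmac.new(cred_secret, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "bad signature"             # clientDataJSON was edited after signing
    return "ok"


def simulate() -> dict:
    rp_id, real_origin = "example.com", "https://login.example.com"
    proxy_origin = "https://login.example.com.evil.test"   # invented AiTM proxy domain
    key = StandInAuthenticator(rp_id)
    results = {}

    # 1. Legitimate sign-in on the real origin.
    chal = os.urandom(32)
    cd, ad, sig = key.get_assertion(real_origin, chal)
    results["legit"] = verify_assertion(rp_id, real_origin, chal, key.secret, cd, ad, sig)
    results["browser_allows_real"] = browser_allows(real_origin, rp_id)

    # 2. AiTM: the proxy relays the server's challenge, but the browser refuses
    #    to exercise an example.com credential on the proxy's origin at all.
    results["browser_blocks_proxy"] = not browser_allows(proxy_origin, rp_id)

    # 3. Even with a rogue client that skips the browser check, the response
    #    names the proxy origin and the relying party rejects it.
    cd2, ad2, sig2 = key.get_assertion(proxy_origin, chal)
    results["rogue_client"] = verify_assertion(rp_id, real_origin, chal, key.secret, cd2, ad2, sig2)

    # 4. The proxy rewrites the origin field to look legitimate: the signature
    #    covers SHA-256(clientDataJSON), so the edit breaks verification.
    forged = json.loads(cd2)
    forged["origin"] = real_origin
    cd3 = json.dumps(forged, separators=(",", ":")).encode()
    results["tampered"] = verify_assertion(rp_id, real_origin, chal, key.secret, cd3, ad2, sig2)

    # 5. Replaying the genuine response against a fresh challenge fails too.
    results["replay"] = verify_assertion(rp_id, real_origin, os.urandom(32), key.secret, cd, ad, sig)
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name:22} {outcome}")
```

The order of the checks matters in practice: challenge, origin and rpIdHash are cheap comparisons that should fail before any signature work, and a server that skips the origin comparison (or accepts any origin ending in the company name) gives back the very property that makes the credential phishing-resistant.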
SIM swapping and SMS codes
SMS-based one-time passwords remain common in Australian consumer-facing services and are still found in some enterprise deployments. SIM swapping, where an attacker convinces a telco to transfer a victim's mobile number to an attacker-controlled SIM, can defeat SMS MFA entirely. The victim loses service and the attacker receives all incoming texts, including authentication codes.
Australian telcos have improved SIM swap controls in recent years, but the attack still succeeds regularly, often through social engineering of customer service staff. For enterprise environments, SMS MFA should be treated as a legacy configuration to be phased out rather than a baseline control. Authenticator apps offer a meaningful step up; FIDO2 keys offer the most robust protection available today.
How Australian organisations should respond
The practical response is not to abandon MFA; that would be worse. It is to treat MFA as one layer in a defence-in-depth posture rather than a standalone control. A few concrete actions matter most.
- Audit your MFA methods by account tier. Privileged accounts (those with access to sensitive data, cloud management consoles, or administrative functions) should use phishing-resistant MFA. If they currently use push notifications or SMS, that is a gap worth prioritising.
- Enable number matching on push-based MFA. This one change significantly raises the bar against MFA fatigue attacks and requires minimal end-user retraining.
- Review session token lifetimes and binding policies. Long-lived, unbound session tokens are the prize AiTM attacks are hunting for. Shorter lifetimes and Conditional Access or equivalent policies tied to device compliance reduce the window of opportunity.
- Correlate MFA events in your SIEM. A burst of denied or unanswered push prompts followed by an approval, approvals at unusual hours, or a session appearing from an unfamiliar location or device immediately after an MFA event are all detectable signals. Many organisations collect these logs but have not built alerts around them.
- Include MFA bypass scenarios in tabletop exercises. Teams that have not thought through how an AiTM attack would play out in their environment will be slower to recognise and respond to one when it happens.
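As an added example (not from the original article, and not any vendor's query language), here is the correlation logic from the SIEM point above expressed as a small Python detector run over constructed sign-in events. The JSON field names, the sample log lines, the known-IP baseline, the ten-minute window and the threshold of three prior prompts are all assumptions for the example; a real deployment would read the identity provider's own sign-in log schema and tune the numbers to its prompt volume. The local-time check uses a fixed UTC+11 offset standing in for Australian daylight time.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events in a simplified JSON-lines form (assumed field names).
# j.smith: five pushes go unanswered or denied, then one is approved, all from the
# same unfamiliar IP, just before 04:00 local time. The others are normal activity.
SAMPLE_LOG = """\
{"ts":"2026-03-02T16:41:05Z","user":"j.smith","event":"mfa_push","result":"timeout","ip":"203.0.113.7"}
{"ts":"2026-03-02T16:42:10Z","user":"j.smith","event":"mfa_push","result":"denied","ip":"203.0.113.7"}
{"ts":"2026-03-02T16:43:30Z","user":"j.smith","event":"mfa_push","result":"timeout","ip":"203.0.113.7"}
{"ts":"2026-03-02T16:45:01Z","user":"j.smith","event":"mfa_push","result":"denied","ip":"203.0.113.7"}
{"ts":"2026-03-02T16:46:48Z","user":"j.smith","event":"mfa_push","result":"timeout","ip":"203.0.113.7"}
{"ts":"2026-03-02T16:48:12Z","user":"j.smith","event":"mfa_push","result":"approved","ip":"203.0.113.7"}
{"ts":"2026-03-02T22:03:00Z","user":"a.lee","event":"mfa_push","result":"approved","ip":"198.51.100.20"}
{"ts":"2026-03-02T23:10:00Z","user":"r.chen","event":"mfa_push","result":"denied","ip":"198.51.100.21"}
{"ts":"2026-03-02T23:10:40Z","user":"r.chen","event":"mfa_push","result":"approved","ip":"198.51.100.21"}
"""

# Constructed baseline of IPs seen on earlier successful sign-ins per user.
KNOWN_IPS = {
    "j.smith": {"198.51.100.20"},
    "a.lee": {"198.51.100.20"},
    "r.chen": {"198.51.100.21"},
}

# Assumed fixed offset for the example (AEDT); use a proper zone per user in practice.
LOCAL_TZ = timezone(timedelta(hours=11))
NOISY_RESULTS = ("timeout", "denied")


def parse_events(log_text: str) -> list:
    events = []
    for line in log_text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_mfa_fatigue(log_text: str, known_ips: dict,
                       window: timedelta = timedelta(minutes=10),
                       threshold: int = 3) -> list:
    """Flag each approved push preceded by at least `threshold` denied or
    unanswered pushes for the same user inside `window`, and enrich the alert
    with the two other signals from the text: unfamiliar IP and off-hours time."""
    by_user = defaultdict(list)
    for e in parse_events(log_text):
        by_user[e["user"]].append(e)

    alerts = []
    for user, events in by_user.items():
        for i, e in enumerate(events):
            if e["event"] != "mfa_push" or e["result"] != "approved":
                continue
            prior = [p for p in events[:i]
                     if p["event"] == "mfa_push" and p["result"] in NOISY_RESULTS
                     and e["ts"] - p["ts"] <= window]
            if len(prior) < threshold:
                continue
            local_hour = e["ts"].astimezone(LOCAL_TZ).hour
            alerts.append({
                "user": user,
                "approved_at": e["ts"].isoformat(),
                "prior_prompts": len(prior),
                "unfamiliar_ip": e["ip"] not in known_ips.get(user, set()),
                "off_hours_local": local_hour < 6 or local_hour >= 22,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG, KNOWN_IPS):
        print(json.dumps(alert))
```

The same shape translates directly into a scheduled SIEM query: group push events by user, count non-approved results in a trailing window, and join the approval that ends the burst against the user's IP and sign-in-hour baseline. The approval itself is the event worth paging on; a burst of denials without an approval is a user doing the right thing and belongs in a lower-severity queue, as does the single denial from r.chen in the sample.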
The identity layer sits at the heart of most modern attack chains in Australia. Identity-based attacks have overtaken network-layer intrusions as the dominant initial access technique, and MFA bypass is a critical enabler. That does not make MFA a failed control. It makes a poorly configured or outdated MFA deployment a false sense of security, which is potentially more dangerous than knowing you have a gap.
The broader picture for 2026
The ACSC's position has evolved alongside the threat. Guidance now distinguishes between MFA that is phishing-resistant and MFA that is merely present. Australian organisations working toward Essential Eight Maturity Level 2 or above need to understand that difference clearly, because an auditor assessing your MFA posture is no longer satisfied by confirming that MFA is turned on. The question is whether the implementation actually holds up against the attacks being used right now.
For most Australian IT teams, the practical priority is a short, honest audit of where MFA is deployed, what methods are in use, and which accounts are most exposed to bypass techniques. That audit rarely reveals a need to rip everything out. More often, it surfaces a handful of specific configurations that can be tightened without significant disruption, and a clearer picture of where privileged account controls need to be taken more seriously.
