Beyond passwords & MFA: the authentication layer that's still missing
Passwords were designed for mainframes. MFA was designed for web logins. Neither was designed for a world where AI can clone your voice, wear your face, and impersonate you in a live video call. The next authentication layer must verify people, not accounts.
The evolution of authentication
Each era of authentication solved the most pressing security problem of its time. Each was eventually outpaced by the threat landscape. We are now at the boundary of the third era — and the fourth is beginning.
The Password Era
Something you know
Passwords were the first digital authentication mechanism, originating in MIT's Compatible Time-Sharing System in 1961. For four decades, they were the only widespread method. By 2024, the average person manages over 100 passwords. The Verizon DBIR consistently finds that over 40% of breaches involve stolen or weak credentials. Password reuse rates exceed 60% across consumer populations.
The MFA Era
Something you know + something you have
Multi-factor authentication added a second verification layer — typically SMS codes, authenticator apps, or hardware tokens. Microsoft found that 99.9% of compromised accounts didn't use MFA, proving it raises the bar significantly. But MFA protects the login event, not the session or the human interaction. Real-time phishing proxies, MFA fatigue attacks, and SIM swapping now bypass MFA at scale.
The Passkey & Biometric Era
Something you are + something you have
FIDO2/WebAuthn passkeys and device biometrics represent the most phishing-resistant login authentication available. They eliminate passwords entirely for system access. But they still only authenticate a person to a platform. They cannot verify identity over a phone call, in a text message, or on a video conference. The threat model has moved beyond login.
The Peer-to-Peer Authentication Era
Cryptographic proof between two people
Peer-to-peer authentication verifies a person to another person — not to a system. Using shared TOTP secrets stored on each party's physical device, P2P auth provides cryptographic proof of identity across any communication channel: voice, video, text, email, or in person. It is immune to deepfakes, AI voice cloning, and social engineering because it doesn't depend on what someone looks or sounds like — only on a rotating code that cannot be forged.
Five ways attackers already bypass MFA
These are not theoretical vulnerabilities. Each technique has been used in documented, high-profile breaches. MFA raises the floor — but the ceiling has been reached.
Real-time phishing proxies
Tools like EvilGinx2 and Modlishka act as transparent proxies between the victim and the real login page. The user enters their credentials and MFA code — the proxy captures the resulting session token in real time. The attacker inherits a fully authenticated session. No amount of MFA complexity prevents this; the attack captures the output, not the input.
Used in the 2022 Twilio breach, Uber breach, and Cloudflare attack attempt.
MFA fatigue / push bombing
Attackers trigger dozens or hundreds of MFA push notifications to a target's device. Exhausted or confused, the victim eventually approves one — granting full access. Proofpoint research indicates that 78% of organizations experienced MFA fatigue attacks in 2023, and the success rate is disturbingly high.
Used in the 2022 Uber breach. The attacker sent push notifications until the employee approved.
SIM swapping
Attackers social-engineer mobile carriers into transferring a victim's phone number to a new SIM. All SMS-based MFA codes are then delivered directly to the attacker. The FBI IC3 reported $68 million in SIM-swapping losses in 2021, and incidents have accelerated since.
High-profile SIM-swap attacks against cryptocurrency holders, journalists, and executives.
Social engineering past MFA
The attacker calls the target posing as IT support, a bank, or a colleague — then asks them to read out their MFA code, approve a push notification, or click a link that initiates a session. The human is the bypass vector. MFA does not authenticate the identity of the person requesting the code.
Common in vishing (voice phishing) campaigns targeting corporate employees and consumers.
Token theft & session hijacking
Once MFA is completed, the resulting session token can be stolen via malware, browser extensions, or cross-site scripting. Microsoft documented a 111% increase in token theft attacks in 2023. The authentication is valid; the session is stolen after the fact.
Documented in Microsoft's 2023 Digital Defense Report as a rapidly growing attack vector.
The structural blind spot: MFA doesn't verify people
Every MFA bypass technique above is technically interesting. But they obscure the larger, more fundamental limitation: MFA was never designed to verify the identity of a person to another person.
Consider the attacks that cost the most money. The FBI IC3 reports that business email compromise caused $2.9 billion in losses in 2023. In a BEC attack, the attacker sends an email from the CEO's actual account — which passed MFA at login — requesting a wire transfer. The recipient has no mechanism to verify that the person behind the email is actually the CEO. MFA authenticated the account access; it says nothing about who is using the account.
Or consider deepfake video calls. In January 2024, a Hong Kong multinational lost $25 million after an employee participated in a video call with AI-generated deepfakes of the CFO and multiple colleagues. No MFA system in existence can verify whether a person on a video call is real. The call wasn't a login event — it was a human interaction. MFA has no jurisdiction.
This is not a failure of implementation. It is a limitation of architecture. MFA authenticates a person to a system at the point of login. It does not authenticate a person to another person across arbitrary communication channels. The attacks that are growing fastest and costing the most operate in exactly this gap.
What MFA protects
- System login events
- Account access control
- Platform authentication
- Session initiation
What MFA cannot protect
- Phone call identity
- Video call identity
- Text/email sender identity
- In-person impersonation
The next authentication layer doesn't replace MFA. It protects where MFA can't reach.
MFA remains essential for system login security. But it operates at the system boundary — and the most dangerous attacks have moved past that boundary into human-to-human interactions. Peer-to-peer authentication extends the principle of cryptographic verification to the one context no other system addresses: verifying the identity of one person to another.
The technology is not new. TOTP — the algorithm behind Google Authenticator and every major MFA app — is defined in RFC 6238. What is new is its application: instead of proving your identity to a server, you prove it to a person. The shared secret lives on two devices. The code rotates every 30 seconds. No server, no AI, and no deepfake can forge it.
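The exchange described above, as an added example that is not part of the original article or the Real Authenticator app: one contact computes the RFC 6238 code from the shared secret, reads it out over whatever channel is in use, and the other contact recomputes it locally and checks it against the current 30-second step plus one step of clock drift. The secret used here is the RFC 6238 reference-vector secret, chosen only so the output is reproducible; a real pairing would use a random per-contact secret.

```python
import hmac
import hashlib
import struct
import time
from typing import Optional

# Constructed demo secret (the RFC 6238 test-vector secret, ASCII "12345678901234567890").
# In a real peer-to-peer pairing each pair of contacts shares its own random secret,
# provisioned once over a trusted channel and stored only on the two devices.
DEMO_SHARED_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is the prover's side."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step)


def verify_peer_code(secret: bytes, spoken_code: str, unix_time: Optional[int] = None,
                     step: int = STEP_SECONDS, drift_steps: int = 1) -> bool:
    """Verifier's side: accept the code the peer read out only if it matches the current step
    or an adjacent one (small drift tolerance). A match proves possession of the shared secret."""
    if unix_time is None:
        unix_time = int(time.time())
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d), spoken_code)
               for d in range(-drift_steps, drift_steps + 1))


def demo(now: int = 59) -> dict:
    """One exchange at a fixed timestamp so the outcome is reproducible."""
    alice_code = totp(DEMO_SHARED_SECRET, now)                 # Alice reads this out on the call
    return {
        "alice_code": alice_code,
        "bob_accepts": verify_peer_code(DEMO_SHARED_SECRET, alice_code, now),
        "wrong_code_rejected": not verify_peer_code(DEMO_SHARED_SECRET, "000000", now),
        "stale_code_rejected": not verify_peer_code(DEMO_SHARED_SECRET, alice_code, now + 2 * STEP_SECONDS),
    }


if __name__ == "__main__":
    print(demo())
```

Keep the drift window small: every extra step a verifier tolerates is extra time during which a code overheard on the channel remains valid.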
Frequently asked questions
Why is MFA not enough for modern security?
MFA authenticates access to accounts by verifying something you know and something you have. It does not verify the identity of a person in a conversation. The most expensive modern attacks — BEC ($2.9B), deepfake calls ($25M single incident), vishing — succeed by impersonating trusted people, not by breaking into accounts. MFA provides no protection because these attacks don't involve a login event.
What attacks can bypass MFA?
Documented bypass techniques include real-time phishing proxies (EvilGinx2) that capture session tokens, MFA fatigue/push bombing (used in the 2022 Uber breach), SIM swapping that redirects SMS codes ($68M in FBI-reported losses), and token theft (111% increase in 2023 per Microsoft). These are not theoretical — each has been used in major breaches.
Are passkeys better than MFA?
For system login, yes. Passkeys (FIDO2/WebAuthn) are phishing-resistant and eliminate passwords. Google reported 0 successful phishing attacks against security key users. But passkeys authenticate a person to a platform — they cannot verify the identity of a caller, video participant, or message sender. They solve the login problem; they don't solve the impersonation problem.
What comes after passwords and MFA?
The next layer authenticates people to other people using cryptographic proof. Peer-to-peer authentication uses TOTP codes from shared secrets stored on physical devices. It works across any channel — voice, video, text, in person — and is immune to AI synthesis because the verification relies on a device-resident secret, not on appearance or voice.
Does P2P authentication replace MFA?
No. P2P authentication and MFA serve different purposes. MFA protects system login events; P2P auth protects human interactions. They are complementary layers. Use MFA to secure your accounts. Use P2P authentication to verify the humans you communicate with.
Sources & Citations
- 1. Microsoft Digital Defense Report 2024 — 99.9% of compromised accounts lack MFA; 111% token theft increase
- 2. Verizon 2024 Data Breach Investigations Report — 68% human element; 40%+ credential breaches
- 3. FBI IC3 Annual Report 2023 — $12.5B losses; $2.9B BEC; $68M SIM-swapping (2021)
- 4. Proofpoint State of the Phish 2024 — 78% of organizations experienced MFA fatigue attacks
- 5. NIST SP 800-63B: Authentication & Lifecycle Management — Federal authentication assurance levels
- 6. NIST SP 800-63-4 (2024 Draft) — Updated digital identity guidelines
- 7. FIDO Alliance: Passkeys Technical Overview — FIDO2/WebAuthn phishing-resistant authentication
- 8. RFC 6238: TOTP Algorithm — Time-Based One-Time Password standard
- 9. Twilio Security Advisory, August 2022 — MFA bypass via social engineering
- 10. Uber Security Incident 2022 — MFA fatigue attack leading to full compromise
- 11. CrowdStrike Global Threat Report 2024 — 62-minute breakout time; identity-based attacks
- 12. Google Security Blog: Security Keys — 0 successful phishing attacks against security key users
All statistics are sourced from publicly available reports. Real Authenticator is not affiliated with any cited organization.
Know who you're really talking to
In a world of deepfakes and impersonation, Real Authenticator gives you and your trusted contacts a private, unforgeable way to verify identity. Download today — it's free.