Why Your MFA Can Still Be Hacked (How I’d Implement MFA in 2026)

Step 1: Enforce MFA Everywhere (No Exceptions) with Conditional Access

This sounds obvious but it’s still widely missed. I also still see a ton of tenants still leveraging per user MFA settings vs a modern deployment with Conditional Access. Per user settings leave you much more exposed to potential holes as new accounts are created in the organization. 

MFA must apply to:

• All user accounts

• Privileged accounts

• Service accounts with interactive logins

If an account can authenticate, it can be hijacked.

Wherever possible:

• Replace service accounts with managed identities or service principals

• Eliminate shared or “temporary” accounts that never expire

If a login exists, MFA belongs there.

Step 2: Retire SMS/Voice, and Email MFA

SMS, voice calls, and email OTPs should be considered legacy authentication methods.

They’re vulnerable to:

• SIM swapping

• Social Engineering

• Compromise (think of a user leveraging their personal Gmail as their second factor). 

At an absolute minimum, organizations should be using Microsoft Authenticator with number matching. This forces users to confirm a number shown on-screen, dramatically reducing MFA fatigue attacks.

Before disabling old methods, review user registration data carefully, ripping them out without a plan will cause outages and support tickets.

Step 3: Move to Phishing-Resistant MFA

This is where MFA finally catches up to modern threats.

Phishing-resistant MFA includes:

• Windows Hello for Business

• FIDO2 security keys

• Passkeys (including iPhone and Android support)

These methods use device-bound cryptographic keys instead of shared secrets.

Even if a user lands on a perfect fake login page:

• The authentication cannot complete

• The key won’t sign a request for the wrong origin

• Token replay fails

This single change breaks AiTM attacks entirely.

Start with:

• Global admins

• Executives

• Finance and high-impact roles

Then expand outward in phases.

Step 4: Don't forget Guest Users

Many breaches don’t start with internal users; they start with partners and suppliers.

Guest users often have access to:

• Teams

• SharePoint

• Sensitive documents

If their account is compromised, your tenant becomes the blast radius.

Best practices:

• Enforce MFA for guest users

• Review external access regularly

• Treat long-term partners differently than one-off guests

A single compromised guest account is enough to trigger an AiTM chain reaction.

Step 5: Understand Token Protection (and Its Limits)

Microsoft has introduced token protection controls in Conditional Access (included in P1) designed to stop replay attacks and they’re promising.

However, today they are:

• Limited in scope

• Windows-only

• Restricted to mobile and desktop clients

• Not effective against browser-based AiTM attacks

Token protection is worth piloting, but it is not a silver bullet yet. Check out more in my post here: Breaking Down Token Protection In Conditional Access

Final Thought

If your MFA strategy hasn’t changed in the last few years, it’s already behind.

Attackers have evolved.
Your identity security needs to evolve with them.