The Verizon 2024 Data Breach Investigations Report found that 80% of breaches occur because of stolen credentials. That’s why 61% of organizations are looking to go passwordless in 2025.
As bad as stolen passwords are—and they’re really bad—they aren’t the only problem. Cybercriminals have industrialized attacks:
- Malware-as-a-Service (MaaS) has skyrocketed by 4,000%, per Outseer, which also found that mobile banking traffic now accounts for 85% of digital banking transactions, making financial services a prime target.
- AI-driven identity threats are escalating. In Japan, attackers are using deepfakes and social engineering to impersonate fluent Japanese speakers and deceive help desks into resetting credentials.
- The Darcula phishing kit offers a new take on phishing-as-a-service (PhaaS) that allows cybercriminals to “simply copy and paste any URL into the interface…and the platform will spit out a fully fledged phishing kit,” per Dark Reading.
And despite multi-factor authentication (MFA) adoption increasing across sectors, attacks aren’t slowing down. As Ant Allan from Gartner puts it, “MFA is an increasingly outdated way of thinking. What’s important is how credentials can be combined with recognition, affirmation, and risk signals to provide sufficient trust in an identity claim.”
MFA was supposed to stop attacks. So what’s happening?
Recent breaches show that traditional MFA alone isn’t stopping attackers:
- MGM Resorts reported $100 million in damages after attackers used stolen Okta credentials to social-engineer their way past MFA, causing one of the biggest cyber disruptions in hospitality history.
- Hackers exploited insecure APIs to bypass authentication controls at the U.S. Treasury Department.
- A flaw in Microsoft Azure MFA caused an authentication bypass vulnerability that left “millions of accounts susceptible to unauthorized access,” per Infosecurity Magazine.
So, what’s the answer? Modern authentication.
Modern authentication is passwordless by default, risk-aware, and continuously adaptive. It integrates user and access information, context, and risk signals to authenticate users dynamically—not just at login, but throughout the entire session.
Unlike legacy and traditional MFA, modern authentication is designed to meet the optimal maturity level of Zero Trust as defined by NIST. Modern authentication must meet these criteria:
- Stronger security without passwords—removing shared secrets that attackers exploit
- Continuous identity validation—leveraging risk signals, device context, and behavior analytics
- Works everywhere, for everyone—whether on-premises, cloud, or hybrid, modern authentication must secure all users, all devices, and all environments
1. End-to-end secure
Phishing resistance isn’t enough. A modern authentication solution must be resistant to malware, fraud, brute-force attacks, bypass techniques, and outages, all of which have contributed to recent breaches.
Key considerations:
- Does your authentication method protect against session hijacking and stolen session tokens?
- Can it prevent MFA prompt bombing and credential stuffing?
- Is it resilient in case of an outage—or will your organization be locked out?
2. End-to-End Passwordless
Traditional MFA still relies on passwords. In most cases, it falls back to a password-based method for setup, credential recovery, or other stages in the identity lifecycle. Users tend to enter passwords first to begin an MFA challenge, to enroll for MFA at the outset, and to reset MFA if needed. That’s a problem, because threats like malware, password spray, and MFA bombing can still exploit the underlying root password.
Passwordless should really mean exactly that. A modern authentication approach should eliminate passwords completely and it should include:
- Hardware and/or mobile passkey for all users
- Modern auth for servers, mainframes, and IT infrastructure
- Multiple passwordless options for desktop logon to Windows and macOS
- Passwordless OTP fallback for everything else.
So ask yourself, does your authentication solution actually remove passwords, or does it just layer security on top of them?
3. Works everywhere and for everyone
Enterprises operate across cloud, hybrid, and on-premises environments. Any authentication strategy that isn’t infrastructure-agnostic creates security gaps.
Questions to ask:
- Does your authentication solution work across all platforms (Windows, macOS, Linux, mobile, on-prem servers)? How about legacy applications?
- Is it resilient? Can it support hybrid failover and offline access in critical scenarios?
- Does it scale across all users, including employees, contractors, and privileged admins?

The future of authentication isn’t just phishing-resistant MFA. Instead, it’s passwordless, resilient, and secure across the entire identity lifecycle.
Organizations with mission-critical operations need solutions that protect against AI-driven threats, deepfakes, and credential bypass techniques, remain available despite third-party outages, and sustain authentication policies throughout the entire identity lifecycle. In short, they need modern passwordless authentication.
Ready to rethink your authentication strategy? It’s time to embrace a modern, end-to-end approach.