
MFA in 2026: When Yesterday's Multi Factor Authentication Isn't Enough

Shireen Stephenson. Published October 16, 2023. Updated March 12, 2026.
Key takeaways: The evolution of MFA
  • 84% of compromised accounts had MFA enabled when attacked. Legacy MFA is no longer sufficient.  
  • Small businesses with up to 25 employees have an MFA adoption rate of just 27%, which means most small teams don’t have a meaningful second layer of authentication, let alone a modern one. 
  • Classic MFA – SMS codes and TOTP apps – can’t protect against Adversary-in-the-Middle (AiTM) attacks, which relay your password and code to the real site and capture the session cookie it issues once you’ve authenticated. 
  • The solution isn’t to abandon MFA. It’s to upgrade to phishing-resistant, adaptive MFA built on FIDO2 and biometrics, the standard attackers can’t yet bypass at scale. 
  • LastPass Business Max combines adaptive MFA, unlimited SSO, and SaaS Monitoring in a single browser-based platform at just $9 per user/month, purpose-built for businesses that don’t have dedicated security teams. 

The moment you turned on two-factor authentication, you made a bet: that a six-digit code texted to your phone could keep attackers out of your business.

In 2018, that bet was solid.

But now, you suspect there's a growing blind spot in enterprise security. And you aren't imagining it: The MFA you trusted last year is no longer enough.

Today, we talk about what's changed and the simple shift that closes the gap fast.

MFA: What's the real threat no one's talking about?

The real threat is that attackers are bypassing MFA and actively targeting human behavior.

They're now focused on stealing session cookies after you authenticate, not before.

And they employ multiple techniques to steal those tokens:

  • Adversary-in-the-middle (AiTM) phishing: Let's say you get an account-related message that appears to come from Microsoft Support. Concerned, you click the link, which lands you on a counterfeit Microsoft 365 login page served by the attacker's reverse proxy. Everything you type, including your password and the MFA code or push approval, is relayed to the real Microsoft sign-in in real time. When Microsoft issues the session cookie, the proxy keeps a copy and forwards you to the genuine Microsoft 365 portal, so you're none the wiser. The attacker then replays your valid session cookie from their own machine, and because that cookie is the proof of an already completed MFA, no second prompt appears.
  • OAuth device authorization flow exploitation: This campaign abuses the OAuth 2.0 Device Authorization Grant. The attacker starts the flow for a client application, receives a user code, and talks you into entering that code on the legitimate Microsoft device-login page. Because you're on the real domain, your password and MFA complete normally, but the access and refresh tokens are issued to the attacker's client, giving persistent access to your cloud apps and resources until the tokens are revoked. If nobody in your tenant needs the device code flow, block it with a Conditional Access policy and alert on device-code sign-ins.
  • Supply chain SaaS compromise: In August 2025, a group tracked as UNC6395 stole OAuth tokens from Salesloft's trusted Drift chatbot integration and used them to walk into the Salesforce environments of 700+ organizations. The breach didn't stop at Salesforce. Because the stolen OAuth tokens connected to every app integrated with Salesloft, the attackers also reached Slack, Google Workspace, Amazon S3, and other cloud storage platforms. The list of companies hit read like a "who's who" of the security industry: Zscaler, Cloudflare, Palo Alto Networks, Google, Tenable, Proofpoint, BeyondTrust, Bugcrowd, and CyberArk.
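
The thread running through all three is that the stolen artifact is a session cookie or OAuth token, not a password, so the useful signal on the defender's side is a session turning up somewhere the login never happened. The following is an added example, not code from LastPass or any vendor referenced here, written in Go over a constructed batch of sign-in events (the line format and field names are an assumption, not any product's schema): it pairs each MFA success with later uses of the same session ID and flags any use from a different network (ASN) within ten minutes of that MFA. It generalizes the Microsoft 365 story above to any identity provider whose logs carry a session identifier.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// Constructed sample sign-in events (not real vendor logs; the field names are an assumption).
const sampleLog = `2026-03-10T09:00:05Z mfa_success user=ann@example.com session=s-101 ip=203.0.113.10 asn=AS64500
2026-03-10T09:00:40Z session_use user=ann@example.com session=s-101 ip=203.0.113.10 asn=AS64500
2026-03-10T09:01:12Z session_use user=ann@example.com session=s-101 ip=198.51.100.77 asn=AS64501
2026-03-10T09:05:00Z mfa_success user=bob@example.com session=s-102 ip=192.0.2.44 asn=AS64502
2026-03-10T09:20:00Z session_use user=bob@example.com session=s-102 ip=192.0.2.44 asn=AS64502
`

type event struct {
	ts     time.Time
	kind   string
	fields map[string]string
}

// Alert describes one session cookie seen from a network other than the one that completed MFA.
type Alert struct {
	User, Session, IssuedASN, UsedASN string
	Delay                             time.Duration
}

func parseLine(line string) (event, error) {
	parts := strings.Fields(line)
	if len(parts) < 2 {
		return event{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return event{}, err
	}
	ev := event{ts: ts, kind: parts[1], fields: map[string]string{}}
	for _, kv := range parts[2:] {
		if k, v, ok := strings.Cut(kv, "="); ok {
			ev.fields[k] = v
		}
	}
	return ev, nil
}

// FindReplayedSessions flags any session used from a different ASN than the one that passed
// MFA, within `window` of that MFA event. A cookie captured by an AiTM proxy is typically
// replayed from the attacker's infrastructure seconds to minutes after the victim logs in.
// ASN rather than raw IP keeps mobile carriers and office NAT from causing false positives.
func FindReplayedSessions(logText string, window time.Duration) ([]Alert, error) {
	issued := map[string]event{} // session id -> the mfa_success event that minted it
	var alerts []Alert
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		ev, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		sid := ev.fields["session"]
		switch ev.kind {
		case "mfa_success":
			issued[sid] = ev
		case "session_use":
			origin, ok := issued[sid]
			if !ok {
				continue // MFA event not in this batch; nothing to compare against
			}
			delay := ev.ts.Sub(origin.ts)
			if delay <= window && ev.fields["asn"] != origin.fields["asn"] {
				alerts = append(alerts, Alert{User: ev.fields["user"], Session: sid,
					IssuedASN: origin.fields["asn"], UsedASN: ev.fields["asn"], Delay: delay})
			}
		}
	}
	return alerts, sc.Err()
}

func main() {
	alerts, err := FindReplayedSessions(sampleLog, 10*time.Minute)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("ALERT %s session %s: MFA from %s, reused from %s after %s\n",
			a.User, a.Session, a.IssuedASN, a.UsedASN, a.Delay)
	}
}
```

Run as is and the only alert is for ann@example.com: her session was minted behind AS64500 and reused 67 seconds later from AS64501, which is exactly what a proxied login looks like from the server side. In production you would feed the same function your identity provider's sign-in export and tune the window and the ASN or geo comparison to how mobile your users really are.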

Now, think about your business. How many SaaS apps does your team use? Every SaaS app your team connects to with a work login is a potential entry point.

And without visibility into how those apps are accessed and who's accessing them, you're trusting that every vendor in your supply chain has perfect security.

The Salesloft-Drift breach proved that assumption is no longer safe to make.

History of Multifactor Authentication: When did MFA start?

MFA has been around for about 40 years: In 1986, Security Dynamics (the company that later became RSA Security) introduced the first code-generating key fob token.

On its LCD screen, the fob, sold as the RSA SecurID token, displayed a numeric code that changed every 60 seconds, which users appended to their passwords. RSA SecurID is widely considered the first commercially available 2FA system.

Large, security-conscious firms used this MFA method throughout the 1990s.

It was, however, a huge expense for small businesses due to:

  • Per-token hardware costs
  • Licensing fees
  • The expense and operational burden of deploying and maintaining an authentication server

In the early 2000s, these large firms began adopting public key cryptography for authentication: the user holds a private key that never leaves their card or device, and the server holds only the matching public key, so no shared secret travels over the wire.

However, smaller businesses also found this solution impractical and unaffordable.

The turning point was the smartphone. Once smartphones became mainstream, people suddenly had access to more convenient 2FA solutions, receiving codes via email or SMS.

For small businesses, this was a genuine breakthrough. MFA no longer required expensive hardware or IT expertise. Anyone with a phone could deploy MFA – and it worked well for many years.

Then, the hacks started stacking up.

The 2010s: Why did the "Lock Down Your Login" presidential campaign launch?

The Lock Down Your Login presidential campaign launched in 2016 after a number of high-profile breaches, such as the 2014 Yahoo hack that saw 500 million email accounts compromised.

The attacks led President Obama to issue his Cybersecurity National Action Plan (CNAP) and his key initiative, Lock Down Your Login.

Going all in, the National Cyber Security Alliance (NCSA) and 35+ companies supported the campaign with decisive actions:

  • Facebook championed safer logins and stronger authentication with promotional videos, media tours, and a blog series.
  • Google spotlighted Lock Down Your Login across its services and Security Checkup tool.
  • Mastercard threw its weight behind biometric authentication to make consumer payments both safe and simple.
  • The FIDO Alliance, the Electronic Transactions Association (ETA) and the National Cyber Security Alliance (NCSA) jointly hosted a "Future of Authentication Policy" Day.
  • Square integrated strong MFA protections into its merchant tools, such as the ability to require a second layer of verification for sensitive actions like changing a linked bank account or password.

As a result, many everyday users embraced the President's message, and MFA adoption climbed.

Before long, smartphones began supporting face and fingerprint authentication.

The problem? Adoption never reached most small businesses. A large number didn't use MFA and hadn't planned on implementing it.

And among those who did, the chosen methods, such as SMS codes, were already being exploited by attackers intent on a payday.

Things haven't improved much since the 2010s.

In 2025, the MFA adoption rate for small businesses was just 27%. For medium-sized businesses, it was 34% (JumpCloud).

The arms race has only gotten fiercer, and right now, the bad guys are outspending most small firms, pouring millions into custom exploits and AI-driven attacks.

The 2026 problem: Has multifactor authentication evolved to keep pace with the newest threats?

The short answer is: The technology has, but most small businesses are still running the version that hasn't.

This is where the story gets uncomfortable if you feel like you've done the right thing.

First, there are at least 11 well-documented Adversary-in-the-Middle (AiTM) phishing kits currently in circulation. These aren't sophisticated nation-state tools.

They're commercial Phishing-as-a-Service platforms that any would-be cybercriminal can rent for a few hundred dollars a month.

This includes kits like Tycoon 2FA, EvilProxy, and Mamba 2FA.

All three leverage malicious proxy techniques to intercept credentials and MFA codes.

In 2024, Microsoft warned that AiTM attacks had risen by 146%.

So, this isn't a distant enterprise threat. Small businesses like yours are increasingly in the crosshairs. And the businesses at risk right now are the ones who installed 2FA three years ago and haven't thought about it since.

The shift to passwordless: What does modern, effective multifactor authentication actually look like?

Textbook MFA combines at least two of three factor categories: something you know (a password), something you have (a phone or a hardware key), and something you are (a fingerprint or face). Basic 2FA is the two-factor case, and adding a third factor does not by itself make a login harder to phish.

But in 2026, even that framework has evolved. The meaningful distinction is now between phishable MFA and phishing resistant MFA:

  • Phishable MFA includes SMS codes, email codes, and TOTP authenticator apps. Each produces a short secret (the code) that you type into whatever page is in front of you, so a proxy sitting between you and the real site can relay it unchanged and log in as you.
  • Phishing-resistant MFA includes FIDO2 passkeys (synced or device-bound) and hardware security keys. Both rely on public key cryptography: the private key is generated on your device and only the public key goes to the server. With a hardware security key, the private key stays inside the key's secure element; with a synced passkey, it is end-to-end encrypted by the passkey provider (Google Password Manager or iCloud Keychain, for example) before it is synced to your other devices. What defeats AiTM is not only that the key never travels, but that the browser binds every sign-in to the website's real origin: it will only use a credential registered for the domain you are actually on, and the data it signs includes that origin, so a proxy on a lookalike domain either gets no response at all or gets a signature the genuine server rejects. Note what this does not cover: a session cookie or OAuth token stolen after a successful login, whether by malware on the endpoint or through the device code trick above, is still usable, which is why session monitoring and token revocation remain necessary.
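
To make the origin-binding argument concrete, here is an added example (written for this article, not LastPass code and not a WebAuthn library) that models the three parties in Go with the standard library's Ed25519: an authenticator that holds the private key, a browser that fills in the origin it is really on, and a relying party that checks challenge, origin and signature. The hosts login.example.com and login.example-com.net and the function names are constructed for the walkthrough. It covers the AiTM case described earlier, where a proxy relays the real server's challenge to a victim on a lookalike domain: the browser finds no credential for that host, and even an assertion forced through with the real key carries the phishing origin inside the signed clientDataJSON, so the server rejects it. Real WebAuthn also signs authenticatorData (RP ID hash, flags, signature counter); that is left out to keep the origin check in focus.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)
// Constructed relying party and phishing host for this walkthrough (assumptions).
const rpID, phishOrigin = "login.example.com", "https://login.example-com.net"
// clientData mirrors WebAuthn's clientDataJSON: the browser fills it in, the authenticator signs over it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// authenticator keeps private keys that never leave it, keyed by RP ID (the site's host).
type authenticator struct{ creds map[string]ed25519.PrivateKey }

// Enroll creates a credential scoped to rpID; only the public key goes to the server.
func Enroll() (*authenticator, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &authenticator{creds: map[string]ed25519.PrivateKey{rpID: priv}}, pub
}

// sign returns (clientDataJSON, signature); real WebAuthn also signs authenticatorData (RP ID hash, flags, counter).
func sign(priv ed25519.PrivateKey, origin, challenge string) ([]byte, []byte) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	h := sha256.Sum256(cd)
	return cd, ed25519.Sign(priv, h[:])
}

// Assert models browser+authenticator: origin is whatever page the user is really on, and only a credential registered for that host can be used.
func (a *authenticator) Assert(origin, challenge string) ([]byte, []byte, error) {
	u, err := url.Parse(origin)
	if err != nil {
		return nil, nil, err
	}
	priv, ok := a.creds[u.Hostname()]
	if !ok {
		return nil, nil, errors.New("no credential registered for " + u.Hostname())
	}
	cd, sig := sign(priv, origin, challenge)
	return cd, sig, nil
}

// Verify is the relying party's side: expected challenge, expected origin, then the signature.
func Verify(pub ed25519.PublicKey, challenge string, cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("challenge mismatch or wrong ceremony type")
	}
	if cd.Origin != "https://"+rpID {
		return fmt.Errorf("origin %q is not the relying party", cd.Origin)
	}
	if h := sha256.Sum256(cdJSON); !ed25519.Verify(pub, h[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}

func newChallenge() string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand: never returns an error as of Go 1.24
	return fmt.Sprintf("%x", b)
}

// LoginFrom runs one ceremony with the browser on origin: the real server issues the challenge, the page (proxied or not) hands it to the browser, and the result goes back to the server.
func LoginFrom(a *authenticator, pub ed25519.PublicKey, origin string) error {
	ch := newChallenge()
	cd, sig, err := a.Assert(origin, ch)
	if err != nil {
		return err
	}
	return Verify(pub, ch, cd, sig)
}

// RelayForgedOrigin: even a tampered client that signs with the real credential while on the phishing page produces a clientDataJSON whose origin gives it away.
func RelayForgedOrigin(a *authenticator, pub ed25519.PublicKey) error {
	ch := newChallenge()
	cd, sig := sign(a.creds[rpID], phishOrigin, ch)
	return Verify(pub, ch, cd, sig)
}

func main() {
	a, pub := Enroll()
	fmt.Println("legitimate login:", LoginFrom(a, pub, "https://"+rpID))
	fmt.Println("AiTM proxy on phishing origin:", LoginFrom(a, pub, phishOrigin))
	fmt.Println("relayed forged-origin assertion:", RelayForgedOrigin(a, pub))
}
```

Contrast this with the TOTP case: the only thing the server can check there is the six-digit string, and the string the victim typed into the phishing page is exactly what the proxy forwards. Here the proxy can forward the challenge, but it cannot change which origin the browser writes into clientDataJSON or which credential the browser is willing to use, and both are checked before the signature is.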

Ultimately, phishing-resistant FIDO2 passkeys and hardware security keys represent a genuine leap forward for MFA.

And for the first time, LastPass Business Max puts these controls within reach of any small business.

How does LastPass Business Max fit into the multifactor authentication story?

If you're a 500-person company with a SOC, a comprehensive SSPM (SaaS Security Posture Management) platform like Obsidian Security offers application posture management, identity security, and data governance all within a single platform.

But if you're a small business with 5, 25, or 75 people – and no dedicated security team – you need a different kind of solution. One that gives you the most impactful controls without the enterprise complexity or price tag.

LastPass Business Max was built for exactly that reality. It offers you:

Passwordless authentication with FIDO2 passkeys and hardware security keys – the specific upgrade that stops AiTM attacks at the source

Legacy MFA such as SMS codes is vulnerable to AiTM phishing because it transmits a secret that proxies can intercept and relay.

With FIDO2 support, LastPass enables your employees to authenticate securely across all devices. The private key is either bound to a hardware key or kept in local secure storage, and the browser ties every sign-in to the site's real origin, so passkeys and hardware security keys can't be relayed through an AiTM proxy on a lookalike domain.

Adaptive MFA that evaluates the context of logins

LastPass MFA layers biometric and contextual intelligence onto every access attempt, assessing the device, location, and login patterns before granting access.

Legitimate users get frictionless logins, while suspicious sign-ins get blocked. This is the kind of ongoing evaluation static SMS codes can never provide.

SaaS Monitoring that gives you visibility into the layer the Salesloft-Drift breach exposed

The Salesloft attackers exploited trusted integrations that had been granted broad permissions.

For the first time, LastPass gives small businesses visibility into that layer.

LastPass SaaS Monitoring:

  • Lets you see which third-party apps hold active connections to your system, so you know your attack surface
  • Surfaces weak or compromised credentials across your SaaS stack, reducing your risk of the initial vendor compromise that leads to token theft
  • Gives you awareness to act faster – if a vendor breach is announced, you know immediately which of your employees are connected and can prioritize response

This isn't a complete solution to token theft but is the most practical combination of protections available to small businesses today. And you can try it right now with a free Business Max trial (no card required).

From visibility to action with SaaS Protect

Once you see the problem, SaaS Protect (another Business Max capability) lets you act on it.

You can block risky apps, guide users towards vetted tools, and respond to credential alerts before they escalate.

This is the capability that closes the loop between knowing a risky integration exists and doing something about it, all without requiring an incident response team to execute.

Unlimited SSO

LastPass Business Max includes unlimited SSO, connecting your apps to a single identity layer secured by phishing-resistant FIDO2 MFA. This means one secure login to everything, which significantly reduces the unguarded access points attackers routinely exploit.

Agentless, browser-based SaaS Monitoring

Business Max runs through the browser extension your team likely already uses. Your admins get visibility and control, your employees enjoy frictionless logins, and you get peace of mind.

The Salesloft breach affected the world's top security companies with full security teams, with trusted integrations acting as a backdoor.

Business Max gives you visibility into those integrations or SaaS apps, but here's the real question:

What happens if you don't solve high-risk access within 90 days?

Business Max caters to lean IT teams that prioritize security and require features like passwordless logins and SaaS Monitoring to protect sensitive data.

If you're still figuring out whether you need such features, download our free Cyber Resilience playbook authored by renowned cybersecurity expert Dr. Chase Cunningham ("Dr. Zero Trust") and commissioned by LastPass.

You get a clear, actionable framework tailored for businesses with limited resources and lean security teams.

But if you're already committed to phishing-resistant security, here's the link to grab a demo, so our experts can walk you through how Business Max would work for your specific scenario.

"Every runner knows that your fastest mile is not your first. If you start your race too quickly, you’ll burn out before seeing the finish line. Cybersecurity is the same; it can’t be fixed overnight by a single product or patch. Maintaining robust protection requires consistent effort, regular patching, and ongoing vigilance — that’s how you go the full distance. The first step is making sure essentials — strong password hygiene, robust multi-factor authentication, and heightened phishing awareness — are squared up."
Stephanie Schneider, Cyber Threat Intelligence analyst at LastPass
Sources

Obsidian Security: Token-based attacks: How attackers bypass MFA

New America: Getting internet companies to do the right thing

Cyber Defense Magazine: Has MFA had its day?

System Tek: The history of MFA (2025)

Asee.io: History of authentication (from zero to hero)

The Record: Salesloft: Hacker broke into systems in March through GitHub account (2025)

SOC Radar: Everything you need to know about the Salesloft breach (2025)

Cyber Management Alliance: Salesloft-Drift attack: One compromised integration shakes 700+ cos (2025)

CBS News: The White House wants you to ditch your password and "lock down your login"

AWS Marketplace: Obsidian SaaS Security Platform

FAQs: The evolution of MFA

Is there a free trial of LastPass Business Max?

Yes, LastPass offers a 14-day free trial for Business Max with no credit card required. You get full access to adaptive MFA, SaaS Monitoring, SaaS Protect, and unlimited SSO, enough time to see exactly what’s happening in your environment and make a fully informed decision. 

Remember: Only 27% of SMBs have MFA security policies in place. If you’re reading this, you’re already ahead of most. A two-week trial costs nothing and could change the security posture of your business in ways that actually hold up against 2026 threats.

How many SaaS apps does my team actually use?

Most small businesses can’t accurately answer this question. And that’s exactly where attackers are looking.

Employees sign up for AI, design, and productivity apps without IT approval. These apps store sensitive data, connect to other systems, or use the same credentials as your core business accounts.

Attackers have already identified this unmonitored SaaS layer as a high-value target because it’s frequently less protected than primary business accounts.

SaaS Monitoring (a Business Max capability) identifies every app accessed with corporate credentials, flagging risky or unapproved tools, and surfaces credential reuse before it becomes a breach. If you don’t have a tool actively watching your SaaS environment, your business is exposed.

How much does MFA cost for a small business?

The range is wide. Free authenticator apps (Google Authenticator, LastPass Authenticator, and Microsoft Authenticator) cost nothing and provide basic TOTP protection.

They’re better than nothing but offer no admin controls, centralized policy management, or visibility into your SaaS environment.

For business-grade MFA, costs typically fall between $6 and $9 per user/month, depending on the features. LastPass Business Max is $9 per user/month (billed annually) and includes advanced MFA, unlimited SSO, SaaS Monitoring, and SaaS Protect in a single plan.

IBM’s 2025 Cost of a Data Breach report puts the average cost of a breach at $4.44 million, and for small businesses, even a fraction of that is often catastrophic. MFA delivers massive ROI when benchmarked against the cost of a breach.

Is legacy MFA enough on its own?

No, and this is the most important answer you’ll get today.

Legacy MFA offers you much better protection than passwords alone, but it isn’t a silver bullet. The AiTM attacks described above prove this.

As long as authentication is treated as a trust guarantee, attackers will continue to exploit legitimate access paths. 

The real challenge in 2026 isn’t stopping logins but recognizing when trusted access starts behaving like an intrusion.

Effective small business security in 2026 begins with phishing-resistant FIDO2 MFA, SaaS visibility, and credential monitoring, exactly what LastPass Business Max delivers in a single plan.

How does LastPass SaaS Monitoring compare with Obsidian SSPM?

LastPass SaaS Monitoring offers credential security and SaaS visibility, whereas Obsidian's SSPM is a full-scale SaaS security platform providing deep posture management, identity threat detection, configuration hardening, and third-party integration governance.

Think of it like this:

LastPass protects the keys (credentials and access to apps)

Obsidian protects the house (your SaaS systems, app configurations, and app-to-app data movements)

Using both gives you: Secure access + deeper protection

How LastPass SaaS Monitoring complements Obsidian SSPM

Primary role

  • LastPass SaaS Monitoring: Manages credentials and governs risky SaaS logins
  • Obsidian SSPM: Secures SaaS platforms, including configurations, identities, and integrations
  • How LastPass complements Obsidian SSPM: Provides the first line of defense by reducing credential-based SaaS risks before they enter the environment

What it watches

  • LastPass SaaS Monitoring: User logins, credential usage, and risky SaaS and AI apps employees may try to access
  • Obsidian SSPM: Monitors user behavior inside SaaS apps, misconfigurations, over‑privilege, and data movement
  • How LastPass complements Obsidian SSPM: LastPass reduces risky logins BEFORE Obsidian analyzes deeper SaaS activity

In other words, LastPass monitors access at the login stage and enforces app access rules (block/warn/allow), while Obsidian tracks what happens inside and between apps after access is granted — making the two complementary.

This raises a further question: for SMBs, does LastPass SaaS Monitoring delay the need for full SSPM spend?

For an informed answer, I sat down with Lou DeLillo (LastPass Senior Principal Solutions Consultant), who explained:

"Most people don't realize SSPM solutions focus on known, sanctioned apps. The discovery of unsanctioned SaaS is a separate — often earlier stage — risk. If you aren't sure what apps employees are logging into and what password hygiene looks like across those apps, then posture management inside of SaaS tools (e.g. Salesforce or M365) isn't your dominant risk yet. For many SMBs, LastPass SaaS Monitoring addresses a more immediate risk than SSPMs can: the lack of visibility into unsanctioned SaaS usage, where credential exposure and access risk often begin."

What’s the best MFA tool for small businesses in 2026?

For small businesses in 2026, the best MFA tools support phishing-resistant FIDO2 MFA, policy enforcement without high labor costs, and SaaS visibility. LastPass Business Max scores well across all three.

In 2026, LastPass was recognized as a top product in the G2 Best Software Awards category. This reflects real validation from business users who trust LastPass as a comprehensive Secure Access solution.

Business Max is also agentless; it runs through your existing LastPass browser extension with no infrastructure changes required.

Other MFA tools worth evaluating include Duo Security, Microsoft Entra ID, and Okta, each strong in different contexts, though they tend to be more complex to deploy for smaller teams.
