Quick: what do teenage hackers have to do with MFA attacks?
The answer may surprise you. The archetype of the young, savvy hacker is no longer confined to Hollywood scripts and movie screens – it's become eerily prophetic. According to Experian’s 2025 12th Annual Breach report, the average age of a cybercriminal is now 19 (versus 37 for other types of crime).
The availability of sophisticated phishing kits and automated AI tools has made MFA bypass attacks increasingly accessible to a wider range of attackers. This includes teen hackers who are often underestimated but can be highly persistent in their efforts.
As the nature of hacking evolves, the risks grow. Below, we talk about how these hackers are bypassing MFA, why you should care, and what you can do about it.
It’s 2025: Is MFA still necessary?
In January 2025, Spanish authorities arrested an 18-year-old hacker who was responsible for 40 cyber-attacks against the U.S. military and NATO allies.
The teen allegedly breached critical databases and used several tools to stay hidden.
So, how was a teenage hacker able to access sensitive military assets belonging to the world’s most advanced nations?
Again, the answer may surprise you.
In 2023, a U.S. government email server containing references to U.S. Special Operations Command (USSOCOM) was found unsecured. And in November 2024, sensitive data belonging to nearly 1.2 million U.S. and UK military personnel was exposed on a dating app.
The common theme with these two high-profile incidents? Neither platform was password-protected or had MFA enabled.
In the civilian world, as many as 165 Snowflake customers had their data exposed in April 2024 after a hacker group used stolen credentials to breach their accounts. The lack of MFA was also a significant factor in the success of the attacks.
The above stories underline the importance of a defense-in-depth solution when it comes to securing critically sensitive data.
To that end, MFA adds an extra layer of security to prevent unauthorized access. So, is MFA still necessary in 2025? The answer is yes – but not all MFA solutions are created equal.
Types of multi-factor authentication (MFA)
First, let’s talk about the different types of MFA:
| MFA type | How it works |
| --- | --- |
| SMS-based MFA | A code or OTP (one-time password) is sent to your registered mobile phone. This is the code you enter on the login page to verify your identity. SMS-based MFA is the least secure form of MFA, as the generated codes can be intercepted by threat actors. |
| Email-based MFA | This is like SMS-based MFA, only the code or OTP is sent to your registered email address. |
| Authenticator apps | This includes apps like Microsoft Authenticator and LastPass Authenticator. The app creates a six-digit code which changes every 30 seconds. This is the code you’ll enter on the login page. The app and the website you’re accessing are synced, which means they both “know” what the correct code should be at any given time. |
| PKI-based MFA | Both government-issued CAC (Common Access Card) and PIV (Personal Identity Verification) cards are forms of PKI-based MFA. Access to government information systems and federal buildings is based on PKI certificates and private keys stored on the chip of the card. |
| Biometric authentication | This type of MFA uses fingerprints, facial recognition, voice recognition, or retinal scans for authentication. Because biometric data is unique to each person, this MFA method is difficult for hackers to manipulate. |
| FIDO2-based MFA with cryptographic hardware keys or tokens | These keys or tokens are small, lightweight physical devices separate from client devices. FIDO2-supported MFA is the strongest form of MFA you can set up for your business, as it’s phishing-resistant and eliminates the sending of OTPs through text messages. |
How hackers are bypassing MFA: Five MFA attacks your business should watch for
As MFA attacks rise, one thing is clear: the type of MFA you use matters.
Attackers are leveraging increasingly sophisticated methods to circumvent traditional MFA protections.
Below, we discuss five (5) of the most common types of attacks. By understanding how attackers bypass MFA, you can better prepare and implement the right solutions to protect your business.
#1 SIM swapping
In this type of attack, also known as SIM hijacking, attackers trick mobile carriers into transferring your phone number to a SIM card or eSIM they control. This allows them to intercept every MFA OTP (one-time password) you receive on your phone. SIM swapping attacks saw a 38% increase in the first quarter of 2025.
#2 Social engineering & phishing
In 2025, attackers are leveraging AI to create sophisticated phishing emails that closely resemble legitimate corporate email. New social engineering techniques include embedding malicious QR codes in PDF documents and exploiting Microsoft Teams to execute real-time social engineering attacks.
The goal is to send victims to a fake login page, where they are encouraged to enter their username and password. After the victim enters those credentials, they are prompted for the second factor of authentication.
When all factors are collected, the attacker will hijack the victim’s account and shut off all access.
#3 MFA fatigue attacks
This type of MFA attack overwhelms users with an avalanche of MFA push notifications. By sending repeated MFA requests, attackers hope that users will approve one out of frustration – Twilio employees were spammed with MFA push messages in 2022.
That same year, Uber admitted it had been hacked by LAPSUS$, a teen hacker group. One of its members (an 18-year-old) sent similar MFA push requests to an Uber contractor, who ultimately authenticated one of them. This gave the teen access to Uber’s network, where they posted vulgar images on the company-wide Slack channel.
In 2023, a UK court found the 18-year-old guilty of hacking into Uber and costing the company nearly $3 million in damages.
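The pattern in both the Twilio and Uber cases is visible in authentication logs before the approval lands: one user receives a burst of push prompts in a short span, then approves one. The following is an added example of a detector for that pattern, not LastPass code. The JSON-lines log format and the field names (`ts`, `user`, `event`, `src_ip`) are assumptions; the sample lines are constructed to show a push-bombed user (`alice`) next to a normal login (`bob`). Map the field names onto whatever your identity provider actually emits.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Added example (not LastPass code): flag MFA push-fatigue bursts in an IdP log.
WINDOW_SECONDS = 300  # sliding window over which prompts are counted (assumed tuning)
PUSH_THRESHOLD = 5    # prompts within the window that count as a burst (assumed tuning)

# Constructed sample log, chronological JSON lines. Field names are assumptions.
SAMPLE_LOG = """\
{"ts": "2025-03-01T02:14:05Z", "user": "alice", "event": "push_sent", "src_ip": "203.0.113.9"}
{"ts": "2025-03-01T02:14:11Z", "user": "alice", "event": "push_denied", "src_ip": "203.0.113.9"}
{"ts": "2025-03-01T02:14:30Z", "user": "alice", "event": "push_sent", "src_ip": "203.0.113.9"}
{"ts": "2025-03-01T02:14:35Z", "user": "alice", "event": "push_denied", "src_ip": "203.0.113.9"}
{"ts": "2025-03-01T02:15:02Z", "user": "alice", "event": "push_sent", "src_ip": "203.0.113.9"}
{"ts": "2025-03-01T02:15:40Z", "user": "alice", "event": "push_sent", "src_ip": "203.0.113.9"}
{"ts": "2025-03-01T02:16:10Z", "user": "alice", "event": "push_sent", "src_ip": "203.0.113.9"}
{"ts": "2025-03-01T02:16:44Z", "user": "alice", "event": "push_sent", "src_ip": "203.0.113.9"}
{"ts": "2025-03-01T02:16:51Z", "user": "alice", "event": "push_approved", "src_ip": "203.0.113.9"}
{"ts": "2025-03-01T02:20:00Z", "user": "bob", "event": "push_sent", "src_ip": "198.51.100.7"}
{"ts": "2025-03-01T02:20:08Z", "user": "bob", "event": "push_approved", "src_ip": "198.51.100.7"}
{"ts": "2025-03-01T03:30:00Z", "user": "alice", "event": "push_sent", "src_ip": "198.51.100.7"}
"""


def parse_line(line: str) -> dict:
    """Parse one JSON log line; timestamps are UTC in ISO-8601 'Z' form."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect_push_fatigue(lines, window: int = WINDOW_SECONDS, threshold: int = PUSH_THRESHOLD):
    """Return alerts: one 'medium' alert when a user's prompt count first reaches the
    threshold inside the window, and one 'high' alert for every approval that arrives
    while that burst is still live. Denied prompts are not counted as approvals."""
    recent = defaultdict(deque)   # user -> push_sent timestamps still inside the window
    in_burst = set()              # users currently at or above the threshold
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        user, ts, event = rec["user"], rec["ts"], rec["event"]
        q = recent[user]
        while q and (ts - q[0]).total_seconds() > window:   # evict prompts that aged out
            q.popleft()
        if len(q) < threshold:
            in_burst.discard(user)                           # burst has cooled off
        if event == "push_sent":
            q.append(ts)
            if len(q) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append({"user": user, "severity": "medium", "prompts": len(q),
                               "ts": ts.isoformat(), "src_ip": rec.get("src_ip"),
                               "reason": f"{len(q)} push prompts within {window}s"})
        elif event == "push_approved" and user in in_burst:
            alerts.append({"user": user, "severity": "high", "prompts": len(q),
                           "ts": ts.isoformat(), "src_ip": rec.get("src_ip"),
                           "reason": "approval during a push burst; treat as a likely fatigue compromise"})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(alert["severity"].upper(), alert["user"], alert["ts"], alert["reason"])
```

The high-severity alert is the one worth paging on: an approval after five or more prompts in five minutes is the Uber scenario, and the session it created should be revoked while someone checks with the user. Number matching or a deny-and-report button on the push prompt removes the "approve out of frustration" path that this detector is watching for.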
#4 Adversary-in-the-middle attacks
This type of attack usually begins with a phishing email that redirects the unsuspecting user to a fake login page hosted by a malicious proxy server. After the user enters their username and password, the proxy server forwards the user’s request to the legitimate website.
It then captures any session cookies it receives from that website. With the stolen cookies, the attacker can bypass any MFA protections set by the user.
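The relay described above works against passwords and OTPs because neither is tied to the site the user is actually looking at. A FIDO2 security key (the phishing-resistant option in the table earlier) is different: the browser writes the page's real origin into the client data that the key signs, and the legitimate site checks that origin before accepting the login. The following is an added example of that server-side check, not LastPass code and not a complete WebAuthn implementation. The relying party `example.com`, its allowed origins, and the `.invalid` phishing domain are constructed; the final signature verification over `authenticatorData || SHA-256(clientDataJSON)` happens after these checks and is left to a WebAuthn library here.

```python
import base64
import hashlib
import json
import secrets

# Added example (not LastPass code): the WebAuthn relying-party checks that defeat an
# adversary-in-the-middle proxy, applied to a FIDO2 login ("get") ceremony.
RP_ID = "example.com"                                          # assumed relying-party ID
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}  # assumed


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def new_challenge() -> str:
    """Server issues a fresh random challenge per login attempt; it is single-use."""
    return b64url_encode(secrets.token_bytes(32))


def browser_client_data(challenge: str, origin: str) -> bytes:
    """What the browser places in clientDataJSON. The page cannot choose `origin`;
    the browser fills in the origin of the page that called navigator.credentials.get(),
    so a proxy serving the page from its own domain gets its own domain recorded here."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def authenticator_data(rp_id: str) -> bytes:
    """Minimal authenticatorData: rpIdHash (32 bytes) + flags (UP|UV = 0x05) + signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (0).to_bytes(4, "big")


def verify_assertion(expected_challenge: str, client_data_json: bytes, auth_data: bytes,
                     rp_id: str = RP_ID, allowed_origins=ALLOWED_ORIGINS):
    """Relying-party checks that precede signature verification. Returns (ok, reason)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not secrets.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") not in allowed_origins:
        return False, f"origin {cd.get('origin')!r} not allowed"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    # Next step in a real RP: verify the key's signature over
    # auth_data + sha256(client_data_json) with the credential's registered public key.
    # Because the origin is inside the signed bytes, a proxy cannot rewrite it.
    return True, "ok"


if __name__ == "__main__":
    challenge = new_challenge()
    # Legitimate login: the user is really on https://example.com.
    print(verify_assertion(challenge, browser_client_data(challenge, "https://example.com"),
                           authenticator_data(RP_ID)))
    # Relayed login: the user's browser is on the proxy's (constructed) domain, so even
    # if an assertion were produced for the relayed challenge, its origin is wrong.
    print(verify_assertion(challenge, browser_client_data(challenge, "https://login-example.invalid"),
                           authenticator_data(RP_ID)))
```

In practice the browser stops this even earlier: it refuses to run the ceremony when the relying-party ID (`example.com`) is not a registrable suffix of the page's domain, so the key never signs anything for the proxy. The server-side origin check is the second line that catches the relay if the first is ever misconfigured. Note that this protects the login step only; session cookies issued after a successful login still need their own protections (short lifetimes, binding to the client where the platform supports it, and revocation when a burst of suspicious activity is seen).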
#5 IP address or geo-whitelisting
Many organizations whitelist specific locations or IP addresses to allow approved users to bypass MFA. This promotes easier access for employees working from diverse locations. However, this practice comes with a security risk: Attackers can use location spoofing or VPN services to skip the MFA requirement, as well.
The easy, step-by-step method to set up MFA for your business
To begin, you’ll want to identify which accounts to secure with MFA.
Next, you’ll want to choose the type of MFA to deploy. CISA recommends FIDO2-based MFA with hardware keys as the gold standard for MFA.
The best hardware keys on the market include YubiKey, Google Titan Security Key, HID Crescendo Key Series, and Nitrokey Storage 2.
Here’s a general step-by-step guide for setting up a YubiKey on any website, platform, or app:
- First, choose a YubiKey-compatible service or platform.
- Next, log in to your account, and navigate to the security settings.
- Look for an option to add a security key and select it.
- When prompted, insert your YubiKey into a USB port.
- Follow the on-screen instructions, which may include touching the YubiKey sensor or button.
- Once your YubiKey is registered, the website will confirm the successful setup.
- You’ll want to test the login process with your YubiKey to ensure it works correctly.
- Repeat the above steps for other websites you’d like to secure with your YubiKey. And that’s it!
Powerful LastPass MFA options let you outsmart a new generation of hackers
While other password managers limit your MFA options, LastPass offers you a wide range of MFA providers that support hardware key authentication. For example, our RSA SecurID Access option works with YubiKey to provide phishing-resistant authentication for your business.
Check out the list of MFA options LastPass supports:
LastPass provides superior security while streamlining the login process for your business. But don’t take our word for it. Listen to what our fans are saying:
"What LastPass does well are its multi-factor authentication options. Ultimately, they have the most of all password managers. The kicker is that you can use several authentication options. You can even enable them all and be required to use the TOTP app, biometrics, PIN, and smart card – all at the same time." - Cyber New Review
In 2025, G2 has again chosen LastPass as its top pick for password management. And the accolades don’t end there: G2 users give LastPass high marks as the second easiest passwordless authentication software to use, behind only Microsoft Entra ID.
But while Microsoft Entra ID is geared towards larger enterprises, LastPass MFA solutions work for ALL organizations, including SMBs.
So, if the newest MFA-based attacks have you concerned, don’t fret. You can experience the same peace of mind enjoyed by millions of our customers by signing up for a free, no-obligation trial of LastPass Business today (no credit card or commitment required).