In the evolving cyber arms race, bad actors have turned to sophisticated tools like Rockstar 2FA, a phishing-as-a-service kit capable of bypassing multi-factor authentication (MFA) on widely trusted platforms such as Microsoft 365 and Google Workspace. This attack method resets the cybersecurity landscape, exposing pre-MFA vulnerabilities and proving that even advanced authentication methods are no longer a silver bullet for security. As cyber threats evolve at an unprecedented pace, businesses find themselves at a crossroads in balancing technological innovation with holistic identity security strategies. The question organizations must now ask is no longer whether MFA should be in place but whether it is enough, properly configured, monitored effectively, and a part of a broader defense strategy.
As 2025 nears, the proliferation of AI-embedded SaaS applications amplifies the challenges of managing human and non-human identities, driving a surge in identity-driven breaches. To navigate this evolving landscape, businesses need to rethink their approach to identity and access management (IAM), and extend their approach beyond MFA to include centralized monitoring, anomaly detection, and real-time remediation.
CEO and Co-Founder of Valence Security.
The problem with MFA in 2025
MFA undoubtedly raises the bar for some attackers, yet organizations often mistake its implementation for complete, set-it-and-forget-it security. It reduces the probability of an attack, but think a few steps down the line and it becomes clear that MFA does little to stop breaches if not configured properly or if monitoring and detection mechanisms are inadequate.
For years, MFA has been heralded as the best defense against phishing. However, its growing adoption has motivated attackers to find new ways to exploit its weaknesses. One key vulnerability lies in session token abuse. Once a user grants second-factor access in a browser session, the resulting session tokens — captured via phishing attacks — can be reused to bypass MFA entirely. Even the most junior cybercriminals exploit these tokens to mimic legitimate user activity, rendering MFA protections useless after an initial breach.
Failing to address these gaps has significant implications, from operational disruption to potential regulatory fines and reputational damage. The bottom line is that today’s threat actors don’t need widespread success; they only need one vulnerable entry point to compromise entire systems.
What’s worse, phishing-as-a-service kits like the previously mentioned Rockstar 2FA make this process seamless. Attackers leverage automation and brute force to identify users who can be tricked and have their credentials or session tokens stolen. The result? Undetectable campaigns that sidestep MFA without triggering alarms.
Identity-based threats beyond MFA
While identity-based attacks affect every industry, cybercriminals gravitate toward targets that promise the highest returns — financial services organizations, legal departments, and C-suite executives. These roles often have elevated privileges and access to critical data, making them ideal targets for phishing campaigns.
Compounding the issue, the rapid adoption of SaaS and AI has introduced a critical yet overlooked vulnerability: non-human identities. Unlike human users, these machine-based identities — service accounts, OAuth tokens, and third-party integrations — cannot perform MFA. They rely instead on static authentication methods, such as API tokens or embedded credentials, which are significantly less secure. This vulnerability was starkly highlighted in a recent browser extension attack campaign where attackers used consent phishing to bypass MFA protections. By tricking victims into authorizing a malicious OAuth application through legitimate Google authentication flows, the attackers gained access without triggering MFA prompts, exploiting the static nature of machine-based authentication.
Consider the number of apps integrated into a single employee’s account — Calendly linked to Microsoft 365, Slack connected to Salesforce, and AI tools with access to sensitive business data. These machine identities often carry privileges equivalent to human users, but their proliferation makes them difficult to monitor and control. We’ve found the ratio of non-human identities to human ones at almost 10-to-1. Each integration introduces another point of exposure, and poor oversight creates easy openings for intelligent attackers. Organizations must trust that AI vendors secure their tokens effectively, but this trust is often misplaced. Attackers frequently target these third-party tokens to bypass MFA protections, exploiting the trust users place in vendors. Breaches at vendor systems have repeatedly enabled attackers to compromise tokens, using them as entry points to infiltrate customers’ systems and access sensitive data.
Decentralized administration: a hidden weakness
Decentralized administration poses yet another risk, especially within organizations using dozens of SaaS applications.
With disparate platforms under a company’s corporate umbrella — like Salesforce managed by sales teams, Workday by HR, HubSpot managed by the marketing team, and GitHub by developers — security often becomes an afterthought. Admins, focused on immediate business needs, may disable security configurations temporarily to resolve workflow bottlenecks. These short-term fixes can lead to long-term security risks, such as misconfigured MFA or excessive privileges, which attackers eagerly exploit.
The challenge lies in scale. Each SaaS platform defines MFA and security controls differently, requiring deep expertise to manage configurations effectively. Without centralized oversight, organizations lose visibility into their security posture, creating opportunities for breaches.
Actionable steps to bolster defenses
Looking ahead, the battle against phishing and identity-based threats will require a multi-layered approach to security:
Adopt stronger MFA solutions: Organizations must move beyond phone-based 2FA to advanced methods like biometrics or hardware-based security keys, which are far more resistant to phishing.
Centralize identity management: Consolidate administration under a single framework to enforce consistent security configurations and policies across SaaS applications, reducing misconfigurations and unauthorized access.
Enhance visibility and monitoring: Implement tools that provide continuous visibility into both human and machine identities, detecting anomalies in real time. Continuously audit configurations to detect drift from secure states.
Prioritize training and awareness: Educate employees and administrators to recognize phishing attempts and avoid risky configurations. rain business teams to prioritize security and avoid temporary “workarounds” that compromise long-term defenses.
The adoption of AI and SaaS is inevitable, but so are the threats they introduce. To stay ahead, businesses must recognize that MFA alone is insufficient. By combining advanced authentication, centralized monitoring, and proactive policies, organizations can defend against the phishing arms race of 2025. MFA may no longer be the silver bullet, but with the right defenses, it can be a key component of a more holistic identity strategy.
We’ve featured the best business VPN.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
