2025-12-11

The quiet threat of 'good enough' MFA

SMS MFA will not save you. Neither will TOTP. Here's what we're telling customers in 2026.

Priya Nair 5 min read

Multi-factor authentication is not a checkbox. In 2026, 'good enough' MFA is actively harmful: it lets organizations believe they're protected while shipping an exploitable surface.

The current state

SMS and TOTP are trivially phishable with modern adversary-in-the-middle kits. The kits are cheap, the infrastructure is disposable, and the telemetry is weak.

What works

Hardware-bound keys. Device-bound passkeys. Enforced at every entry point.

What to actually do this quarter

Audit your MFA inventory. Find the factors you can phish. Replace the top three.
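One way to run that audit over an enrollment export, as an added example rather than the author's own tooling. The CSV columns, the factor labels and the sample rows are constructed assumptions; the phishable/resistant split follows the article, and any factor the article does not classify is set aside for manual review.

```python
import csv
import io
from collections import defaultdict

# Classification follows the article: SMS and TOTP are phishable; hardware-bound
# keys and device-bound passkeys are not. Labels are assumed, not a vendor schema.
PHISHABLE = {"sms", "totp"}
RESISTANT = {"hardware_key", "device_bound_passkey"}

# Constructed sample export: one row per (user, entry point, accepted factor).
SAMPLE_INVENTORY = """user,entry_point,factor
alice,vpn,sms
alice,sso,hardware_key
bob,vpn,sms
bob,sso,totp
bob,sso,device_bound_passkey
carol,sso,totp
carol,helpdesk,sms
dave,vpn,totp
dave,sso,hardware_key
erin,sso,push
erin,vpn,sms
"""

def audit(inventory_csv):
    exposed = defaultdict(set)       # (entry_point, factor) -> users phishable there
    unclassified = defaultdict(set)  # factor -> users, needs manual review
    factors_at = defaultdict(set)    # (user, entry_point) -> factors accepted
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        user, entry = row["user"], row["entry_point"]
        factor = row["factor"].strip().lower()
        factors_at[(user, entry)].add(factor)
        if factor in PHISHABLE:
            exposed[(entry, factor)].add(user)
        elif factor not in RESISTANT:
            unclassified[factor].add(user)
    # A strong factor does not help while a phishable one is still accepted
    # at the same entry point: the login can be downgraded to the weak factor.
    downgradable = sorted(k for k, f in factors_at.items()
                          if f & PHISHABLE and f & RESISTANT)
    ranked = sorted(exposed.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    top_three = [(entry, factor, len(users)) for (entry, factor), users in ranked[:3]]
    return top_three, downgradable, {f: sorted(u) for f, u in unclassified.items()}

if __name__ == "__main__":
    top_three, downgradable, unclassified = audit(SAMPLE_INVENTORY)
    print("Replace first:", top_three)
    print("Strong factor enrolled, weak factor still accepted:", downgradable)
    print("Unclassified factors to review:", unclassified)
```

The ranking is by affected user count per entry point and factor; weight it by account privilege instead if your export carries that field.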