Your MFA Is Not Two-Factor—It’s SMS and a Prayer
Every day, millions of people type their passwords into login screens and then wait for that reassuring ding of a text message to arrive. It feels like security in action—an extra step, a secret code, a moment of confirmation that the system is keeping intruders out. This ritual has become so normalized that we barely question it anymore. The text arrives, we copy the digits, and for a fleeting second, we believe our accounts are shielded by a second layer of protection. It’s comforting, convenient, and familiar. But comfort is not the same as security, and attackers see something very different when they look at that same flow. To them, SMS-based multi-factor authentication isn’t a fortress. It’s a thin speed bump on a fast highway.
What we call multi-factor authentication is supposed to rest on the idea of combining two very different types of evidence—something we know, like a password, and something we have, like a physical token or device. In practice, SMS takes that second factor and dilutes it into little more than a string of numbers delivered by a third-party network that was never designed to guarantee security. The “something you have” isn’t your phone. It’s your phone number, a fragile identifier managed by a carrier help desk that can be persuaded, tricked, or exploited. That fragility turns the entire system upside down.
We often hear multi-factor authentication explained in simple terms: something you know, something you have, and something you are. A password fits neatly into the “know” bucket, a hardware key or authenticator app belongs in the “have,” and biometrics represent the “are.” On the surface, SMS one-time codes appear to fall into that second category. After all, you need your phone in your pocket to receive the text. But that assumption is deceptive. You don’t really control your phone number the way you control a physical key. Instead, your carrier does, and their systems are designed to make it easy to transfer that number to another device when customers upgrade, switch providers, or claim they’ve lost access. Attackers exploit that very convenience. By convincing or manipulating a carrier, criminals can take over the “possession” factor without ever touching your physical phone. What we treat as proof of control is really proof of billing, and it is astonishingly easy to falsify.
This creates a mismatch between the theory of MFA and the reality of telecom-driven authentication. The entire idea of “two factors” is meant to ensure that compromising one does not automatically compromise the other. Yet when a carrier reset can simultaneously reset access to your number and intercept the second factor, the distinction collapses. Attackers don’t need to break into a hardened device or bypass encryption; they just need to work the phone company’s customer support playbook. There are countless examples of this in the wild—high-profile social media accounts, cryptocurrency wallets, and even corporate administrator dashboards all compromised because an attacker convinced someone at a carrier to move a number. These are not isolated incidents. They are patterns, repeated over and over, precisely because SMS is trusted as a second factor when it behaves more like a brittle extension of the first.
Despite these weaknesses, SMS remains popular. Companies cling to it because it’s simple to deploy, requires no extra hardware, and comes built into the onboarding flows of most identity providers. For businesses, it reduces friction: no app downloads, no training, no complaints about usability. For regulators, it checks the box labeled “MFA enabled,” which often suffices for compliance. The problem is that security should not be judged by ease of deployment or regulatory paperwork. Attackers don’t stop at the phrase “MFA enabled.” They probe deeper, looking for what kind of MFA stands in their way, and whether it can be phished, forwarded, or reset with a phone call. By that standard, SMS repeatedly fails. The conversation we should be having is not whether multi-factor is present, but whether it is resistant to the very real-world techniques adversaries use every day. That shift—from presence to resilience—is the difference between theater and true defense.
Ultimately, the speed and accessibility of real-time phishing show just how unsuited SMS is for the modern threat landscape. Organizations assume that requiring a six-digit code blocks brute force or credential stuffing attacks, and in some cases it does. But against motivated adversaries using live relay systems, it barely slows them down. The more successful these real-time phishing kits become, the more they spread, lowering costs and making them ubiquitous in criminal toolkits. Users are told to look for the lock icon, check the URL, and be cautious, but under pressure and routine, even vigilant people can be deceived. With automation closing the timing gap, the advantage lies firmly with the attacker. SMS isn’t just phishable—it is phished at scale, every single day.
The human element—MFA fatigue—is often the easiest path for attackers to exploit. Attackers know that the cleverest technical controls will fail if humans are worn down, distracted, or rushed. Prompt bombing, where an adversary floods a user with repeated push notifications or OTP requests, is a simple psychological trick that exploits annoyance and decision fatigue. After dozens of pings, a user tired of the noise may hit “approve” just to stop it, especially if the prompts come during a busy workday or late at night. This isn’t ignorance so much as cognitive overload: people default to the quickest action that ends the discomfort. Prompt bombing turns security into an irritant, and in doing so it weaponizes the very behavior security teams dread—users taking the path of least resistance. Technical mitigations like rate-limiting approvals help, but they don’t eliminate the core problem: human beings under stress will often make the pragmatic choice, not the secure one.
MFA fatigue succeeds because attackers layer social pressure on top of technical nuisance. A carefully timed phone call, an urgent Slack DM, or a spoofed calendar invite can give an approval request a veneer of legitimacy. Imagine getting an urgent call from “IT” while your phone is ringing with approval prompts — the pressure to comply multiplies. Attackers use scripts that mimic corporate tone and processes, and when combined with voice spoofing or cloned audio, they can sound disturbingly authentic. This multiplies the effectiveness of fatigue attacks because the user no longer sees the notification as random noise but as part of a coordinated request that seems authoritative. Training alone won’t erase the reflex to follow perceived authority, particularly when the supposed authority appears to be a known voice or email address. The human mind values social proof and compliance, and attackers exploit those heuristics mercilessly.
Help desks and support workflows are fertile soil for human-targeted breaches. When users are hassled by constant MFA prompts, their instinct is to call for help — and that call often goes to a human agent with limited verification options. Attackers exploit poorly designed support flows by pretending to be locked-out employees or panicked executives, and they rely on sympathetic agents to reset authentication or port numbers. Many organizations still use insecure fallback checks like knowledge-based questions or SMS resets that interplay disastrously with fatigue attacks. Even if help desk teams are trained, stress, quotas, and imperfect verification processes create windows of opportunity. The most secure authentication methods become irrelevant if a single support call can undo them. Redesigning support flows to require stronger verification — and building friction into resets for sensitive accounts — is essential to reduce this vector.
Psychology, not just technology, defines the success of many MFA attacks. Attackers study work rhythms, timezone behaviors, and typical meeting schedules to time their prompts when users are most likely to respond without careful thought. A push at the start of a long meeting or during a commute leverages divided attention; an approval ping during a deadline leverages stress. Moreover, normal workplace behavior — responding quickly to executive requests, helping a colleague, or doing a quick triage — becomes a liability when attackers imitate those scenarios. This is why behavioral protections that look for anomalous sequences of approvals or unusual geographic login patterns are valuable: they elevate suspicion when human cues would otherwise lull defenders into complacency. But detection has to be timely and paired with thoughtful user experience design; otherwise, it’s just another alert that adds to fatigue.
Technical mitigations can blunt fatigue attacks, but they must be implemented carefully to avoid replacing one problem with another. Number-matching — where the authenticator shows part of the login attempt and asks the user to confirm a number — raises the bar by forcing the user to compare context, not just tap approve. Device binding ties approvals to a specific device fingerprint or attestation, which helps prevent foreign devices from gaining legitimacy. Rate limiting, push throttling, and requiring re-authentication for repeated suspicious approvals reduce the attacker’s ability to bombard users. However, each of these measures can increase complexity for users and generate support tickets if rolled out without thoughtful communication. The balance is delicate: add too much friction and users will seek workarounds; add too little and attackers exploit human fallibility. The right mix combines context-aware controls with clear user messaging and progressive enforcement.
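The rate-limiting, push-throttling and anomalous-approval-sequence controls described in the fatigue paragraphs above are straightforward to express in code. The following is an added example, not code from the original post or from any identity provider: it parses a constructed push-authentication log (the `user=… event=… ip=…` line format is an assumption made for this example), flags users who approved a prompt after a burst of pushes, and replays the same log through a server-side throttle that refuses to send further pushes once a per-user cap is hit, forcing a step-up instead.

```python
"""Detect MFA prompt bombing in push-authentication logs and throttle prompts.

Added example. The log format below is constructed for illustration:
'<ISO-8601 UTC timestamp> user=<id> event=<push_sent|approved|denied|expired> ip=<addr>'
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: alice receives six pushes in under four minutes and finally
# approves (the fatigue pattern); bob has a normal single prompt and approval.
SAMPLE_LOG = """\
2024-05-01T02:10:05Z user=alice event=push_sent ip=203.0.113.7
2024-05-01T02:10:40Z user=alice event=expired ip=203.0.113.7
2024-05-01T02:10:45Z user=alice event=push_sent ip=203.0.113.7
2024-05-01T02:11:20Z user=alice event=denied ip=203.0.113.7
2024-05-01T02:11:25Z user=alice event=push_sent ip=203.0.113.7
2024-05-01T02:12:00Z user=alice event=expired ip=203.0.113.7
2024-05-01T02:12:05Z user=alice event=push_sent ip=203.0.113.7
2024-05-01T02:12:40Z user=alice event=expired ip=203.0.113.7
2024-05-01T02:12:45Z user=alice event=push_sent ip=203.0.113.7
2024-05-01T02:13:20Z user=alice event=denied ip=203.0.113.7
2024-05-01T02:13:25Z user=alice event=push_sent ip=203.0.113.7
2024-05-01T02:13:50Z user=alice event=approved ip=203.0.113.7
2024-05-01T09:00:00Z user=bob event=push_sent ip=198.51.100.4
2024-05-01T09:00:12Z user=bob event=approved ip=198.51.100.4
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    event: str
    ip: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into Event records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, kv["user"], kv["event"], kv["ip"]))
    return sorted(events, key=lambda e: e.ts)


def detect_prompt_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Detection: an approval preceded by >= threshold pushes inside the window.

    Returns a list of (user, approval_timestamp, prompts_in_window). A denied or
    expired prompt on its own is noise; the approval at the end of a burst is the
    signal that a tired user gave in.
    """
    sent: dict[str, deque] = defaultdict(deque)
    findings = []
    for e in events:
        q = sent[e.user]
        if e.event == "push_sent":
            q.append(e.ts)
        while q and e.ts - q[0] > window:  # slide the window forward
            q.popleft()
        if e.event == "approved" and len(q) >= threshold:
            findings.append((e.user, e.ts, len(q)))
    return findings


class PushThrottle:
    """Prevention: at most max_prompts pushes per user per window.

    Once the cap is reached the server stops sending pushes and answers with a
    step-up requirement (e.g. a phishing-resistant factor), so an attacker cannot
    keep ringing the user's phone.
    """

    def __init__(self, max_prompts=3, window=timedelta(minutes=10)):
        self.max_prompts = max_prompts
        self.window = window
        self._sent: dict[str, deque] = defaultdict(deque)

    def request_push(self, user: str, now: datetime) -> str:
        q = self._sent[user]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_prompts:
            return "blocked_step_up_required"
        q.append(now)
        return "push_sent"


def replay_through_throttle(events, max_prompts=3, window_minutes=10):
    """Replay push_sent events through a throttle; return blocked pushes per user."""
    throttle = PushThrottle(max_prompts, timedelta(minutes=window_minutes))
    blocked = {e.user: 0 for e in events}
    for e in events:
        if e.event == "push_sent":
            if throttle.request_push(e.user, e.ts) != "push_sent":
                blocked[e.user] += 1
    return blocked


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, ts, n in detect_prompt_bombing(evs):
        print(f"ALERT {user}: approved at {ts.isoformat()} after {n} prompts")
    print("pushes the throttle would have blocked:", replay_through_throttle(evs))
```

Running the sample flags alice's approval after six prompts and shows that the throttle would have refused the last three pushes, which is the point of the paragraph above: detection catches the approval binge after the fact, while throttling removes the attacker's ability to create it.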
Organizational culture and communication are as important as any technical control when combating MFA fatigue. Security teams must anticipate user frustration and design empathy into rollouts, explaining why changes matter and giving people clear decision rules for when to approve requests. Simulated phishing and live exercises can help users practice refusal responses, but these programs must be realistic and accompanied by transparent reporting so users don’t feel mistrusted. Leaders should model good behavior — refusing suspicious approvals, reporting anomalous prompts, and valuing verification over speed. This cultural emphasis reduces the social pressure that attackers exploit. If the corporate norm becomes “verify twice, approve never under pressure,” the effectiveness of fatigue attacks drops sharply. That cultural shift takes time, consistent messaging, and visible leadership support.
Finally, plan for recovery and resiliency, because prevention will never be perfect. Design break-glass and emergency access paths that are auditable and require multiple checks, rather than a single SMS reset. Use attestation logs and session analytics to rapidly detect and revoke suspicious sessions created during or shortly after an approval binge. Implement compensating controls such as step-up authentication, conditional access policies that require re-keying or hardware-backed cryptographic checks for high-value operations, and mandatory revalidation for changes to contact methods. In parallel, make it easy for users to report suspicious prompts without fear of blame, and ensure support channels follow strict verification protocols. When human behaviors are the battlefield, systems must be built to limit the damage humans can do — accidentally or under duress — and to recover rapidly when those limits are breached.
Compliance theater is one of the biggest reasons SMS-based authentication continues to survive, even as its flaws are well documented. Organizations crave an easy answer to the question, “Do you have MFA enabled?” Regulators and auditors often stop there, satisfied to see a checkmark on a form or a dashboard showing broad coverage. SMS delivers that answer with minimal friction: no special hardware, no additional budget, and no steep learning curve for end users. Executives can tout that “MFA is rolled out across the enterprise” in board meetings, and compliance teams can close audit findings with a clean report. On paper, everyone wins. In practice, attackers also win, because the presence of MFA is not the same thing as the presence of security. Compliance asks whether the door is locked; security demands to know whether the lock resists a determined burglar. With SMS, the lock is fragile, and yet organizations reassure themselves by pointing to paperwork rather than outcomes.
The distinction between technical compliance and real-world resilience becomes obvious after a breach. Headlines frequently follow a familiar pattern: a company insists it had MFA enabled, only for investigators to reveal that the MFA in question was SMS. Attackers sidestep the codes with SIM swaps, phishing kits, or social engineering, and the breach still occurs. Yet in the compliance record, the company looks aligned with best practices. This mismatch leaves organizations exposed to reputational damage and financial losses while auditors remain technically satisfied. It highlights a dangerous gap between what rules require and what threats demand. Security leaders who measure their success by the percentage of accounts with MFA enabled, without asking what kind of MFA, are measuring the wrong thing. The metric should be resistance to phishing, not mere adoption. Anything less is motion mistaken for progress.
Another layer of compliance theater comes from fallback and recovery mechanisms. Even when organizations adopt stronger methods such as TOTP or push notifications, they often leave SMS or email resets enabled in the background. These weak links effectively reduce the entire system back to its lowest common denominator. An attacker who cannot phish a FIDO2 token might instead trigger an SMS reset and bypass the investment entirely. From a compliance standpoint, the organization can still claim MFA deployment, but in reality, the fallback undermines the stronger factor. Worse, privileged accounts such as administrators, executives, and help desk staff are often exempted from stricter controls because enforcing them is inconvenient. Those exemptions create precisely the footholds adversaries seek. Security is not about blanket coverage—it is about prioritizing defenses where compromise would cause the greatest harm. Compliance rarely makes that distinction, but attackers always do.
Fixing this problem requires a shift in both mindset and measurement. Instead of celebrating coverage percentages, organizations should focus on outcomes: how many accounts are resistant to phishing, how often MFA prompts are bypassed, and how effective recovery processes are under stress. This means segmenting users, eliminating insecure fallbacks, and tracking bypass attempts as closely as login attempts. It means recognizing that compliance is not a destination but a floor—the minimum acceptable bar. Real security requires climbing higher, guided by adversary behavior and attack data, not regulatory paperwork. Companies that treat compliance as the end goal will find themselves breached despite passing audits. Companies that treat compliance as a baseline will evolve toward resilience, deploying methods like passkeys and hardware-backed authentication. The difference lies not in the letter of the rules but in the spirit of defense. Compliance theater entertains auditors; real security frustrates attackers. The choice between them determines who gets the last word after an incident.
The path away from SMS and toward true multi-factor security is best understood as a maturity ladder rather than a single leap. At the bottom of this ladder sits SMS, weak but better than nothing. The first rung upward is time-based one-time passcodes, or TOTP, usually generated in authenticator apps. These shift control from telecom carriers back to the user by tying the secret key to a local device. TOTP is far from perfect—phishable and still vulnerable to adversary-in-the-middle attacks—but it closes off entire classes of SIM swap and port-out fraud. The next rung is push-based authentication, particularly when enhanced with number-matching and device binding. These steps provide context and force the user to verify specific details rather than mindlessly hitting “approve.” At the top sit FIDO2 and WebAuthn passkeys, cryptographic protocols that are phishing-resistant, device-bound, and origin-aware. Each rung brings incremental improvement, but the strategic destination must always be phishing resistance, not just compliance checkmarks.
Climbing the maturity ladder requires prioritization. Not all accounts are equal, and not all roles carry the same risk. Admins, executives, and support staff who can reset credentials or access sensitive systems should move to stronger authentication first. Treating every user identically may seem fair, but it wastes scarce security resources and delays protection where it matters most. Segmenting identities by blast radius ensures that the riskiest accounts receive the most resilient protections early. This phased approach is not just efficient; it’s realistic. Organizations that try to mandate passkeys for everyone on day one often encounter resistance and technical snags. By starting with privileged roles and expanding outward, they can build confidence, refine processes, and prove success before scaling. Attackers don’t target random employees first—they go after admins and executives. Defenses should be built with the same logic.
The weakest part of any chain is often the fallback, and recovery paths are no exception. Many organizations deploy stronger methods but leave SMS or email resets available in case users lose access. These shortcuts completely undermine the value of the stronger factor. Imagine an administrator protected by a FIDO2 token but able to reset it with an SMS message—an attacker only needs to compromise the fallback to undo the investment. Strong MFA without hardened recovery is like a vault with a flimsy side door. Break-glass accounts must be carefully designed, auditable, and restricted, not free passes that negate hard-won gains. Eliminating weak fallbacks may be inconvenient, but it is essential. If attackers can exploit the lowest common denominator, the highest level of protection means nothing. Security leaders must treat recovery as part of the authentication ecosystem, not an afterthought.
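The "lowest common denominator" argument in the fallback paragraphs above, together with the blast-radius prioritization from the maturity-ladder discussion, can be turned into an audit check against an identity inventory. The code below is an added example, not something from the original post or any identity provider's tooling: the account records, the method ranking and the per-role floors are constructed for illustration. It computes each account's effective strength as the weakest method that can log in or reset the primary factor, flags downgrade paths where recovery is weaker than the primary factor, and orders remediation so privileged roles come first.

```python
"""Audit an identity inventory for authentication downgrade paths (added example).

Constructed data throughout: the account list, the method ranking (ordered as the
maturity ladder in the text) and the role floors are assumptions, not an export
from a real IdP.
"""
from dataclasses import dataclass, field

# Ordinal strength, higher is stronger, following the ladder: SMS/email at the
# bottom, TOTP, plain push, push with number matching, FIDO2/passkeys at the top.
STRENGTH = {"sms": 1, "email": 1, "totp": 2, "push": 3, "push_number_match": 4, "fido2": 5}

# Minimum acceptable effective strength per role (assumed policy values).
ROLE_FLOOR = {"admin": 5, "helpdesk": 5, "executive": 5, "user": 2}


@dataclass
class Account:
    name: str
    role: str
    primary: list = field(default_factory=list)   # methods that complete a login
    recovery: list = field(default_factory=list)  # methods that can reset the primary


# Constructed inventory.
SAMPLE_ACCOUNTS = [
    Account("root-ops", "admin", ["fido2"], ["sms"]),          # vault with a side door
    Account("hd-01", "helpdesk", ["push_number_match"], []),   # strong-ish, but below floor
    Account("jdoe", "user", ["totp"], ["email"]),              # email reset undoes TOTP
    Account("asmith", "user", ["totp"], []),                   # meets policy
]


def effective_strength(acct: Account) -> int:
    """The attacker picks the weakest path, so strength is the minimum over every method."""
    return min(STRENGTH[m] for m in acct.primary + acct.recovery)


def audit(accounts):
    """Return (account, finding, detail) tuples.

    downgrade_path: some enabled method is weaker than the strongest primary factor,
                    so the investment in the strong factor can be bypassed.
    below_role_floor: effective strength is below what the role requires.
    """
    findings = []
    for a in accounts:
        eff = effective_strength(a)
        strongest_primary = max(STRENGTH[m] for m in a.primary)
        if eff < strongest_primary:
            weakest = min(a.primary + a.recovery, key=STRENGTH.get)
            findings.append((a.name, "downgrade_path", weakest))
        if eff < ROLE_FLOOR[a.role]:
            findings.append((a.name, "below_role_floor", ROLE_FLOOR[a.role]))
    return findings


def remediation_order(accounts):
    """Accounts with findings, highest-privilege role first, weakest effective strength next."""
    flagged = {name for name, _, _ in audit(accounts)}
    ordered = sorted(
        (a for a in accounts if a.name in flagged),
        key=lambda a: (-ROLE_FLOOR[a.role], effective_strength(a)),
    )
    return [a.name for a in ordered]


if __name__ == "__main__":
    for name, finding, detail in audit(SAMPLE_ACCOUNTS):
        print(f"{name:10} {finding:17} {detail}")
    print("fix in this order:", remediation_order(SAMPLE_ACCOUNTS))
```

The administrator with a FIDO2 key and an SMS reset scores the same as an SMS-only account, which is the paragraph's point in a single number; fed a real IdP export, the same check is a quick way to find where compliance coverage and actual resistance diverge.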
SMS-based multi-factor authentication has always been more illusion than reality. For years, organizations have leaned on text-message codes as if they were a sturdy wall, but in truth, they behave like a curtain that attackers can slip behind with ease. SIM swaps, real-time phishing kits, and social engineering have exposed SMS as fragile, and breaches continue to prove that a number is not the same as possession. Companies that still trust SMS as a true second factor are depending on telecom infrastructure that was never designed for security, only for convenience. The result is a system that looks solid in compliance reports but shatters quickly under real-world pressure. The lesson is clear: SMS is not multi-factor. It is a single point of failure disguised as progress.
The shift away from SMS is not just a technical upgrade; it is a cultural transformation. Organizations must move beyond checkbox thinking and accept that security outcomes, not compliance reports, are the true measure of maturity. Device-bound, cryptographic methods like FIDO2 passkeys and WebAuthn are not optional luxuries—they are necessary defenses against adversaries who already exploit weaker systems daily. Implementing them requires communication, phased rollouts, and hardened recovery paths, but the investment pays off in resilience. Attackers adapt quickly; security must evolve faster. Each step up the maturity ladder brings more than just technology—it brings credibility, confidence, and trust in systems that won’t collapse under the first real attack.
Ultimately, the legacy of SMS-based MFA should be as a stepping stone, not a destination. It introduced users to the idea that more than one credential was necessary, even if it delivered that idea imperfectly. The real legacy organizations should strive for is one of proof—authentication methods that are phishing-resistant, resistant to bypass, and resistant to social engineering. When security leaders can say with confidence that compromising a password alone is no longer enough, they have moved beyond SMS and a prayer into true multi-factor defense. That journey is cultural, technical, and ongoing, but it defines whether organizations remain vulnerable or resilient in the years ahead.
