The Authentication Gap Most CISOs Don't Know Their Organizations Have

Multi-factor authentication (MFA) was supposed to solve the credential problem. For years, adding a second factor to the login process stopped the vast majority of attacks that relied on stolen passwords, and for most organizations, it felt like a significant step forward. That progress was real. But traditional MFA was never a complete fix, and attackers have spent the past several years learning how to work around it.

For CISOs, the authentication landscape in 2026 looks meaningfully different than it did even two years ago. The techniques used to bypass traditional MFA have matured from niche to mainstream, the regulatory and insurance pressure to adopt stronger alternatives is accelerating, and the window for treating phishing-resistant MFA as a future consideration rather than a current priority is closing faster than most security leaders realize.

Understanding what's changed, what it means for your authentication architecture, and what a realistic migration path looks like is now a near-term operational requirement.

Why SMS and Push-Based MFA Are No Longer Sufficient

The weakness in traditional MFA is not the idea of a second factor but what that factor is: SMS codes, push approvals, and time-based one-time passwords are all secrets or approvals that the user hands over without any check on who is actually asking. Anything the user can type or tap can be relayed to the real service, replayed within its validity window, or talked out of the user in real time.

The attack technique that has made this routine is known as adversary-in-the-middle, or AiTM. Say an employee receives a convincing phishing email, clicks a link that leads to what appears to be the legitimate login page, enters their credentials, receives and approves their MFA prompt (or types in the one-time code), and believes they have logged in normally. From their perspective, nothing unusual happened.

Behind the scenes, the phishing page is a reverse proxy sitting between the employee and the real service. It forwards the password and the second factor to the real service as they are entered, the real service completes the login and issues a session, and the proxy keeps the session cookie. MFA was technically used, but it did not stop the compromise, because the factor was relayed and the resulting authenticated session was captured in real time. With that cookie, the attacker needs neither the password nor the second factor again until the session expires or is revoked.

The second vulnerability in push-based MFA is prompt bombing (also called MFA fatigue), and it requires nothing technically sophisticated at all. An attacker with valid credentials simply triggers repeated authentication requests until the user, confused or worn down, approves one. Number matching in push apps blunts this specific attack by making a blind approval impossible, but it does nothing against AiTM, where the user is approving a login they really did initiate. Both attack types exploit the same root problem: the second factor is something the user supplies or approves, nothing in it records where the request actually came from, and so the outcome rests on human judgment in the moment, which is unreliable under enough pressure or deception.
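Prompt bombing leaves a recognizable trace in identity-provider logs: a burst of push prompts for one user, most of them denied or timed out, ending in an approval. The following is an added example of a detector for that pattern, not code from the original article or from PulseOne. The key=value log format, the field names, the thresholds, and the sample lines are all constructed for the example; a real deployment needs a parser for its own provider's events.

```javascript
// Added example, not from the original article. Constructed log lines in a made-up
// key=value format; a real deployment would parse its identity provider's own events.
const SAMPLE_PUSH_LOG = [
  '2026-03-04T09:12:01Z user=alice event=mfa_push result=denied ip=203.0.113.7',
  '2026-03-04T09:12:40Z user=alice event=mfa_push result=timeout ip=203.0.113.7',
  '2026-03-04T09:13:15Z user=alice event=mfa_push result=denied ip=203.0.113.7',
  '2026-03-04T09:13:50Z user=alice event=mfa_push result=denied ip=203.0.113.7',
  '2026-03-04T09:14:30Z user=alice event=mfa_push result=timeout ip=203.0.113.7',
  '2026-03-04T09:15:05Z user=alice event=mfa_push result=approved ip=203.0.113.7',
  '2026-03-04T09:20:00Z user=bob event=mfa_push result=approved ip=198.51.100.4',
  '2026-03-04T11:00:00Z user=bob event=mfa_push result=denied ip=198.51.100.4',
  '2026-03-04T11:00:30Z user=bob event=mfa_push result=approved ip=198.51.100.4',
  '2026-03-04T11:01:00Z user=bob event=password_login result=success ip=198.51.100.4',
  'this line is malformed and must be skipped',
];

// Parse one line into { ts, user, result, ip }; return null for anything that is not a push event.
function parsePushEvent(line) {
  const m = line.match(/^(\S+) (.+)$/);
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  const fields = {};
  for (const kv of m[2].split(' ')) {
    const i = kv.indexOf('=');
    if (i > 0) fields[kv.slice(0, i)] = kv.slice(i + 1);
  }
  if (fields.event !== 'mfa_push' || !fields.user || !fields.result) return null;
  return { ts, user: fields.user, result: fields.result, ip: fields.ip || '?' };
}

// Flag a user when, within windowMs, at least minPrompts pushes were sent and the last one
// was approved after at least (minPrompts - 1) rejections or timeouts: the fatigue pattern.
function detectPromptBombing(lines, { windowMs = 10 * 60 * 1000, minPrompts = 4 } = {}) {
  const byUser = new Map();
  for (const line of lines) {
    const e = parsePushEvent(line);
    if (!e) continue;
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push(e);
  }
  const findings = [];
  for (const [user, events] of byUser) {
    events.sort((a, b) => a.ts - b.ts);
    let start = 0;
    for (let end = 0; end < events.length; end++) {
      while (events[end].ts - events[start].ts > windowMs) start++; // slide the window forward
      if (events[end].result !== 'approved') continue;
      const win = events.slice(start, end + 1);
      const rejected = win.filter((e) => e.result !== 'approved').length;
      if (win.length >= minPrompts && rejected >= minPrompts - 1) {
        findings.push({
          user,
          prompts: win.length,
          rejectedBeforeApproval: rejected,
          approvedAt: new Date(events[end].ts).toISOString(),
          sourceIps: [...new Set(win.map((e) => e.ip))], // where the login attempts came from
        });
        start = end + 1; // do not report the same burst twice
      }
    }
  }
  return findings;
}

console.log(JSON.stringify(detectPromptBombing(SAMPLE_PUSH_LOG), null, 2));
```

On the sample data this reports one finding, for alice: six prompts in about three minutes, five of them rejected or timed out before the approval. Bob's single denial followed by an approval stays under the threshold, which is the normal "tapped the wrong button" case. The source IPs are worth keeping in the finding because in a real incident they identify where the attacker was attempting the password login from, and the approving user's session should be revoked and the password reset rather than the event merely noted.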

For security leaders, the takeaway is straightforward: MFA remains essential, but not all MFA is equal. The methods most widely deployed across enterprise environments today are no longer sufficient against the attacks most commonly used to defeat them.

What Phishing-Resistant MFA Means

Rather than asking a user to approve or enter something that can be intercepted, phishing-resistant MFA uses a challenge-response protocol built on asymmetric cryptography. The private key never leaves the user's authenticator, each credential is registered to a specific domain (the relying party), and the signed response covers the origin that the browser actually saw when it made the request.

That design matters. Even if a user is tricked into visiting a convincing fake login page, the attempt fails: the browser reports the fake page's origin, the authenticator has no credential registered for that domain, and a response somehow obtained anyway would be rejected by the real service because the origin inside the signed data does not match. The user does not have to notice the phishing page. The technology blocks the attack before that judgment call matters.

The two primary implementations CISOs need to understand are FIDO2 and PKI-based certificate authentication:

  • FIDO2 and passkeys are the most accessible implementation for most organizations. Built on open standards maintained by the FIDO Alliance and the World Wide Web Consortium, FIDO2 supports two authenticator types: roaming authenticators, which are hardware security keys that connect via USB, NFC, or Bluetooth and hold private keys in tamper-resistant hardware; and platform authenticators, which are built into the user's device (Windows Hello, Touch ID, Face ID) and unlocked through biometrics or a device PIN. The credentials themselves are now commonly called passkeys. A passkey may be bound to a single device or synced across a user's devices through a platform account, and that distinction matters for any policy that depends on knowing which device holds the key.
    • In both cases, the private key is generated on the authenticator and never disclosed to the service (synced passkeys replicate it, encrypted, only between a user's own devices), and every authentication is bound to the real domain. Google reported zero successful phishing attacks against its 85,000-plus employees after deploying FIDO security keys, which illustrates the practical impact of the shift at scale.
  • PKI-based certificate authentication (using smart cards or digital certificates) operates on the same principle, a private key that signs a challenge from the real server and is never transmitted, and has been the standard in federal government and defense environments for decades. For organizations already operating PKI infrastructure, it offers a proven path to phishing-resistant authentication, particularly for privileged access scenarios.

What Implementation Requires

For most security teams, moving to phishing-resistant MFA is not a quick replacement project, but a phased modernization effort, and the complexity varies significantly depending on the existing environment.

The practical considerations include:

  • Legacy system compatibility. Not every application in a typical enterprise environment supports FIDO2 or WebAuthn natively. Systems that don't can often be placed behind single sign-on or an identity-aware proxy so that the phishing-resistant check happens at the front door, but this requires assessment and planning. For systems that can't be modernized on a short timeline, PKI-based certificate authentication may serve as an interim bridge. Authentication paths that bypass MFA entirely, such as legacy protocols that accept only a password, should be disabled rather than bridged, because they undo the upgrade for every account they can reach.
  • Device management requirements. Phishing-resistant MFA tied to platform authenticators (Windows Hello, Touch ID, Face ID) requires that devices be managed and enrolled so the organization knows which device holds which credential, can revoke a credential when a device is lost or retired, and can pair the authentication with device-health signals. Organizations without mature device management infrastructure will need to address that foundation before the authentication layer can be built on it.
  • Privileged access first. For most organizations, the highest-value and most pragmatic starting point is enforcing phishing-resistant MFA for the access paths that represent the greatest risk if compromised: administrator accounts, the identity provider's own management plane, and remote and cloud-console access. Broad workforce rollout can follow a phased timeline that manages change management and legacy system dependencies.
  • Credential enrollment and recovery. Enrolling users in new authentication methods at scale requires planning for the enrollment process itself, as well as for the credential recovery scenarios that create the exceptions attackers look to exploit. Recovery and fallback flows are authentication paths in their own right: if a lost security key can be replaced with an SMS code or a help-desk call, the account's real assurance level is that of the fallback. Enrollment gaps and poorly managed exceptions are among the most common sources of MFA bypass discovered during post-incident investigations.
  • Ongoing compliance documentation. As insurers and regulators increase their scrutiny of authentication controls, CISOs need ongoing evidence of coverage, enforcement, and exception management. Building the logging and reporting infrastructure to produce that evidence should be part of the implementation plan, not an afterthought.

Final Thoughts

For CISOs, the authentication conversation has moved past "should we deploy MFA?" to "is our MFA actually doing what we think it is?" The answer for most organizations is that traditional MFA provides meaningful protection against a narrowing set of attacks while leaving the door open to the relay and fatigue techniques that now feature in a growing share of identity-based breaches.

Phishing-resistant MFA closes that door by removing the human decision point that attackers have learned to exploit. The migration requires planning, prioritization, and a clear-eyed assessment of where legacy systems create constraints. But the regulatory pressure, the insurer expectations, and the threat landscape are all moving in the same direction, and the organizations that build this capability deliberately will be in a significantly stronger position than those who wait for an incident or a renewal denial to force the conversation.

Next Steps

PulseOne works alongside security teams to assess authentication posture, design phishing-resistant MFA architectures, and execute migrations that account for the legacy system complexity and compliance documentation requirements that make these projects harder than they look on paper. Our IT security and compliance services are built around the practical realities of enterprise environments, not just the ideal state.

If you're ready to move your authentication architecture beyond what attackers have already learned to defeat, contact PulseOne to get started.

_______

PulseOne is a business services company that has delivered information technology (IT) management solutions to small and mid-sized businesses for over 20 years. In short, we're your "get IT done" people.

We are passionate about the power of PEOPLE and TECHNOLOGY to transform a company. We are confident we can significantly accelerate your PROGRESS towards your business technology objectives.

For more information visit:

PulseOne – IT Management and IT Support Solutions for SMB