Research Note · Identity Abuse

The Quiet Breach
How legacy MFA bypass still works in 2025

Most organizations believe MFA solved credential-based compromise. In practice, attackers rarely defeat MFA directly. Instead, they walk around it—through legacy authentication paths, session reuse, token abuse, and identity design decisions that were never revisited after MFA was “turned on.”

These breaches are quiet, persistent, and often discovered months later—if at all.

Executive summary

MFA reduces friction. It does not eliminate paths.

MFA dramatically improves security posture, but it is not a control boundary. Legacy protocols, OAuth flows, session lifetime decisions, and recovery processes routinely bypass MFA without triggering alarms. Organizations that treat MFA as a finish line often discover this only after damage is done.

Key idea

MFA protects logins, not identity ecosystems

Modern identity platforms include dozens of authentication and authorization paths. MFA typically covers only a subset. Attackers target what was left behind.

Misconception

“We enforce MFA everywhere”

In practice, this often means “for interactive logins by humans,” not service accounts, legacy clients, token refresh flows, or delegated permissions.

Outcome

Breaches that look like normal activity

When MFA isn’t challenged, defenders assume legitimacy. Attackers blend into normal cloud operations instead of triggering alerts.

Abuse paths

Why legacy MFA bypass still succeeds

These are not edge cases. They persist because disabling them risks breaking business processes—and because few organizations inventory identity flows end-to-end.

Legacy authentication protocols

IMAP, POP, SMTP AUTH, and older SOAP-based APIs often bypass modern MFA enforcement. Even when “mostly disabled,” exceptions linger for scanners, devices, or migrations.

Session and token reuse

MFA is checked at session creation, not every action. Stolen session cookies, refresh tokens, or persistent OAuth grants allow long-term access without re-authentication.

OAuth consent abuse

Once a malicious or over-permissioned app is authorized, MFA is irrelevant. The app operates independently, often with fewer logging and alerting hooks.

Recovery and exception flows

Password resets, break-glass accounts, emergency access policies, and helpdesk overrides frequently have weaker MFA requirements—or none at all.

Detection gap

Why defenders don’t see the breach

MFA bypass attacks don’t look like brute force or phishing failures. They look like successful authentication and legitimate API usage.

No failed MFA events

SOCs often key on failed challenges or push fatigue. Quiet breaches generate neither, so they never escalate.

Normal geolocation and timing

Access often originates from cloud infrastructure or locations already associated with the organization or its vendors.

App activity over user activity

OAuth-based abuse shifts activity from user sign-ins to app calls, which many teams monitor less aggressively.

Overconfidence in MFA coverage

Teams stop looking for bypass paths because they believe MFA “solved” the identity problem. Attackers rely on that assumption.

Leadership view

Why this matters to executives and boards

MFA success metrics often create false confidence. The real risk lies in what MFA does not cover—and how long attackers can operate undetected.

Longer dwell time

Quiet breaches persist longer, increasing data exposure, regulatory risk, and recovery costs once discovered.

Audit surprises

Legacy auth paths and undocumented exceptions are often discovered during incidents—or by regulators—not internal reviews.

Misaligned investments

Organizations invest heavily in MFA tooling while underfunding identity architecture reviews, lifecycle controls, and monitoring.

Program direction

Reducing quiet breach risk without breaking the business

Eliminating MFA bypass requires architectural decisions, not just stricter prompts.

Priority

Inventory all identity flows

Map every way identities authenticate and authorize—human, service, legacy, automated, and third-party. MFA enforcement should be evaluated per path.

Priority

Expire and monitor sessions aggressively

Session lifetime, token refresh behavior, and revocation processes matter as much as initial authentication.

Priority

Constrain OAuth and app permissions

Treat app consent as privileged access. Monitor for over-scoped grants, unusual API usage, and persistence through applications—not users.

Priority

Design detection for “success,” not failure

Build detections around improbable success patterns: new apps, unusual token use, access without interactive logins.
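As an added example (not part of the original note, and not any vendor's log format), the Python sketch below applies the three "improbable success" patterns above to constructed sign-in records with a hypothetical schema: legacy-protocol sign-ins that succeeded without MFA, token or app activity by a user with no MFA-backed interactive sign-in in the preceding 24 hours, and the first sighting of an app absent from the flow inventory. The field names, client names, inventory sets and the 24-hour window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records with a hypothetical schema (not any vendor's log format).
# Every event is a *success*; none of them would surface on a failed-MFA dashboard.
EVENTS = [
    {"ts": "2025-03-10T08:02:00", "user": "alice", "kind": "interactive", "client": "Browser", "mfa": True, "app": "Outlook Web"},
    {"ts": "2025-03-10T08:30:00", "user": "alice", "kind": "noninteractive", "client": "Mobile Apps", "mfa": False, "app": "Outlook Mobile"},
    {"ts": "2025-03-10T09:15:00", "user": "bob", "kind": "noninteractive", "client": "IMAP4", "mfa": False, "app": "Mail Scanner"},
    {"ts": "2025-03-11T03:40:00", "user": "carol", "kind": "noninteractive", "client": "Mobile Apps", "mfa": False, "app": "Contoso Sync"},
    {"ts": "2025-03-11T03:41:00", "user": "carol", "kind": "app", "client": "Graph API", "mfa": False, "app": "Contoso Sync"},
]

# Assumed inventory: legacy clients that never receive an MFA prompt, and the apps the flow map knows about.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP"}
KNOWN_APPS = {"Outlook Web", "Outlook Mobile", "Mail Scanner"}
INTERACTIVE_WINDOW = timedelta(hours=24)  # assumed session lifetime that token use is compared against


def detect(events, known_apps=KNOWN_APPS, legacy=LEGACY_CLIENTS, window=INTERACTIVE_WINDOW):
    """Return (user, rule, ts) findings for successful but improbable events."""
    last_interactive = {}          # user -> time of the last MFA-backed interactive sign-in
    seen_apps = set(known_apps)
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["kind"] == "interactive" and e["mfa"]:
            last_interactive[e["user"]] = ts
        # Rule 1: a legacy protocol authenticated successfully with no MFA at all.
        if e["client"] in legacy and not e["mfa"]:
            findings.append((e["user"], "legacy_auth_no_mfa", e["ts"]))
        # Rule 2: token or app activity with no MFA-backed interactive sign-in inside the window,
        # i.e. "access without interactive logins" (session or refresh-token reuse looks like this).
        elif e["kind"] in ("noninteractive", "app"):
            last = last_interactive.get(e["user"])
            if last is None or ts - last > window:
                findings.append((e["user"], "token_use_without_recent_interactive", e["ts"]))
        # Rule 3: an app principal the inventory has never seen (new or over-scoped consent).
        if e["app"] not in seen_apps:
            seen_apps.add(e["app"])
            findings.append((e["user"], "new_app_first_seen", e["ts"]))
    return findings


if __name__ == "__main__":
    for user, rule, ts in detect(EVENTS):
        print(f"{ts} {user:6} {rule}")
```

In a real deployment the two inventory sets come from the flow map built under the first priority, and the window from the session lifetime chosen under the second.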

Worried your MFA story is incomplete?

Wolfe Defense Labs helps organizations identify and eliminate legacy MFA bypass paths, redesign identity architectures, and build detection focused on quiet, low-noise compromise—not just failed logins.
