Rather than compromising infrastructure used to make various MFA services work, as more advanced groups do, a Lapsus$ leader last year described his approach to defeating MFA this way: “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”
- A phishing campaign that used MFA bombing and other unsophisticated techniques breached San Francisco-based MFA provider Twilio, and it would also have breached content delivery network Cloudflare were it not for the latter’s use of MFA that complies with the FIDO2 industry standard.
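The tactic described above (a burst of push prompts until one is accepted, often after several denials) leaves a recognisable trail in identity-provider logs. The following detection is an added example written for this page, not code from the article or from any vendor; the log records are constructed and the field names (`ts`, `user`, `event`) are hypothetical placeholders for whatever your IdP emits. It flags a flood of push prompts to one user inside a sliding window, and separately flags the higher-severity pattern of an approval arriving after denials in the same window:

```javascript
// Added example (not from the article): spotting push-MFA "bombing" in IdP logs.
// Constructed sample records; field names are hypothetical.
const PUSH_LOG = [
  // jdoe gets a burst of prompts at 1 a.m., denies some, then gives in
  { ts: '2022-09-14T01:00:05Z', user: 'jdoe',   event: 'push_sent' },
  { ts: '2022-09-14T01:00:40Z', user: 'jdoe',   event: 'push_denied' },
  { ts: '2022-09-14T01:00:50Z', user: 'jdoe',   event: 'push_sent' },
  { ts: '2022-09-14T01:01:20Z', user: 'jdoe',   event: 'push_denied' },
  { ts: '2022-09-14T01:01:30Z', user: 'jdoe',   event: 'push_sent' },
  { ts: '2022-09-14T01:02:00Z', user: 'jdoe',   event: 'push_sent' },
  { ts: '2022-09-14T01:02:30Z', user: 'jdoe',   event: 'push_sent' },
  { ts: '2022-09-14T01:03:00Z', user: 'jdoe',   event: 'push_denied' },
  { ts: '2022-09-14T01:03:10Z', user: 'jdoe',   event: 'push_sent' },
  { ts: '2022-09-14T01:03:40Z', user: 'jdoe',   event: 'push_sent' },
  { ts: '2022-09-14T01:04:10Z', user: 'jdoe',   event: 'push_approved' },
  // asmith logs in normally twice during working hours
  { ts: '2022-09-14T08:15:00Z', user: 'asmith', event: 'push_sent' },
  { ts: '2022-09-14T08:15:12Z', user: 'asmith', event: 'push_approved' },
  { ts: '2022-09-14T09:40:00Z', user: 'asmith', event: 'push_sent' },
  { ts: '2022-09-14T09:40:08Z', user: 'asmith', event: 'push_approved' },
];

// Returns one alert object per suspicious pattern found. windowMs is the
// trailing window examined per user; maxPushes is how many push_sent events
// inside that window count as a flood.
function detectMfaBombing(records, { windowMs = 10 * 60 * 1000, maxPushes = 5 } = {}) {
  const byUser = new Map();
  for (const r of records) {
    const t = Date.parse(r.ts);
    if (Number.isNaN(t)) throw new Error(`bad timestamp: ${r.ts}`);
    if (!byUser.has(r.user)) byUser.set(r.user, []);
    byUser.get(r.user).push({ ...r, t });
  }

  const alerts = [];
  for (const [user, evs] of byUser) {
    evs.sort((a, b) => a.t - b.t);
    const recent = [];          // events still inside the trailing window
    let floodAlerted = false;   // emit one flood alert per burst, not per prompt
    for (const e of evs) {
      while (recent.length && e.t - recent[0].t > windowMs) recent.shift();
      recent.push(e);
      const pushes = recent.filter((x) => x.event === 'push_sent').length;
      const denials = recent.filter((x) => x.event === 'push_denied').length;

      if (pushes < maxPushes) floodAlerted = false;
      if (e.event === 'push_sent' && pushes >= maxPushes && !floodAlerted) {
        alerts.push({ user, kind: 'push_flood', severity: 'medium', ts: e.ts, pushes, denials });
        floodAlerted = true;
      }
      // The success signature of MFA fatigue: the user said no, then said yes.
      if (e.event === 'push_approved' && denials > 0) {
        alerts.push({ user, kind: 'approval_after_denials', severity: 'high', ts: e.ts, pushes, denials });
      }
    }
  }
  return alerts;
}

console.log(detectMfaBombing(PUSH_LOG));
```

Run on the sample, this yields two alerts for `jdoe` (a flood at the fifth prompt and a high-severity approval after three denials) and none for `asmith`. In production the `approval_after_denials` alert is the one worth paging on, and the next thing to check is the enrollment log, since the quoted playbook's goal is to register a new device once a single prompt is accepted.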
The report contains a variety of recommendations. Key among them is moving to passwordless authentication, which presumably means passkeys, based on FIDO2. Like all FIDO2 credentials, passkeys resist credential phishing because each credential is bound to the website it was registered for: the browser writes the real origin of the page into the data the authenticator signs, and the relying party rejects any login whose origin or relying-party ID does not match its own. A look-alike domain therefore cannot obtain a signature the genuine site will accept, and it cannot relay one the way it can relay a one-time code or a push approval. FIDO2 cross-device logins add a second safeguard: the phone holding the passkey must be within Bluetooth range of the device logging in, which blocks attempts to forward the exchange to a remote machine.