Soliton - News

MFA Is Broken - Why Certificates Are the Future of Identity Access Control

Written by Mark Andrews | Nov 4, 2025 2:05:32 PM

For years, Multi-Factor Authentication (MFA) was hailed as the gold standard for securing identity. But in 2025, it’s clear: MFA is broken.

Phishing-resistant authentication is no longer optional - it’s essential. And the answer isn’t more SMS codes or push notifications. It’s certificates.

The Problem with Traditional MFA

  • Phishing and MFA fatigue attacks are rampant. Users are tricked into approving fraudulent logins or clicking spoofed links.
  • Push-based MFA is vulnerable to social engineering and session hijacking.
  • SMS and OTPs are easily intercepted or spoofed.
  • User experience suffers, especially in regulated environments where login friction leads to workarounds.

Real-World MFA Failures

Here are notable examples where MFA either failed or was bypassed due to poor implementation, lack of enforcement, or exploitable flaws:

  1. Microsoft Azure MFA Breach (2024)
  • What happened: Researchers cracked Azure MFA in under an hour due to a lack of rate limiting on failed sign-in attempts.
  • Impact: Unauthorized access to Outlook, OneDrive, Teams, and Azure Cloud services.
  • Lesson: Even enterprise-grade MFA can be vulnerable if basic protections like throttling are missing.

The Microsoft Azure MFA breach in 2024 was enabled by a brute-force attack, made possible by the absence of throttling. Throttling, in this context, refers to limiting the number of authentication attempts allowed within a specific time frame to prevent rapid guessing of MFA codes.
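The throttling described above, as an added illustration that is not code from Soliton or from any of the products named on this page: a small, constructed OTP verifier that caps guesses per session inside a time window, locks the session after too many failures, and computes the resulting upper bound on guesses an attacker gets while a code is valid. The class name, limits and session identifiers are all assumptions made for the example.

```python
import hmac
import time
from dataclasses import dataclass, field


@dataclass
class OtpVerifier:
    """Constructed example: verify 6-digit MFA codes with per-session throttling.

    At most max_attempts guesses are accepted per window_seconds; once that is
    exceeded the session is locked for lockout_seconds, even for a correct code.
    """
    max_attempts: int = 5
    window_seconds: float = 300.0
    lockout_seconds: float = 900.0
    # session_id -> (attempts_in_window, window_start, locked_until)
    _state: dict = field(default_factory=dict)

    def verify(self, session_id, expected, submitted, now=None):
        """Return "ok", "invalid" or "locked". `now` is injectable for tests."""
        now = time.monotonic() if now is None else now
        attempts, window_start, locked_until = self._state.get(
            session_id, (0, now, 0.0))
        if now < locked_until:
            return "locked"           # still inside the lockout period
        if now - window_start >= self.window_seconds:
            attempts, window_start = 0, now   # window expired: start a fresh one
        attempts += 1
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            self._state.pop(session_id, None)
            return "ok"
        if attempts >= self.max_attempts:
            locked_until = now + self.lockout_seconds  # budget exhausted: lock
        self._state[session_id] = (attempts, window_start, locked_until)
        return "invalid"

    def guess_budget(self, validity_seconds):
        """Upper bound on guesses one session can make while a code stays valid.

        Guesses can be submitted almost instantly, so each lockout cycle yields
        max_attempts guesses; a 6-digit code has 10**6 possibilities.
        """
        cycles = int(validity_seconds // self.lockout_seconds) + 1
        return self.max_attempts * cycles
```

With the defaults above a 30-second code allows 5 guesses out of 1,000,000; with no throttling at all the same code space can be exhausted within its validity period, which is the failure mode this section describes.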

  2. Twilio Authy API Exploit (2025)
  • What happened: Millions of phone numbers were verified using an unauthenticated API endpoint in Twilio’s Authy service.
  • Impact: Attackers could hijack MFA tokens and impersonate users.
  • Lesson: MFA systems relying on unsecured APIs are easily compromised.

The Twilio Authy API exploit (2025) is best classified as an unauthenticated API enumeration attack, also known in industry terms as an API exposure vulnerability or data enumeration via unsecured endpoint.

  3. Change Healthcare Ransomware Attack (2024)
  • What happened: BlackCat ransomware gang used stolen credentials to bypass weak or absent MFA.
  • Impact: Over 6 TB of sensitive medical data encrypted; $22M ransom demanded.
  • Lesson: MFA must be enforced universally—not just on external access points.

The Change Healthcare ransomware attack (2024) is classified as a supply chain ransomware attack or, more broadly, a third-party compromise. It falls under the category of threat-to-life ransomware in healthcare cybersecurity, due to its disruption of critical patient services.

  4. Microsoft AuthQuake Vulnerability (2024)
  • What happened: A flaw in Microsoft’s MFA implementation allowed unlimited brute-force attempts.
  • Impact: Accounts were exposed to credential stuffing and session hijacking.
  • Lesson: MFA without brute-force protection is a liability.

  5. Conditional MFA Failures in Microsoft Environments
  • What happened: Organizations exempted MFA for “trusted” IP ranges or internal apps.
  • Impact: Attackers exploited these gaps to move laterally inside networks.
  • Lesson: Conditional access policies must be airtight—MFA should be enforced everywhere.

The Conditional MFA failures in Microsoft environments are classified as misconfigured Conditional Access policies or policy bypass vulnerabilities. These fall under the broader category of identity misconfiguration attacks, which are increasingly exploited in enterprise environments.

Why Certificates Are the Answer

  • Phishing-resistant by design: Certificates authenticate the device, not the user’s memory or reflex.
  • No user interaction required: Login windows open securely, with no need for codes or approvals.
  • Easy deployment via Soliton KeyManager: Certificates can be securely installed across Windows, macOS, iOS, and Android, without scripting, manual provisioning, or complex PKI.
  • Compliance-ready: Certificate-based access aligns with NCSC UK, ISO 27001, and GDPR requirements for strong authentication.

Soliton OneGate: Certificate-First Access Control

Soliton OneGate is built for this shift. It uses device-bound certificates to enforce identity and access control across enterprise networks, remote workspaces, and cloud services. Key benefits:

  • No passwords, no push prompts
  • Device trust and endpoint validation
  • Supports zero trust architectures and conditional access policies

Use Soliton KeyManager to Simplify Certificate Deployment

While certificates should lead your identity strategy, many organizations hesitate, assuming wrongly that issuing and managing certificates requires heavy IT overhead or user training. That’s no longer the case.

Soliton KeyManager is a lightweight, cross-platform app that makes certificate deployment fast, secure, and user-friendly:

  • Works on Windows, macOS, iOS, and Android
  • Installs certificates securely without scripting or manual provisioning
  • Generates private keys locally, ensuring they never leave the device
  • Integrates with Soliton NetAttest EPS and OneGate for seamless authentication
  • Supports wireless LAN, VPN, and browser-based access

This means IT teams can roll out phishing-resistant, certificate-bound identity across diverse endpoints without hyperscaler lock-in or complex PKI infrastructure. Whether you're securing internal apps, remote access, or unmanaged devices, KeyManager removes friction and accelerates adoption.

Final Thought: Educate, Deploy, Secure

The shift to certificate-based identity isn’t just technical; it’s strategic. IT leaders must:

  • Educate users on why MFA is no longer enough
  • Deploy certificate infrastructure via OneDrive, MDM, or Soliton KeyManager
  • Secure endpoints with tools like Soliton OneGate and NetAttest EPS

MFA is broken when it’s misconfigured, API-exposed, or reliant on user interaction. Certificate-based authentication, like Soliton OneGate, removes these attack vectors by binding trust to the device and eliminating user prompts.