The Cost of Getting MFA Wrong: Why SMS and Push Notifications Are Failing New Zealand Organisations

Multi-factor authentication has become a standard fixture in security conversations, and most organisations today have some form of it in place. The problem is that not all MFA is built to withstand the attacks organisations actually face. SMS one-time passwords, email codes, and push notification approvals are now routinely bypassed by attackers, and the organisations that deployed them believing they were protected are learning that lesson the hard way.

For New Zealand businesses managing remote workforces, cloud environments, and privileged access accounts, understanding where conventional MFA falls short is not a theoretical exercise. The threat is real, the attack techniques are widely available, and the consequences of a compromised privileged credential extend well beyond a single account.

The MFA Bypass Problem Is Not New, and It's Getting Worse

The security industry spent years advocating for MFA adoption, and rightly so. Any MFA is better than none. But the premise that MFA creates an impenetrable barrier no longer holds for conventional implementations. Attackers have adapted.

Adversary-in-the-middle phishing kits are now commercial products, available on criminal marketplaces with support documentation and update schedules. These tools sit between the victim and the legitimate service, intercepting credentials and MFA codes in real time. The user sees a convincing replica of a login page, enters their credentials and their OTP, and the attacker uses both immediately to authenticate to the real service. The entire exchange happens in seconds.

SIM-swapping is another well-established attack against SMS-based MFA. By socially engineering a mobile carrier into transferring a victim's number to an attacker-controlled SIM, the attacker takes ownership of the SMS channel. Every OTP sent to that number goes to the attacker. This technique has been used to compromise cryptocurrency accounts, executive email accounts, and financial services access in New Zealand and across the Asia-Pacific region.

MFA fatigue attacks require no technical sophistication at all. If an attacker has obtained valid credentials, they can repeatedly trigger push notification requests to the victim's device. Given enough volume, enough persistence, or enough confusion on the part of the victim, approval eventually happens. The Uber breach of 2022, where an attacker bombarded an employee with push notifications until one was approved, is a well-documented example of a technique that continues to appear in incident investigations globally.
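The push-bombing pattern described above is visible in sign-in logs before the approval happens. The following detection logic is an added example, not code from the original post; the log format, field names, user names and timestamps are all constructed for illustration.

```javascript
// Added example: flag MFA-fatigue bursts (many push prompts not approved in a
// short window for one user) and whether an approval followed the burst.
// Log format is constructed: ts,user,result,method (one event per line).
const SAMPLE_LOG = [
  '2024-05-01T02:14:01Z,j.smith,mfa_denied,push',
  '2024-05-01T02:14:20Z,j.smith,mfa_denied,push',
  '2024-05-01T02:14:41Z,j.smith,mfa_timeout,push',
  '2024-05-01T02:15:03Z,j.smith,mfa_denied,push',
  '2024-05-01T02:15:30Z,j.smith,mfa_approved,push',   // the dangerous outcome
  '2024-05-01T02:20:00Z,a.lee,mfa_approved,push',     // normal single approval
].join('\n');

function parseLog(text) {
  return text.trim().split('\n').map((line) => {
    const [ts, user, result, method] = line.split(',');
    return { ts: Date.parse(ts), user, result, method };
  });
}

// Sliding window over each user's non-approved push prompts: `threshold`
// prompts inside `windowMs` raises one alert, and the alert records whether
// an approval landed shortly after the burst (a likely fatigue success).
function findFatigueBursts(events, { windowMs = 5 * 60e3, threshold = 3 } = {}) {
  const byUser = new Map();
  for (const e of events) {
    if (e.method !== 'push') continue;
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push(e);
  }
  const alerts = [];
  for (const [user, evs] of byUser) {
    evs.sort((a, b) => a.ts - b.ts);
    const rejected = evs.filter((e) => e.result !== 'mfa_approved');
    for (let i = 0; i + threshold - 1 < rejected.length; i++) {
      const first = rejected[i];
      const last = rejected[i + threshold - 1];
      if (last.ts - first.ts <= windowMs) {
        const approvedAfter = evs.some(
          (e) => e.result === 'mfa_approved' && e.ts > last.ts && e.ts - last.ts <= windowMs,
        );
        alerts.push({ user, prompts: rejected.length, approvedAfter });
        break; // one alert per user per run is enough for triage
      }
    }
  }
  return alerts;
}

console.log(findFatigueBursts(parseLog(SAMPLE_LOG)));
```

An alert with `approvedAfter: true` is the case to treat as a probable account compromise rather than a nuisance.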

What Happens When a Privileged Credential Is Compromised

The stakes are not uniform across an organisation. A compromised standard user account is a serious incident. A compromised privileged account is a different problem entirely.

Privileged accounts, those with administrative access to identity systems, cloud infrastructure, network equipment, or sensitive data repositories, are the accounts attackers pursue because they unlock everything else. An attacker with a compromised global administrator credential in a Microsoft Entra ID environment can create new accounts, disable security policies, exfiltrate data, and establish persistent access that survives password resets. A compromised VPN administrator credential can provide a gateway to on-premises systems that would otherwise be unreachable from the internet.

The NZISM explicitly recognises this risk. Control 16.4.37.C.02 mandates MFA for privileged account access across all New Zealand government agencies, and the NCSC's guidance specifically recommends phishing-resistant methods for these access paths. The reason is straightforward: the consequences of privileged credential compromise justify a higher standard of authentication than the consequences of standard user compromise.

For private sector organisations, the same logic applies regardless of regulatory obligation. The question is not whether you have MFA on privileged accounts. It's whether that MFA would survive a targeted attack.

The SIM-Swap and Phishing Risk in the New Zealand Context

New Zealand is not insulated from these threats. The NCSC's annual Cyber Threat Reports document ongoing credential phishing activity targeting New Zealand organisations across government, financial services, and critical infrastructure. Business email compromise, which frequently involves credential theft followed by account takeover, remains one of the most financially damaging attack types reported by New Zealand businesses.

Remote work has expanded the attack surface further. Users authenticating to corporate systems from home networks and personal devices, over VPNs that may themselves rely on SMS or push MFA, create exactly the access paths that attackers probe. A single compromised remote access credential, combined with an MFA method that can be bypassed, is sufficient for an initial foothold.

What Phishing-Resistant MFA Actually Prevents

Hardware security keys, implementing the FIDO2/WebAuthn standard, eliminate the attack vectors described above through cryptographic architecture rather than user vigilance.

When a user authenticates with a hardware security key, the device generates a cryptographic response that is bound to the specific domain requesting authentication. If the user has been directed to a fraudulent site, the key does not respond. There is no code to intercept, no notification to approve, and no decision the user needs to make correctly. The attack fails at the protocol level.

SIM-swapping is irrelevant because there is no SMS channel. Push fatigue attacks are irrelevant because there are no push notifications. AiTM phishing kits cannot relay an authentication that never produces an interceptable credential. The private key never leaves the device, which means there is nothing for an attacker to steal even if the service's servers are compromised.

This is not a marginal improvement over SMS or push MFA. It is a categorically different security posture, which is why the NCSC, CISA, and security agencies globally now describe FIDO2-based authentication as the gold standard for high-risk access paths.

Practical Deployment: Starting With What Matters Most

Organisations do not need to replace every authentication method simultaneously. The highest-priority accounts are privileged users, remote access paths, and administrators of cloud and identity infrastructure. These are the accounts where compromise has the greatest potential impact and where phishing-resistant MFA delivers the most immediate risk reduction.

From that foundation, broader rollout to standard users, remote workers, and third-party contractors can proceed in phases. Modern identity platforms including Microsoft Entra ID, Okta, and Google Workspace all support FIDO2 security keys natively, and the deployment process is well-documented.

The practical considerations are manageable: provisioning workflows, backup key policies, and lost-key recovery procedures. Trust Panda's Yubico-certified engineers have helped organisations across multiple sectors work through exactly these questions, and we can assist New Zealand organisations at any stage of the process.

The Cost of Waiting

Every month that privileged and remote access accounts rely on SMS OTP or push-based MFA is a month where a targeted attacker with the right credentials and the right kit can bypass your second factor. The attack tools are cheap and the techniques are documented. The protection is available, proven, and increasingly expected by regulators, insurers, and enterprise customers who conduct security assessments of their suppliers.

Getting MFA right means using authentication that an attacker cannot phish. Hardware security keys are how you get there.

Browse the full YubiKey range at trustpanda.co.nz or contact our team to discuss deployment planning for your organisation.

Sales: sales@trustpanda.com
Support: support@trustpanda.com