Passkeys vs SMS vs Authenticator Apps: 2026 MFA

Your MFA is on. You feel protected. And attackers are counting on that confidence.

Here's the uncomfortable truth heading into 2026: multi-factor authentication is no longer a binary — you either have it or you don't. The method you're using matters enormously. And right now, the two most common MFA methods deployed by small businesses are being actively defeated in the wild.

The Attacks Are Already Happening

According to The Hacker News, attackers are bypassing push-notification and SMS-based second factors through MFA prompt bombing — a technique where threat actors flood a user with authentication requests until exhaustion or confusion causes them to approve a fraudulent one. This isn't theoretical. It's documented, repeatable, and being used against real organizations right now.

Meanwhile, The Hacker News also reported on an active Microsoft-flagged campaign using social engineering to redirect users to cryptojacking malware sites — reinforcing that the human layer remains the most exploitable surface. SMS codes, which travel over carrier networks and can be intercepted or socially engineered, are particularly vulnerable in this environment.

This is why Microsoft is deprecating SMS as an MFA option for many Microsoft 365 scenarios. The question is no longer "should we use MFA?" It's "which MFA won't get us breached?"

Ranked: MFA Methods From Weakest to Strongest

3. SMS One-Time Codes (Avoid Where Possible)

SMS codes were a meaningful upgrade over passwords alone — five years ago. Today they're the lowest rung on the MFA ladder.

Why they're weak:
- Vulnerable to SIM swapping (attackers convince your carrier to transfer your number)
- Interceptable via SS7 protocol attacks on carrier infrastructure
- Easily defeated by real-time phishing proxies that relay the code before it expires
- Susceptible to social engineering — a convincing caller can get an employee to read the code aloud

When you might still use them: For low-risk, non-Microsoft accounts where no better option exists. Never for admin accounts. Never for email access. Never for anything touching financial systems or sensitive data.

If you're a government contractor working toward CMMC Level 1, SMS codes will not satisfy phishing-resistant MFA requirements — start planning your migration now. Our CMMC Level 1 compliance guide walks through what's actually required.

2. Authenticator Apps (TOTP) — Good, But Not Phishing-Resistant

Time-based one-time passwords (TOTP) generated by apps like Microsoft Authenticator, Google Authenticator, or Authy are meaningfully better than SMS. The code is generated on-device, never transmitted over a carrier network, and changes every 30 seconds.

Why they're better:
- No SIM swap risk
- No carrier interception
- Works offline

Why they're still not enough in 2026:
- Vulnerable to real-time phishing: an attacker's proxy site can relay your TOTP code to the real site before it expires
- Push notification variants (approve/deny prompts) are the primary target of MFA prompt bombing attacks
- Still depends on the user not being deceived

For most small businesses not yet ready to move to passkeys, TOTP authenticator apps are the right intermediate step — especially if you disable push approvals in favor of number-matching or code entry. But treat them as a stepping stone, not a destination.

1. Passkeys — Phishing-Resistant by Design

Passkeys are the method Microsoft, Apple, and Google are all pushing toward — and for good reason. They use public-key cryptography tied to a specific device and a specific website domain.

Why passkeys win:
- The credential is cryptographically bound to the legitimate site's domain — a phishing site cannot receive or replay it
- Nothing is transmitted that an attacker can intercept
- No shared secret exists to steal, SIM swap, or socially engineer
- Satisfies FIDO2/WebAuthn phishing-resistant MFA requirements

The practical reality for small businesses: Passkey support in Microsoft 365 and Entra ID has matured significantly. Windows Hello for Business, FIDO2 security keys (like YubiKeys), and platform passkeys on iOS and Android are all viable deployment paths. The setup takes planning, but the operational overhead once deployed is actually lower — users authenticate faster and support tickets drop.

If you're managing Microsoft 365 for clients or your own org, the migration path looks like this: disable SMS → enforce TOTP with number matching → pilot passkeys for admin accounts → roll out broadly.

For context on how attackers are already exploiting weaker Microsoft 365 authentication paths, see our breakdown of device code phishing and MFA bypass in Microsoft 365 — it illustrates exactly why phishing-resistant methods aren't optional anymore.

What Small Business IT Admins Should Do Right Now

  1. Audit your current MFA methods — pull a report from Entra ID or your identity provider showing which authentication methods each user has registered
  2. Disable SMS for admin and privileged accounts immediately — this is the highest-risk exposure
  3. Enable number matching on push notifications if you're staying on authenticator apps in the short term — this alone significantly reduces prompt bombing success rates
  4. Pilot passkeys for IT and admin staff first — work out the deployment kinks before a broad rollout
  5. Block legacy authentication protocols — MFA is irrelevant if an attacker can authenticate via SMTP or IMAP without triggering it
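Steps 1, 2 and 4 of the checklist start from one artifact: the registration report. The following is an added example, not tooling from the original post or from Microsoft, that triages such a report in Node. The record shape and method names are modelled on Microsoft Graph's `reports/authenticationMethods/userRegistrationDetails` resource, but the field names, method labels and the optional `fetchRegistrationDetails` helper are assumptions to check against your own tenant's output; the sample records are constructed.

```javascript
'use strict';
// Added example, not tooling from the original post or from Microsoft.
// Triages an MFA registration report for steps 1, 2 and 4 of the checklist.
// Field and method names mirror Graph's userRegistrationDetails resource but
// are assumptions: confirm them against your tenant's actual output.

// Ranking assumed from the post: SMS/voice < authenticator app < passkey.
const METHOD_RANK = {
  mobilePhone: 1,                 // SMS or voice call
  alternateMobilePhone: 1,
  email: 1,
  softwareOneTimePasscode: 2,     // TOTP app
  microsoftAuthenticatorPush: 2,  // push; assumes number matching is enforced
  windowsHelloForBusiness: 3,
  fido2SecurityKey: 3,
  passKeyDeviceBound: 3,
};
const LABEL = ['none', 'sms/email', 'authenticator app', 'passkey'];
const SMS_METHODS = ['mobilePhone', 'alternateMobilePhone'];

// Constructed sample records in the shape of a Graph response page.
const SAMPLE = [
  { userPrincipalName: 'admin@contoso.example', isAdmin: true,
    methodsRegistered: ['mobilePhone', 'microsoftAuthenticatorPush'] },
  { userPrincipalName: 'ops@contoso.example', isAdmin: true,
    methodsRegistered: ['fido2SecurityKey', 'softwareOneTimePasscode'] },
  { userPrincipalName: 'sales@contoso.example', isAdmin: false,
    methodsRegistered: ['mobilePhone'] },
  { userPrincipalName: 'new@contoso.example', isAdmin: false, methodsRegistered: [] },
];

function strongest(methods) {
  return methods.reduce((best, m) => Math.max(best, METHOD_RANK[m] ?? 0), 0);
}

// One row per user, with the checklist step that applies to them.
function triage(records) {
  return records.map((r) => {
    const methods = r.methodsRegistered || [];
    const best = strongest(methods);
    const hasSms = methods.some((m) => SMS_METHODS.includes(m));
    const findings = [];
    if (best === 0) findings.push('no MFA registered');
    if (hasSms) findings.push(r.isAdmin
      ? 'admin with SMS registered: remove now (step 2)'
      : 'SMS registered: plan removal');
    if (r.isAdmin && best < 3) findings.push('admin without passkey: pilot candidate (step 4)');
    return { user: r.userPrincipalName, isAdmin: !!r.isAdmin, strongest: LABEL[best], findings };
  });
}

// Tenant-level numbers worth tracking as the migration progresses.
function summarize(records) {
  const rows = triage(records);
  return {
    users: rows.length,
    unregistered: rows.filter((x) => x.strongest === 'none').length,
    adminsOnSms: rows.filter((x) => x.isAdmin && x.findings.some((f) => f.startsWith('admin with SMS'))).length,
    anyoneOnSms: rows.filter((x) => x.findings.some((f) => f.includes('SMS'))).length,
    passkeyReady: rows.filter((x) => x.strongest === 'passkey').length,
  };
}

// Optional live pull over the network (assumed: Node 18+ global fetch, a Graph
// access token with the reporting permission your tenant requires, and
// @odata.nextLink paging). Not called by the sample run below.
async function fetchRegistrationDetails(token) {
  let url = 'https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails';
  const records = [];
  while (url) {
    const res = await fetch(url, { headers: { Authorization: `Bearer ${token}` } });
    if (!res.ok) throw new Error(`Graph request failed: ${res.status}`);
    const page = await res.json();
    records.push(...page.value);
    url = page['@odata.nextLink'];
  }
  return records;
}

console.table(triage(SAMPLE));
console.log(summarize(SAMPLE));
```

Run it weekly during the migration and watch `adminsOnSms` reach zero first, then `anyoneOnSms`; the `passkeyReady` count is your pilot-to-rollout progress. If your identity provider is not Entra ID, keep `triage` and `summarize` and replace only the record mapping.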

And don't overlook the offboarding angle: MFA credentials registered to departed employees are a persistent access risk. Our employee offboarding security checklist covers how to handle authentication credential cleanup properly.

The Bottom Line

MFA is not a checkbox. In 2026, the method you choose determines whether your second factor actually stops an attacker or just slows them down by 30 seconds. SMS codes are being deprecated because they don't work against modern attacks. Authenticator apps are solid if configured correctly but still fall short against real-time phishing. Passkeys are where you need to be heading — and the path to get there is clearer than it's ever been.

Start the migration. Prioritize admin accounts. Don't wait for a breach to make the decision for you.


Take Action

Strong MFA is one layer — but it's not the whole picture. Attackers who can't get in through your login page will look for unpatched vulnerabilities, misconfigured services, and exposed credentials elsewhere in your environment. Proactive scanning catches those gaps before attackers find them.

Oscar Six Security's Radar gives small businesses and MSPs an affordable way to stay ahead of those exposures for just $99 per scan. You handle the MFA migration. We'll help you see what else is sitting in the open.

Focus Forward. We've Got Your Six.

Frequently Asked Questions

Is SMS authentication still safe for small businesses in 2026?

No — SMS-based MFA is actively being bypassed through SIM swapping, SS7 interception, and real-time phishing proxies that relay codes before they expire. Microsoft is deprecating SMS as an MFA option for this reason. Small businesses should migrate to authenticator apps at minimum, with passkeys as the target destination.

What is the most secure MFA method for Microsoft 365?

Passkeys using FIDO2/WebAuthn — including Windows Hello for Business, hardware security keys like YubiKeys, or platform passkeys on iOS and Android — are the most secure MFA method for Microsoft 365 in 2026. They are phishing-resistant by design because the credential is cryptographically bound to the legitimate site's domain and cannot be intercepted or relayed.

What is MFA prompt bombing and how do I stop it?

MFA prompt bombing is an attack where threat actors flood a user with push notification approval requests until the user approves one out of exhaustion or confusion. You can mitigate it by enabling number matching on push notifications, setting fraud alert thresholds, and ultimately migrating to passkeys which eliminate the push approval vector entirely.

Do passkeys work with Microsoft 365 for small businesses?

Yes — Microsoft Entra ID supports FIDO2 passkeys, Windows Hello for Business, and platform passkeys on mobile devices. Deployment requires some planning but is well within reach for small business IT admins. Starting with admin accounts and IT staff before a broad rollout is the recommended approach.

How much does it cost to audit my Microsoft 365 MFA configuration?

Reviewing MFA registration reports in Entra ID is free and takes less than an hour for most small businesses. However, identifying broader security gaps — misconfigured services, exposed credentials, unpatched vulnerabilities — requires a more comprehensive scan. Oscar Six Security's Radar offers vulnerability scanning for $99 per scan, giving small businesses an affordable way to find what attackers would find before they do.