Why traditional MFA no longer works — and what comes next
- privalinkinvestmen
- Jul 29
- 1 min read
Multi-factor authentication (MFA) has long been the standard for protecting digital identities. But in today’s landscape of phishing, SIM swapping, and AI-driven fraud, classic MFA methods like SMS codes and push notifications are no longer enough. They're not only vulnerable — they also frustrate users.
Common MFA methods are bypassed by well-understood attacks. A one-time code, whether sent by SMS or generated by an app, can be phished in real time: an adversary-in-the-middle proxy shows the victim a copy of the login page and relays the code to the real site before it expires. MFA fatigue (push bombing) floods a user with approval prompts until one is accepted by mistake or just to make them stop. SIM swapping redirects SMS codes to a phone the attacker controls. Issuing, recovering and revoking tokens also adds operational overhead, and the recovery path is often weaker than the factor it bypasses. Even hardware security keys, while effective against these attacks, bring usability and support costs: purchasing, enrolment, lost-key recovery and help-desk procedures.
AI-generated fake identities and deepfakes now threaten the integrity of hiring and onboarding processes, where a video call or a scanned ID is accepted as proof of who someone is. Legacy systems were not built to detect or prevent this level of deception.
Next-generation authentication relies on FIDO2 and WebAuthn: a private key is generated and kept on the user's device (or a security key) and never leaves it, the relying party stores only the matching public key, and each login is a signature over a fresh challenge that is bound to the site's origin, so a phishing page on another domain cannot obtain a response the real site will accept. Identity wallets let users hold and reuse digital credentials without handing over the underlying personal data each time. A few key principles:
- No more SMS codes: move to passkeys, with biometrics that include liveness detection wherever a face or fingerprint is used.
- Verify once, reuse everywhere: a credential issued after one strong identity verification can be presented across systems instead of re-enrolling in each.
- Continuous authentication: trust is re-evaluated during the session from behaviour, risk signals and device context, not only at login.
- Decentralized identity: credentials are held by the user rather than in a single central store, so there is no one database whose breach exposes everyone.
- Deepfake-proofing: biometric checks must confirm that a live, present person is in front of the sensor, not a replayed or synthesized image.
