79% of Breach Victims Had MFA Enabled: Why Better MFA Matters

7th May 2026

Thomas D’Eletto, Head of Product, Arculus

A World Passkey Day reflection on where authentication is headed, and why the direction is right

The 2024–2025 threat data tells a story that should make every CISO, product leader, and board member pay attention. AI hasn't just made attacks more sophisticated — it's made the entire legacy authentication model economically indefensible. And the industry has finally started responding the right way.

The legacy MFA problem is real

Let me be direct about what's failing: the authentication methods we've all leaned on for the past decade.

AI phishing now matches human experts at 95% less cost. A Harvard Kennedy School study tested AI-automated spear phishing against campaigns crafted by professional red teamers — both hit a 54% click-through rate, 4.5x higher than generic phishing baselines. IBM X-Force built a comparable AI campaign in 5 minutes and 5 prompts; their human red team spent 16 hours. Criminal tools like WormGPT now let anyone generate thousands of personalized spear-phishing emails for a fraction of what a single traditional campaign used to cost. SlashNext tracked a 703% surge in credential phishing in the second half of 2024, with 80% of malicious links being zero-day — generated moments before delivery.

The result: FBI IC3 data shows phishing losses jumped from $18.7M in 2023 to $70M in 2024. A 274% increase in a single year.

Here's what makes this particularly painful for security teams: the attacks aren't beating your MFA — they're routing around it. FRSecure analyzed 65 business email compromise incidents in 2024 and found that 79% of victims had MFA properly configured and turned on. Adversary-in-the-middle phishing kits like Tycoon 2FA — available on Telegram — intercept credentials and session tokens simultaneously, in real time. Microsoft sees roughly 40,000 token theft incidents per day, up 111% year-over-year. 

SMS is its own problem. UK fraud body Cifas reported a 1,055% surge in unauthorized SIM swaps in 2024. In Australia, 90% of SIM swap attacks now happen without any victim interaction. eSIM technology has compressed the attack window to under five minutes.

The underlying supply chain is enormous: 2.1 billion credentials stolen by infostealer malware in 2024 (Flashpoint), 17.3 billion stolen session cookies on the dark web (SpyCloud), and 94% of 19 billion exposed passwords reused across accounts (Cybernews). 

Every major threat report agrees on the direction

What's notable about reviewing a dozen major threat reports from 2024–2025 is how clearly they converge — not just on the problem, but on the solution.

CrowdStrike 2025 found that 79% of initial access attacks are malware-free — pure credential abuse. Their recommendation: mandate phishing-resistant MFA such as FIDO2 hardware keys.

Verizon's 2025 DBIR identifies credentials as the #1 initial access vector at 22% of all breaches, and adds something that should put the "just do more security training" argument to rest: phishing click rates are statistically "unaffected by training." Their recommendation is to deploy passwordless, phishing-resistant, device-bound MFA universally. 

IBM's 2024 Cost of a Data Breach report puts credential-based breaches at $4.81M each, with a 292-day containment timeline — the longest of any attack vector.

CISA (December 2024) stated plainly: "The only widely available phishing-resistant authentication is FIDO/WebAuthn." Microsoft, which blocks 600 million identity attacks per day, confirms phishing-resistant MFA stops over 99% of them.

The passkey movement is the right response — and it's working

This is where the story changes from alarming to genuinely encouraging.

The industry has found the answer: FIDO2-based authentication, increasingly delivered through passkeys. The market is moving fast. 87% of enterprises have deployed or are actively deploying passkeys. Google has 800 million accounts using passkeys with 2.5 billion sign-ins. The UAE Central Bank has mandated the elimination of SMS and email OTPs. NIST SP 800-63-4 requires phishing-resistant options at AAL2 and makes them mandatory at AAL3.

Passkeys eliminate the entire category of attack that's been dominating breach reports. There's no password to phish. No session token to intercept. No SMS code to SIM-swap. The credential is device-bound and cryptographically tied to the specific site — a phishing kit that intercepts a passkey authentication gets nothing it can replay. This is a structural change, not an incremental one.
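The property described above follows from two checks that are easy to see in code. As an added illustration, not part of the original article and not Arculus's own stack, here is a compact Go model of the WebAuthn assertion ceremony: the authenticator holds one private key per relying party ID and signs over rpIdHash plus a hash of the browser-supplied clientDataJSON (challenge, origin, ceremony type); the server verifies origin, consumes the challenge on first use, and checks the signature against the enrolled public key. The relying party "bank.example", the lookalike "bank-login.example", the names Authenticator, RelyingParty and RunScenarios, and the reduction of authenticatorData to its rpIdHash are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Assertion is the authenticator's reply: clientDataJSON plus an ECDSA signature over
// rpIdHash || SHA-256(clientDataJSON); only the rpIdHash part of authenticatorData is modelled.
type Assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

// signedDigest hashes what the authenticator signs and what the server independently re-derives.
func signedDigest(rpID string, cdJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return d[:]
}

// Authenticator models a device-bound credential store: one private key per RP ID, never exported.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Register creates a credential scoped to rpID and hands back only its public key.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[rpID] = k
	return &k.PublicKey
}

// Sign receives the RP ID the browser derived from the page's own origin; a credential scoped
// to "bank.example" does not exist for a lookalike domain, so nothing is signed for it.
func (a *Authenticator) Sign(rpID string, cdJSON []byte) (Assertion, error) {
	k, ok := a.keys[rpID]
	if !ok {
		return Assertion{}, fmt.Errorf("authenticator: no credential for rpId %q", rpID)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, k, signedDigest(rpID, cdJSON))
	return Assertion{ClientDataJSON: cdJSON, Signature: sig}, err
}

// RelyingParty is the server for one enrolled user: single-use challenges, one public key.
type RelyingParty struct {
	ID, Origin string
	pubKey     *ecdsa.PublicKey
	pending    map[string]bool // outstanding challenges, each consumed on first use
}

// NewChallenge returns 32 random bytes, base64url-encoded, remembered for exactly one use.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	c := base64.RawURLEncoding.EncodeToString(b)
	rp.pending[c] = true
	return c
}

// Verify runs the checks that make the credential phishing- and replay-resistant.
func (rp *RelyingParty) Verify(as Assertion) error {
	var cd map[string]string
	// The origin field is written by the browser, not by page script, so a proxy cannot dress it up.
	if json.Unmarshal(as.ClientDataJSON, &cd) != nil || cd["type"] != "webauthn.get" || cd["origin"] != rp.Origin {
		return fmt.Errorf("client data rejected: %s", as.ClientDataJSON)
	}
	if !rp.pending[cd["challenge"]] { // unknown, or already consumed by an earlier login
		return fmt.Errorf("challenge unknown or already used")
	}
	delete(rp.pending, cd["challenge"])
	if !ecdsa.VerifyASN1(rp.pubKey, signedDigest(rp.ID, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("signature does not cover this client data and RP ID")
	}
	return nil
}

// clientDataJSON is what a browser builds for a "get" ceremony on pageOrigin.
func clientDataJSON(challenge, pageOrigin string) []byte {
	b, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": pageOrigin})
	return b
}

// RunScenarios enrolls one authenticator at the constructed relying party "bank.example" and
// returns each scenario's verdict; a nil error means the login was accepted.
func RunScenarios() (legitimate, replayed, phished error) {
	rp := &RelyingParty{ID: "bank.example", Origin: "https://bank.example", pending: map[string]bool{}}
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp.pubKey = auth.Register(rp.ID)
	// Genuine origin, fresh challenge: accepted.
	as, err := auth.Sign(rp.ID, clientDataJSON(rp.NewChallenge(), rp.Origin))
	if err != nil {
		panic(err)
	}
	legitimate = rp.Verify(as)
	// The same assertion submitted again: its challenge was consumed above, so it is rejected.
	replayed = rp.Verify(as)
	// A proxy page on a lookalike origin relays a genuine challenge, but the browser scopes the
	// request to the lookalike's RP ID, for which the authenticator holds no key: nothing to relay.
	_, phished = auth.Sign("bank-login.example", clientDataJSON(rp.NewChallenge(), "https://bank-login.example"))
	return legitimate, replayed, phished
}

func main() { fmt.Println(RunScenarios()) }
```

Running it prints three verdicts: the genuine login is accepted, the replay of the same assertion fails because the challenge was single-use, and the lookalike origin never obtains an assertion at all, because the browser scopes the request to the RP ID of the page the user is actually on. What this ceremony does not cover is a session cookie lifted from an already-infected endpoint after a successful login; that is the infostealer figure cited earlier, and it is addressed by endpoint hygiene and session controls rather than by the authentication step itself.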

For World Passkey Day, that's worth celebrating clearly: the authentication industry has identified the right direction and the adoption curve is real.

Hardware-backed FIDO2: the strongest expression of the passkey model

Where the conversation gets more nuanced is in the spectrum of passkey implementations.

Synced passkeys — the kind that back up to iCloud Keychain, Google Password Manager, or a cross-platform credential manager — bring phishing resistance to hundreds of millions of users with zero behavior change. That's a significant and legitimate win. They're dramatically better than passwords and SMS OTP, and they're the right default for most consumer scenarios.

Hardware-backed FIDO2 takes the same cryptographic foundation and adds a physical security boundary. The private key never leaves the secure element — it can't be synced, exported, or extracted. Authentication requires physical possession of the device. For high-value transactions, regulated industries, enterprise access, and scenarios where the cost of a compromised credential is severe, that physical attestation changes the risk calculus in ways that software alone can't replicate.

This isn't an argument against synced passkeys — it's an argument for deploying the right level of hardware assurance for the right use case, and for making that hardware layer as frictionless as possible.

The deployment gap

The honest challenge facing the industry right now isn't technical — it's deployment. The gap between "theoretically phishing-resistant" and "actually deployed at scale to real customers" is where most authentication strategies stall.

For enterprise employees, FIDO2 hardware keys are a known, manageable deployment. For retail banking customers, fintechs, and consumer-facing businesses trying to extend phishing-resistant authentication to millions of end users, the friction of a separate security key is a real barrier.

That's the problem Arculus Authenticate was built to solve. Our platform deploys FIDO2 on cards — including the payment cards banks and fintechs are already issuing — so phishing-resistant authentication reaches customers in the form factor they already carry. For enterprise environments, we offer both card-based authenticators and USB-A/C devices with FIPS 140-3 validated cryptographic modules and chip-level attestation. The full stack — hardware, FIDO applet, FIDO server, SDK — is designed for institutions that need to close the deployment gap without asking users to change their behavior.

Where this goes

The threat data is in, and so is the response. Passkeys are the right direction. FIDO2 is the right foundation. The work now is deployment — getting phishing-resistant authentication to every user who needs it, at every risk tier, in the form factor that actually gets used.

The organizations that move fast on this in the next 18 months will separate themselves from the ones still explaining to their boards credential breaches that came in through methods they'd already been warned about.

The question isn't whether to make the shift. It's how quickly you can close the gap.