I think you're so deep you don't see the forest for the trees. I doubt you are right about people getting compromised with MFA all the time. Especially with hard tokens. If you can substantiate that claim, I might learn something.
I see it all the time in incident response summaries.
It’s happened to our own customers many times. Standard “enter a few numbers” MFA is easy. Phishers collect it just like they get passwords. It raises the bar slightly. Hardware based MFA is a different situation. So it has to be qualified. But normal people logging into their bank accounts don’t have hardware MFA tokens. Most security professionals don’t even use them everywhere.
We run phishing simulations and red teams dozens of times a year for F500 and high tech firms. MFA tokens are never what saves someone. Ever. We always get in. Often with phishing or smishing.
I talk with many other folks that do red teams and phishing engagements. It’s of course anecdotal, but it’s a rather large and high impact customer set across people I know and our own customers.
It will save some people some of the time. But not like people think.
If my own deep experience and what I have seen in the field doesn’t convince you, that’s fine. I’m just sharing what I know to help people understand.