Your MFA Strategy Just Became Your Biggest Liability
What the Stryker attack revealed about device-dependent MFA — and what phishing-resistant authentication actually means in an era of AiTM session theft.

What the Stryker attack revealed about the authentication architecture most organizations are still running — and what actually works when everything else fails.
On March 11, 2026, Stryker Corporation discovered what happens when the security system you built to protect your organization becomes the weapon used against it. Attackers gained administrative credentials and used them to trigger a global factory reset across approximately 80,000 devices in 79 countries — no malware, no zero-day exploit, no sophisticated intrusion technique. Just authentication architecture that wasn't built to withstand what came next.
Multi-factor authentication was active. It did exactly what it was configured to do. And the attackers got in anyway.
This is the new reality of device-dependent MFA: a security architecture that closes one door while leaving several others open. Understanding the gap — and what phishing-resistant authentication actually means — is the most urgent identity security decision your organization can make right now.
Why device-dependent MFA failed at Stryker
Device-dependent MFA — the standard authentication model built around SMS codes, authenticator app one-time passwords, and push notifications — was designed assuming one thing: that the authentication event itself is where attackers strike.
Adversary-in-the-middle (AiTM) attacks break that assumption entirely. In an AiTM attack, the user completes a genuine MFA challenge. The attacker, operating a transparent proxy between the user and the identity provider, captures the session token that's issued afterward. There is nothing to intercept at authentication because the attacker isn't there for the authentication — they're there for what comes after it.
This is the mechanism most consistent with the Stryker attack. Threat intelligence identified 278 sets of compromised Stryker credentials between October 2025 and March 2026, with 83 credential exposure events linked to 31 unique email accounts in the five weeks before the attack. Microsoft had enforced MFA on administrative accounts in late 2025. Yet the attacker reached Global Administrator level and issued mass device wipe commands through Microsoft Intune. Session token theft after MFA completion is the most likely explanation — though the initial access vector was not publicly confirmed by Stryker or CISA.
Threat intelligence confirmed by Specops/Outpost24 and Stryker's SEC 8-K filings, March 2026.
The four ways attackers bypass standard MFA
1. Adversary-in-the-Middle (AiTM) session token theft
Phishing-as-a-Service toolkits — Evilginx and others — are now sold pre-configured for AiTM attacks. The attacker hosts a convincing replica of a login page that proxies requests to the real identity provider in real time. The user authenticates successfully. The attacker captures the resulting session token and uses it without ever touching the MFA step. Microsoft reported over 10,000 organizations targeted by AiTM campaigns in 2023–2024, with attacks increasing a further 46 percent in 2025.
Microsoft Digital Defense Report, 2024.
2. MFA fatigue attacks
After obtaining valid credentials, attackers trigger continuous push notification requests until the user approves one just to stop the interruption. Research indicates approximately 25 percent of attacks now use this technique. Verizon's 2025 Data Breach Investigations Report documented a 217 percent year-over-year increase in MFA fatigue incidents. Lapsus$ used this method against Uber — contacting the target via WhatsApp posing as IT support and instructing them to accept the prompt. Cisco was compromised via voice phishing combined with repeated push notifications.
Verizon 2025 Data Breach Investigations Report.
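The burst-then-approve pattern described above is detectable in push-notification logs. The following is an added example (not code from the original article or from any MFA product) that runs over a constructed sample log: it flags users who received a threshold number of push prompts inside a short window and marks whether an approval followed the burst, which is the event a SOC should treat as a probable compromised credential rather than a successful login. The log format, user names and IP addresses are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push-MFA log (not from any real product): time, user, event, source IP.
SAMPLE_LOG = """\
2026-03-10T02:14:03Z alice push_sent 203.0.113.9
2026-03-10T02:14:21Z alice push_denied 203.0.113.9
2026-03-10T02:14:40Z alice push_sent 203.0.113.9
2026-03-10T02:15:05Z alice push_sent 203.0.113.9
2026-03-10T02:15:30Z alice push_denied 203.0.113.9
2026-03-10T02:15:55Z alice push_sent 203.0.113.9
2026-03-10T02:16:20Z alice push_sent 203.0.113.9
2026-03-10T02:16:50Z alice push_sent 203.0.113.9
2026-03-10T02:18:02Z alice push_approved 203.0.113.9
2026-03-10T09:01:00Z bob push_sent 198.51.100.4
2026-03-10T09:01:12Z bob push_approved 198.51.100.4
"""

THRESHOLD = 5                    # prompts inside the window that count as a burst
WINDOW = timedelta(minutes=10)


def parse_line(line):
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def find_fatigue_bursts(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {user: {"prompts": n, "approved_after_burst": bool}} for users who
    received `threshold` or more prompts inside `window`. An approval after such
    a burst is the high-priority signal: the user may have tapped Approve to make
    the prompts stop, which is exactly the outcome the attacker needs."""
    recent = defaultdict(list)   # user -> prompt timestamps still inside the window
    flagged = {}
    for line in log_text.strip().splitlines():
        ts, user, event, _ip = parse_line(line)
        if event == "push_sent":
            recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
            if len(recent[user]) >= threshold:
                entry = flagged.setdefault(user, {"prompts": 0, "approved_after_burst": False})
                entry["prompts"] = max(entry["prompts"], len(recent[user]))
        elif event == "push_approved" and user in flagged:
            flagged[user]["approved_after_burst"] = True
    return flagged
```

In the sample, alice's six prompts in under three minutes followed by an approval are flagged, while bob's single prompt and approval are normal and not reported.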
3. SIM swap attacks
Attackers social-engineer mobile carriers into transferring a victim's phone number to a controlled SIM card. All SMS-based MFA codes then route to the attacker. The FBI documented this vector scaling from $12 million in losses across 320 incidents between 2018 and 2020 to $68 million across 1,611 incidents in 2021 alone — a five-fold increase in a single year.
FBI Internet Crime Complaint Center, February 2022.
4. Authentication downgrade
When phishing-resistant methods allow fallback to weaker ones, attackers trigger the fallback. A FIDO2 hardware key deployment that still permits SMS as a backup provides roughly the same protection as SMS alone — because attackers exploit the weakest available path, not the strongest.
What phishing-resistant MFA actually means
Phishing-resistant MFA is not a stronger version of standard MFA — it is a different architecture. Authentication is phishing-resistant when it is cryptographically bound to the specific domain of the legitimate service. A proxy positioned between the user and the identity provider cannot capture and replay the authentication because there is nothing reusable to steal.
CISA designates two approved implementations as phishing-resistant: FIDO2/WebAuthn authentication and PKI-based certificate authentication. FIDO2 security keys and passkeys — including Windows Hello for Business, Apple Face ID, and device-bound passkeys — meet this standard. Each creates a unique cryptographic pair per origin: the authentication response is mathematically impossible to replay against a different domain.
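To make the origin-binding point concrete, here is an added example (not code from the article, from CISA, or from any FIDO implementation) that models the part of a WebAuthn assertion that defeats a proxy. It is deliberately simplified: a real authenticator signs with an ECDSA private key and the relying party verifies with the registered public key; here an HMAC key shared by both stands in for that key pair so the example needs only the standard library. The relying-party ID, origins and challenge are constructed. The model shows why an assertion produced while the browser is on a lookalike domain is rejected, and why a captured assertion cannot be replayed against a fresh challenge.

```python
import hashlib
import hmac
import json
import secrets

# Simplified WebAuthn-style model (added here; not the page's or any vendor's code).
# A real authenticator signs with an ECDSA private key and the relying party (RP)
# verifies with the stored public key; an HMAC key shared by both stands in here.

class Authenticator:
    def __init__(self):
        self._credentials = {}  # rpId -> per-credential key created at registration

    def register(self, rp_id):
        key = secrets.token_bytes(32)
        self._credentials[rp_id] = key
        return key  # the RP stores this in place of a public key

    def sign(self, rp_id, challenge, origin):
        # The browser, not the user, records the origin it is actually connected to.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        to_sign = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
        sig = hmac.new(self._credentials[rp_id], to_sign, hashlib.sha256).digest()
        return {"client_data": client_data, "signature": sig}

def verify_assertion(assertion, stored_key, rp_id, expected_origin, expected_challenge):
    # Origin and challenge sit inside the signed clientData: a proxy cannot rewrite
    # them without breaking the signature, and cannot sign without the key.
    client_data = json.loads(assertion["client_data"])
    if client_data.get("origin") != expected_origin:
        return False  # produced while the browser was on a different site
    if client_data.get("challenge") != expected_challenge:
        return False  # stale or replayed response
    to_sign = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(stored_key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def demo():
    rp_id, origin = "login.example.com", "https://login.example.com"  # constructed
    auth = Authenticator()
    key = auth.register(rp_id)
    challenge = secrets.token_hex(16)
    genuine = auth.sign(rp_id, challenge, origin)
    # AiTM case: the browser is on the attacker's lookalike host, so that is the origin
    # it records (a real browser would not even offer the credential for that domain).
    proxied = auth.sign(rp_id, challenge, "https://login-example.com")
    return (verify_assertion(genuine, key, rp_id, origin, challenge),
            verify_assertion(proxied, key, rp_id, origin, challenge))
```

demo() returns (True, False): the genuine assertion verifies and the proxied one is rejected on the origin check before the signature is even examined.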
This is the architecture Stryker's administrative accounts needed. It is the architecture CISA explicitly recommended in Advisory AA26-077A following the attack.
Phishing-resistant MFA isn't stronger MFA. It's a different architecture — one that makes session token theft structurally impossible.
The coverage gap device-dependent MFA left behind
Device-dependent MFA was designed for knowledge workers with managed corporate devices. That is a fraction of most organizations' actual workforce.
In manufacturing, healthcare, retail, logistics, and field services — industries that represent the majority of global employment — large portions of the workforce are frontline or deskless workers who have never been issued managed corporate devices. The standard MFA deployment model was never designed for the nurse at a shared terminal, the factory floor operator, the field service technician, or the contractor working across sites.
The practical result: most organizations issued exemption policies rather than solving the underlying authentication problem for these workers. The industry solved MFA for knowledge workers with devices, declared the problem solved, and moved on. That exemption population is now a systematic attack surface.
Avatier's Identity Challenge Card was built specifically to close this gap — air-gapped, deviceless MFA that covers every worker, including the ones device-dependent solutions leave behind.
CISA strongly urges all organizations to implement phishing-resistant MFA as part of Zero Trust principles, explicitly noting that SMS and voice-based MFA methods are vulnerable to SS7 protocol exploitation and SIM swap attacks that allow threat actors to bypass MFA entirely.
CISA phishing-resistant MFA guidance.
The controls that would have stopped the Stryker attack
Multi Admin Approval for destructive actions
Microsoft Intune's Multi Admin Approval feature requires a second administrator to explicitly approve high-impact actions — device wipes, script deployments, RBAC modifications — before they execute. This feature existed before March 11, 2026. It was not configured at Stryker. With it enabled, the attackers would have needed to compromise two independent administrator accounts and coordinate approvals simultaneously — a substantially harder problem. CISA's post-incident advisory specifically identified enabling Multi Admin Approval as a priority mitigation.
CISA Advisory AA26-077A; Microsoft Intune hardening guidance, March 2026.
Privileged Identity Management with no standing admin rights
Privileged Identity Management (PIM) enables just-in-time administrator access. Rather than permanent Global Administrator assignments, administrators request elevation for specific tasks, receive time-limited approval, and access automatically expires. A compromised credential that cannot self-elevate to Global Admin without triggering an approval workflow is dramatically less useful to an attacker.
Phishing-resistant MFA on privileged accounts
FIDO2 security keys or device-bound passkeys on all privileged administrator accounts close the AiTM attack vector where blast radius is highest. The typical cost of $50–$100 per hardware key is a fraction of the cost of a single serious incident.
The test nobody runs
Most organizations run tabletop exercises where everything works. They simulate a breach in a conference room with the network up, identity systems running, and everyone cooperative. Then they declare themselves ready.
The test that matters is the one nobody runs: take your identity system offline. Wipe the devices. Assume the network is compromised. Now try to authenticate a user through your service desk.
That test reveals whether your fallback authentication exists as a real, independent system — or whether it only exists on the assumption that your primary infrastructure will never fail. At Stryker, when devices were wiped and identity systems were unreliable, that assumption failed.
The Change Healthcare parallel
The Change Healthcare breach established the financial scale of a single MFA gap at critical infrastructure. Attackers used stolen credentials to access a Citrix remote access portal with no multi-factor authentication. UnitedHealth CEO Andrew Witty confirmed in congressional testimony that the missing MFA was the foundational failure. The total cost to UnitedHealth reached $3.09 billion by end of 2024 — making it the most expensive MFA gap in recorded history.
UnitedHealth CEO congressional testimony, May 2024.
The pattern at Stryker was different in mechanism — AiTM session token theft rather than absent MFA — but identical in root cause: authentication architecture that assumed the controls were adequate because they technically existed.
What phishing-resistant MFA demands from your architecture
Deploying phishing-resistant MFA requires answering four architectural questions honestly:
Does authentication work when your identity provider is down? If your fallback depends on network connectivity or cloud services, it will fail precisely when you need it most.
Can your service desk verify identity without touching systems an attacker might control? Verification that requires database lookups, API calls, or manager approvals through potentially compromised channels provides no real security during an active incident.
Does every credential have forced lifecycle governance? Phishing-resistant authentication is only as strong as the process for issuing, expiring, revoking, and re-enrolling credentials. A credential that gets issued and never tracked becomes unauthorized access waiting to happen.
Does your authentication architecture cover your entire workforce? Deviceless MFA — authentication that doesn't require a managed corporate device — is a requirement for any workforce with frontline, deskless, or contractor populations. If your MFA deployment requires exemption policies for large groups, those exemptions are your attack surface.
The structural correction
The Stryker attack didn't reveal a weakness in Microsoft Intune. It revealed a weakness in the assumption that device-dependent MFA, properly deployed, closes the authentication problem.
It doesn't.
Multi Admin Approval could have stopped the Stryker attack. Phishing-resistant MFA on administrative accounts could have prevented the initial access. Privileged Identity Management with no standing Global Admin rights could have limited the blast radius even with a compromised credential. None of these are new capabilities. All of them existed before March 11, 2026. The gap wasn't the technology. It was the configuration.
The moment you treat authentication as something that must work when everything else fails, you stop building systems that depend on everything working.
Security achieves legitimacy when it reduces user effort, not when it increases it. The organizations that survive the next serious incident will be the ones that built authentication infrastructure assuming failure — not infrastructure that assumes the network, the identity provider, and the devices will all cooperate.
The question isn't whether your MFA will be tested. The question is whether it will still work when the test comes.
Frequently asked questions
What is an Adversary-in-the-Middle (AiTM) attack?
An AiTM attack uses a transparent proxy between the user and the legitimate identity provider. The user completes MFA on what looks like the real login page, but the attacker captures the session token that's issued afterward and reuses it to access the account — without ever needing to bypass the MFA challenge itself. Microsoft reported over 10,000 organizations targeted by AiTM campaigns in 2023–2024, with attacks increasing a further 46 percent in 2025.
Why didn't MFA stop the Stryker attack?
Stryker's administrative accounts had MFA enforced, but device-dependent MFA only protects the authentication event itself. AiTM attacks bypass that by stealing the session token issued after a successful login. Threat intelligence identified 278 sets of compromised Stryker credentials between October 2025 and March 2026 — meaning the credential exposure that fed the attack predated the device-wipe event by months.
What is phishing-resistant MFA?
Phishing-resistant MFA is authentication cryptographically bound to a specific domain. CISA recognizes two implementations: FIDO2/WebAuthn (security keys, passkeys, Windows Hello for Business, Apple Face ID) and PKI-based certificate authentication. Because the authentication response is mathematically unique to the origin, an attacker proxying a fake login page cannot capture and replay it.
What's the difference between FIDO2 and standard MFA?
Standard MFA layers a second factor (a code, push notification, or SMS) onto a password-based authentication flow. FIDO2 replaces that flow entirely with a cryptographic challenge bound to the domain. The result is structurally immune to phishing — there is nothing reusable for an attacker to steal.
What is Multi Admin Approval in Microsoft Intune?
Multi Admin Approval requires a second administrator to explicitly approve high-impact actions — device wipes, script deployments, RBAC changes — before they execute. Microsoft released the feature before the Stryker attack; it was not configured at Stryker. CISA's post-incident advisory recommended enabling it as a priority mitigation.
How much did the Change Healthcare breach cost?
$3.09 billion in total costs to UnitedHealth by end of 2024, per CEO Andrew Witty's congressional testimony in May 2024. The root cause was a Citrix remote access portal that had no multi-factor authentication. It is the most expensive MFA gap in recorded history.
Why doesn't standard MFA work for frontline and shared-device workers?
Device-dependent MFA was designed for knowledge workers with managed corporate devices. Frontline and shared-device populations — manufacturing, healthcare, retail, logistics, field services — often have no company smartphone, no managed device, and no individual workstation. Most organizations issued exemption policies rather than solving the underlying authentication problem, and those exemptions are now a systematic attack surface.
What is Privileged Identity Management (PIM)?
PIM enables just-in-time administrator access. Instead of permanent Global Administrator assignments, administrators request elevation for specific tasks, receive time-limited approval, and access automatically expires. A compromised credential that cannot self-elevate to Global Admin without triggering an approval workflow is dramatically less useful to an attacker.
About the author

Shubhang Malik writes about identity security architecture, authentication failure modes, and the operational gap between deployed MFA and effective MFA.