MFA: Strong but Not Infallible
Multi‑factor authentication (MFA) is a cornerstone of modern security. By requiring something you know (a password) and something you have (a token or device), it dramatically reduces the risk of compromised credentials. However, MFA is only as strong as the process used to issue and manage the second factor. For years, organizations relied on SMS codes, email links and push notifications to authenticate users. Attackers have adapted. Social‑engineering groups like Scattered Spider exploit the help desk to reset MFA devices or enroll new ones, rendering traditional MFA useless. Obsidian Security notes that attackers have figured out ways to subvert MFA in 70% of SaaS breaches. A single phone call can undo the protection of a sophisticated authentication system.
Scattered Spider’s MFA Bypass Tactics
Scattered Spider’s playbook targets the weakest link: people. Attackers collect personal information about their victims from social media, data breaches and internal directories. They then call the help desk posing as the employee, claiming that they have lost their phone or changed numbers. The Hacker News describes how scammers convincingly ask the agent to remove the existing MFA and allow enrollment of a new device. Attackers may ask to send the reset link to a different email or phone, thereby receiving the MFA reset themselves. Once they have a valid second factor, they perform a self‑service password reset and take over the account.
Scattered Spider also employs MFA fatigue. They bombard a victim with push notifications until the user approves one out of frustration. Attackers may call the victim and claim to be from IT support, instructing them to approve the push. Vishing, or voice phishing, is another tactic: attackers convince help‑desk agents to reset MFA by sounding urgent and authoritative. Generative AI tools allow them to clone voices, making impersonation even more convincing. SIM swapping enables attackers to steal phone numbers and intercept SMS codes. In each case, the attacker’s success depends on manipulating a human rather than defeating a technical control.
The Limits of Legacy MFA
Traditional MFA suffers from several weaknesses:
- Reliance on knowledge‑based authentication – Help‑desk agents often rely on security questions or one‑time codes to verify callers. As the SVMIC article notes, attackers gathered enough information about MGM and Caesars employees to answer security questions and request password and MFA resets. Knowledge‑based methods are ineffective when personal data is widely available.
- Insecure channels – SMS messages can be intercepted via SIM swaps or SS7 attacks. Email can be compromised through phishing. Push notifications rely on user vigilance and can be abused through MFA fatigue.
- Delegated enrollment – Many systems allow help‑desk agents to enroll or reset MFA devices on behalf of users. Attackers exploit this by convincing agents to send reset links to them. Industrial Cyber reports that the FBI observed Scattered Spider convincing help‑desk services to add unauthorized MFA devices.
- Uniform processes – Large organizations often use the same reset process for all accounts. As the Hacker News points out, this means attackers can target high‑privilege accounts and skip typical privilege‑escalation steps.
These limitations show that MFA alone is not enough to defend against social‑engineering attacks. Without robust identity verification and process controls, attackers can bypass MFA with a phone call.
The Verification Approach That Works
To defend against groups like Scattered Spider, organizations must verify identities before resetting MFA. Effective solutions combine technology, process and training:
- Secure identity proofing – When a user requests an MFA reset, require them to complete a verification via a secure app. They should scan a government ID, take a selfie and prove possession of the original device or a registered token. Nametag highlights that advanced identity verification technologies leverage AI and cryptography to prevent deepfakes. Document verification and liveness detection ensure that attackers cannot use stolen data or voice clones to impersonate employees.
- Phishing‑resistant MFA – Adopt FIDO2 passkeys and hardware tokens that bind authentication to the user’s device and cannot be replayed. Even if an attacker intercepts a code, they cannot use it without the private key stored on the device. Use biometric unlock on the device to add a third factor.
- Process controls – Implement scripts for help‑desk agents that require call‑backs to numbers on file and multi‑party approval for high‑privilege accounts. Deny requests to send reset links to new email addresses or phones unless the user has verified through the secure identity‑proofing process.
- Awareness and training – Educate employees about MFA fatigue and voice phishing. Encourage them to question unexpected requests and to report suspicious calls. Train help‑desk agents to detect urgency and to follow protocol even under pressure.
- Continuous monitoring – Monitor for abnormal patterns, such as multiple MFA resets or repeated help‑desk calls from the same number. Logging and analytics help detect social‑engineering attempts early.
- Zero‑trust philosophy – Treat every request as untrusted until proven otherwise. Combine contextual signals like device type, geolocation and recent activity when evaluating MFA resets.
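As an added illustration (not code from this post or from any vendor it names), the process controls and continuous‑monitoring checks above expressed as a single policy evaluation over help‑desk MFA reset requests. The contact directory, privileged‑account list, thresholds and the `ResetRequest`/`evaluate` names are constructed assumptions for the example.

```python
from dataclasses import dataclass

WINDOW = 24 * 3600          # assumption: 24-hour lookback for abnormal-pattern checks
MAX_RESETS_PER_USER = 1     # assumption: a second reset within the window is abnormal
MAX_CALLS_PER_NUMBER = 2    # assumption: a third call from one number within the window is abnormal

# Constructed directory of contact details on file for each user (not real data).
ON_FILE = {
    "alice": {"+15550000001", "alice@example.com"},
    "admin.bob": {"+15550000002", "bob@example.com"},
}
PRIVILEGED = {"admin.bob"}  # constructed: accounts that need multi-party approval

@dataclass
class ResetRequest:
    ts: int                  # epoch seconds when the help-desk call came in
    user: str
    caller_number: str       # number the caller dialled in from
    destination: str         # phone or email the reset link would be sent to
    identity_proofed: bool   # completed the secure-app identity proofing
    approvers: frozenset = frozenset()  # distinct approvers recorded for the request

def evaluate(req, history):
    """Return (decision, reasons); history holds earlier ResetRequest records."""
    hard, flags = [], []
    on_file = ON_FILE.get(req.user, set())
    # Process control: never send a reset to a new channel unless identity was proofed.
    if req.destination not in on_file and not req.identity_proofed:
        hard.append("reset destination not on file and identity not proofed")
    # Process control: an unknown caller number must be called back on a number on file.
    if req.caller_number not in on_file and not req.identity_proofed:
        hard.append("call-back to number on file required")
    # Process control: high-privilege accounts need multi-party approval.
    if req.user in PRIVILEGED and len(req.approvers) < 2:
        hard.append("multi-party approval required for privileged account")
    # Continuous monitoring: abnormal patterns inside the lookback window.
    recent = [h for h in history if 0 <= req.ts - h.ts <= WINDOW]
    if sum(h.user == req.user for h in recent) >= MAX_RESETS_PER_USER:
        flags.append("multiple MFA resets for this user in window")
    if sum(h.caller_number == req.caller_number for h in recent) >= MAX_CALLS_PER_NUMBER:
        flags.append("repeated help-desk calls from the same number")
    if hard:
        return "deny", hard + flags
    if flags:
        return "review", flags   # hold for a second agent before the reset goes out
    return "approve", []
```

A "deny" is never overridable by the agent on the call, which is the point of removing agent discretion; a "review" routes the ticket to a second person with the flagged reasons attached.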
Platforms like Trusona operationalize these principles. When a user calls the help desk, the agent sends a secure verification request. The user completes identity proofing on their phone, and the platform automatically approves or denies the reset. The process creates a tamper‑proof audit trail. By removing the agent’s discretion, Trusona prevents social‑engineering attacks that rely on convincing an agent to break protocol. The FBI recommends tightening help‑desk verification processes before adding devices or resetting MFA. Purpose‑built solutions implement this guidance and give organizations confidence that MFA resets are legitimate.
Conclusion
Scattered Spider has shown that traditional MFA can be defeated with a phone call. By exploiting help‑desk procedures and human psychology, attackers convince agents to reset MFA devices, enroll new devices and send reset links to unauthorized recipients. High‑profile breaches at MGM Resorts, Caesars Entertainment and other companies prove that the cost of MFA failure can be enormous. Legacy MFA methods that rely on knowledge‑based authentication, SMS codes and push notifications are insufficient. Organizations must adopt a verification‑first approach that combines secure identity proofing, phishing‑resistant MFA, strict process controls and ongoing training. Platforms like Trusona implement these measures, ensuring that when an MFA reset is requested, the person behind the request is the legitimate user. Only by addressing the human element can companies defend against Scattered Spider and similar social‑engineering threats.