Passwords, MFA, and why neither is enough

Passwords weren’t enough, so we added MFA. Now MFA isn’t enough either. In this Help Net Security video, Karlo Zatylny, CTO/CISO at Portnox, walks through why each layer of identity security has failed and what comes next.

SMS codes can be intercepted through SIM swapping. Authenticator apps are vulnerable to replay attacks and push bombing. And even when MFA works correctly, session hijacking can let attackers impersonate a user after authentication is complete.

The solution is a third layer built on FIDO2, WebAuthn, and hardware-backed certificates. Instead of relying on a session token alone, each request gets signed with a private key stored in hardware. This makes credential theft far harder, because an attacker would need physical access to the device.

Webinar: The True State of Security 2026