May 20, 2026 • Shubhang Malik
YOUR MFA STRATEGY JUST BECAME YOUR BIGGEST LIABILITY
What the Stryker attack revealed about the authentication architecture most organizations are still running — and what actually works when everything else fails.
On March 11, 2026, Stryker Corporation discovered what happens when the security system you built to protect your organization becomes the weapon used against it. Attackers gained administrative credentials and used them to trigger a global factory reset across approximately 80,000 devices in 79 countries — no malware, no zero-day exploit, no sophisticated intrusion technique. Just authentication architecture that wasn't built to withstand what came next.
Multi-factor authentication was active. It did exactly what it was configured to do. And the attackers got in anyway.
This is the new reality of device-dependent MFA: a security architecture that closes one door while leaving several others open. Understanding the gap — and what phishing-resistant authentication actually means — is the most urgent identity security decision your organization can make right now.
WHY DEVICE-DEPENDENT MFA FAILED AT STRYKER
Device-dependent MFA — the standard authentication model built around SMS codes, authenticator app one-time passwords, and push notifications — was designed assuming one thing: that the authentication event itself is where attackers strike.
Adversary-in-the-middle (AiTM) attacks break that assumption entirely. In an AiTM attack, the user completes a genuine MFA challenge. The attacker, operating a transparent proxy between the user and the identity provider, captures the session token that's issued afterward. There is nothing to intercept at authentication because the attacker isn't there for the authentication — they're there for what comes after it.
This is the mechanism most consistent with the Stryker attack. Threat intelligence identified 278 sets of compromised Stryker credentials between October 2025 and March 2026, with 83 credential exposure events linked to 31 unique email accounts in the five weeks before the attack. Microsoft had enforced MFA on administrative accounts in late 2025. Yet the attacker reached Global Administrator level and issued mass device wipe commands through Microsoft Intune. Session token theft after MFA completion is the most likely explanation — though the initial access vector was not publicly confirmed by Stryker or CISA.
Threat intelligence confirmed by Specops/Outpost24 and Stryker's SEC 8-K filings, March 2026.
THE FOUR WAYS ATTACKERS BYPASS STANDARD MFA
1. Adversary-in-the-Middle (AiTM) Session Token Theft
Phishing-as-a-Service toolkits — Evilginx and others — are now sold pre-configured for AiTM attacks. The attacker hosts a convincing replica of a login page that proxies requests to the real identity provider in real time. The user authenticates successfully. The attacker captures the resulting session token and uses it without ever touching the MFA step. Microsoft reported over 10,000 organizations targeted by AiTM campaigns in 2023–2024, with attacks increasing a further 46% in 2025.
Microsoft Digital Defense Report, 2024.
2. MFA Fatigue Attacks
After obtaining valid credentials, attackers trigger continuous push notification requests until the user approves one just to stop the interruption. Research indicates approximately 25% of attacks now use this technique. Verizon's 2025 Data Breach Investigations Report documented a 217% year-over-year increase in MFA fatigue incidents. Lapsus$ used this method against Uber — contacting the target via WhatsApp posing as IT support and instructing them to accept the prompt. Cisco was compromised via voice phishing combined with repeated push notifications.
Verizon 2025 Data Breach Investigations Report.
3. SIM Swap Attacks
Attackers social-engineer mobile carriers into transferring a victim's phone number to a controlled SIM card. All SMS-based MFA codes then route to the attacker. The FBI documented this vector scaling from $12 million in losses across 320 incidents between 2018 and 2020 to $68 million across 1,611 incidents in 2021 alone — a five-fold increase in a single year.
FBI Internet Crime Complaint Center, February 2022.
4. Authentication Downgrade
When phishing-resistant methods allow fallback to weaker ones, attackers trigger the fallback. A FIDO2 hardware key deployment that still permits SMS as a backup provides roughly the same protection as SMS alone — because attackers exploit the weakest available path, not the strongest.
WHAT PHISHING-RESISTANT MFA ACTUALLY MEANS
Phishing-resistant MFA is not a stronger version of standard MFA — it is a different architecture. Authentication is phishing-resistant when it is cryptographically bound to the specific domain of the legitimate service. A proxy positioned between the user and the identity provider cannot capture and replay the authentication because there is nothing reusable to steal.
CISA designates two approved implementations as phishing-resistant: FIDO2/WebAuthn authentication and PKI-based certificate authentication. FIDO2 security keys and passkeys — including Windows Hello for Business, Apple Face ID, and device-bound passkeys — meet this standard. Each creates a unique cryptographic pair per origin: the authentication response is mathematically impossible to replay against a different domain.
This is the architecture Stryker's administrative accounts needed. It is the architecture CISA explicitly recommended in Advisory AA26-077A following the attack.
CISA Advisory AA26-077A, March 18, 2026.
"Phishing-resistant MFA isn't stronger MFA. It's a different architecture — one that makes session token theft structurally impossible."
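To make "cryptographically bound to the specific domain" concrete, here is an added Go model of the FIDO2/WebAuthn assertion check (example code written for this post, not from CISA, Microsoft or the Avatier product; the host names in the test are constructed placeholders). The authenticator holds one P-256 key pair per relying-party ID, and the browser, not the page, writes the origin the user is actually on into the signed client data, so a relying party rejects anything produced on a proxy's lookalike origin before it even looks at the signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is the subset of WebAuthn clientDataJSON used here; the browser, not the page, sets Origin.
type clientData struct{ Challenge, Origin string }
// creds stands in for a FIDO2 key's storage (constructed): one key pair per relying-party ID.
var creds = map[string]*ecdsa.PrivateKey{}

// Register creates a credential scoped to rpID and returns its public key.
func Register(rpID string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	creds[rpID] = k
	return &k.PublicKey
}
// signedHash is what WebAuthn signs: sha256(authenticatorData || sha256(clientDataJSON)).
func signedHash(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}
// Assert signs a challenge for rpID with origin as the browser saw it; authData is just the rpID hash here.
func Assert(rpID, origin, challenge string) ([]byte, []byte, []byte, error) {
	k, ok := creds[rpID]
	if !ok {
		return nil, nil, nil, fmt.Errorf("no credential for rpID %q", rpID)
	}
	cdJSON, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, k, signedHash(rpHash[:], cdJSON))
	return cdJSON, rpHash[:], sig, err
}
// VerifyAssertion is the relying-party side: the origin inside the signed client
// data must be ours and the challenge the one we issued, then the signature.
func VerifyAssertion(pub *ecdsa.PublicKey, origin, challenge string, cdJSON, authData, sig []byte) error {
	var cd clientData
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Origin != origin || cd.Challenge != challenge {
		return fmt.Errorf("client data (origin %q) was not produced for this site", cd.Origin)
	}
	if !ecdsa.VerifyASN1(pub, signedHash(authData, cdJSON), sig) {
		return fmt.Errorf("signature invalid")
	}
	return nil
}
```

The two failure paths are exactly the ones an AiTM proxy runs into: an honest browser on the lookalike site asks for a credential that does not exist, and a relayed assertion carries the lookalike origin and fails the origin check.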
THE COVERAGE GAP DEVICE-DEPENDENT MFA LEFT BEHIND
Device-dependent MFA was designed for knowledge workers with managed corporate devices. That is a fraction of most organizations' actual workforce.
In manufacturing, healthcare, retail, logistics, and field services — industries that represent the majority of global employment — large portions of the workforce are frontline or deskless workers who have never been issued managed corporate devices. The standard MFA deployment model was never designed for the nurse at a shared terminal, the factory floor operator, the field service technician, or the contractor working across sites.
The practical result: most organizations issued exemption policies rather than solving the underlying authentication problem for these workers. The industry solved MFA for knowledge workers with devices, declared the problem solved, and moved on. That exemption population is now a systematic attack surface.
Avatier’s Identity Challenge Card was built specifically to close this gap — air-gapped, deviceless MFA that covers every worker, including the ones device-dependent solutions leave behind.
CISA strongly urges all organizations to implement phishing-resistant MFA as part of Zero Trust principles, explicitly noting that SMS and voice-based MFA methods are vulnerable to SS7 protocol exploitation and SIM swap attacks that allow threat actors to bypass MFA entirely.
CISA phishing-resistant MFA guidance.
THE CONTROLS THAT WOULD HAVE STOPPED THE STRYKER ATTACK
Multi Admin Approval for Destructive Actions
Microsoft Intune's Multi Admin Approval feature requires a second administrator to explicitly approve high-impact actions — device wipes, script deployments, RBAC modifications — before they execute. This feature existed before March 11, 2026. It was not configured at Stryker. With it enabled, the attackers would have needed to compromise two independent administrator accounts and coordinate approvals simultaneously — a substantially harder problem. CISA's post-incident advisory specifically identified enabling Multi Admin Approval as a priority mitigation.
CISA Advisory AA26-077A; Microsoft Intune hardening guidance, March 2026.
Privileged Identity Management with No Standing Admin Rights
Privileged Identity Management (PIM) enables just-in-time administrator access. Rather than permanent Global Administrator assignments, administrators request elevation for specific tasks, receive time-limited approval, and access automatically expires. A compromised credential that cannot self-elevate to Global Admin without triggering an approval workflow is dramatically less useful to an attacker.
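To show how the two controls above compose, here is an added Go model of the gate in front of a destructive action (example code written for this post, not Intune's Multi Admin Approval or Entra PIM themselves; administrator names, the elevation map and the approval window are constructed). A request only proceeds when the requester holds a live just-in-time elevation and a different administrator has approved within the window, so one stolen session is not enough on its own.

```go
package main

import (
	"errors"
	"time"
)
// Approval is a second administrator's recorded "yes" for one specific request.
type Approval struct {
	Approver string
	At       time.Time
}
// Request is a high-impact action (wipe, script deploy, RBAC change) waiting at the gate;
// approvals live inside the request, so an approval for one action cannot be reused for another.
type Request struct {
	Requester string
	Approvals []Approval
}
var (
	ErrSelfApproval = errors.New("requester cannot approve their own request")
	ErrDuplicate    = errors.New("administrator already approved this request")
	ErrNotElevated  = errors.New("requester holds no active just-in-time elevation")
	ErrNotApproved  = errors.New("no current approval from a second administrator")
)

// Approve records an approval, rejecting self-approval and the same approver twice.
func (r *Request) Approve(admin string, now time.Time) error {
	if admin == r.Requester {
		return ErrSelfApproval
	}
	for _, a := range r.Approvals {
		if a.Approver == admin {
			return ErrDuplicate
		}
	}
	r.Approvals = append(r.Approvals, Approval{admin, now})
	return nil
}
// Gate decides whether the destructive action may run. elevations maps an admin to the
// expiry of their JIT elevation (no entry means no standing rights); ttl is how long an
// approval stays valid. Both are constructed inputs, not PIM or Intune settings.
func (r *Request) Gate(elevations map[string]time.Time, ttl time.Duration, now time.Time) error {
	if exp, ok := elevations[r.Requester]; !ok || !now.Before(exp) {
		return ErrNotElevated
	}
	for _, a := range r.Approvals {
		if a.Approver != r.Requester && now.Sub(a.At) <= ttl {
			return nil // two independent administrators agreed within the window: proceed
		}
	}
	return ErrNotApproved
}
```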
Phishing-Resistant MFA on Privileged Accounts
FIDO2 security keys or device-bound passkeys on all privileged administrator accounts close the AiTM attack vector where blast radius is highest. The typical cost of $50–$100 per hardware key is a fraction of the cost of a single serious incident.
THE TEST NOBODY RUNS
Most organizations run tabletop exercises where everything works. They simulate a breach in a conference room with the network up, identity systems running, and everyone cooperative. Then they declare themselves ready.
The test that matters is the one nobody runs: take your identity system offline. Wipe the devices. Assume the network is compromised. Now try to authenticate a user through your service desk.
That test reveals whether your fallback authentication exists as a real, independent system — or whether it only exists on the assumption that your primary infrastructure will never fail. At Stryker, when devices were wiped and identity systems were unreliable, that assumption failed.
THE CHANGE HEALTHCARE PARALLEL
The Change Healthcare breach established the financial scale of a single MFA gap at critical infrastructure. Attackers used stolen credentials to access a Citrix remote access portal with no multi-factor authentication. UnitedHealth CEO Andrew Witty confirmed in congressional testimony that the missing MFA was the foundational failure. The total cost to UnitedHealth reached $3.09 billion by end of 2024 — making it the most expensive MFA gap in recorded history.
UnitedHealth CEO congressional testimony, May 2024.
The pattern at Stryker was different in mechanism — AiTM session token theft rather than absent MFA — but identical in root cause: authentication architecture that assumed the controls were adequate because they technically existed.
WHAT PHISHING-RESISTANT MFA DEMANDS FROM YOUR ARCHITECTURE
Deploying phishing-resistant MFA requires answering four architectural questions honestly:
Does authentication work when your identity provider is down? If your fallback depends on network connectivity or cloud services, it will fail precisely when you need it most.
Can your service desk verify identity without touching systems an attacker might control? Verification that requires database lookups, API calls, or manager approvals through potentially compromised channels provides no real security during an active incident.
Does every credential have forced lifecycle governance? Phishing-resistant authentication is only as strong as the process for issuing, expiring, revoking, and re-enrolling credentials. A credential that gets issued and never tracked becomes unauthorized access waiting to happen.
Does your authentication architecture cover your entire workforce? Deviceless MFA — authentication that doesn't require a managed corporate device — is a requirement for any workforce with frontline, deskless, or contractor populations. If your MFA deployment requires exemption policies for large groups, those exemptions are your attack surface.
THE STRUCTURAL CORRECTION
The Stryker attack didn't reveal a weakness in Microsoft Intune. It revealed a weakness in the assumption that device-dependent MFA, properly deployed, closes the authentication problem.
It doesn't.
Multi Admin Approval could have stopped the Stryker attack. Phishing-resistant MFA on administrative accounts could have prevented the initial access. Privileged Identity Management with no standing Global Admin rights could have limited the blast radius even with a compromised credential. None of these are new capabilities. All of them existed before March 11, 2026. The gap wasn't the technology. It was the configuration.
"The moment you treat authentication as something that must work when everything else fails, you stop building systems that depend on everything working."
Security achieves legitimacy when it reduces user effort, not when it increases it. The organizations that survive the next serious incident will be the ones that built authentication infrastructure assuming failure — not infrastructure that assumes the network, the identity provider, and the devices will all cooperate.
The question isn't whether your MFA will be tested. The question is whether it will still work when the test comes.
The Stryker attack didn’t require sophisticated malware or a zero-day exploit. It required one compromised credential and an authentication architecture that assumed the controls were adequate because they technically existed. When devices were wiped and identity systems went down, there was no fallback that worked independently of the infrastructure that had just failed.
That’s exactly the problem the Avatier Identity Challenge Card was built to solve — air-gapped, deviceless MFA that verifies the human, not the hardware. No phone. No app. No network. Three factors on a printed card that works the day traditional MFA fails.