MFA Won't Save You: How Device Code Phishing Bypasses Your Strongest Authentication
·2038 words·10 mins
Device code phishing has gone from a niche state-sponsored technique to a commoditized attack with at least 11 phishing kits and a 37x surge in 2026. The attack abuses the legitimate OAuth 2.0 Device Authorization Grant flow, routes victims through real Microsoft login pages, and bypasses MFA entirely. What practitioners need to understand.