Cybersecurity | 9 min read

Why SMS Codes Are No Longer Enough: A Canadian SMB Guide to Phishing-Resistant MFA

By Anton Kuznetsov

For the last four years, the standard advice for Canadian SMBs on account security was simple: enable multi-factor authentication. Use an authenticator app instead of SMS codes. Your accounts will be protected.

That advice is no longer enough.

On February 25, 2024, the City of Hamilton's IT systems were hit by ransomware. The attack knocked out 80 percent of the city's network and exposed sensitive data belonging to residents and employees. The total cost of cleanup and recovery came to $18.3 million. When the city filed its insurance claim, the insurer denied it — citing the absence of fully implemented multi-factor authentication as the root cause of the breach. The city's own policy excluded coverage for any losses where absence of MFA was the root cause. Staff had been aware of the MFA requirement in their policy since 2022. The third-party legal review the city commissioned confirmed the denial was valid. (CBC News, August 2025)

The $18.3 million bill landed with taxpayers — not the insurer.

The Hamilton case is now the most-cited real-world example in Canadian cybersecurity discussions for one reason: it is not unusual. It is what MFA failure looks like when the invoice arrives.

The New Attack That Bypasses Your Existing MFA

The problem for organizations that have already deployed MFA is that traditional methods — SMS codes, push notifications, time-based one-time passwords from apps like Microsoft Authenticator — are now routinely bypassed by a class of attack called adversary-in-the-middle phishing (AiTM).

Here is how it works. An employee receives a convincing phishing email that leads to a fake login page. That page proxies, in real time, their credentials and MFA code to the real service (Microsoft 365, Google Workspace, a VPN portal). The attacker captures not just the password but the authenticated session token the service issues once MFA succeeds. By the time the employee's MFA app shows "Login approved," the attacker already has an active authenticated session that will remain valid for hours or days — no further MFA challenges required.

This is not a theoretical vulnerability. The Canadian Centre for Cyber Security documented more than 100 AiTM campaigns specifically targeting Canadian Microsoft Entra ID tenants between 2023 and early 2025. Microsoft's own telemetry recorded a 146% increase in AiTM phishing attacks across 2024. (Microsoft Digital Defense Report 2025)

The dominant kit enabling this wave, Tycoon 2FA, cost as little as $120 USD for 10 days of access and accounted for approximately 76% of all phishing-as-a-service attacks globally. Before its March 2026 takedown coordinated by Europol and Microsoft, it served more than 2,000 operators and generated phishing messages reaching over 500,000 organizations per month. (Microsoft Security Blog, March 2026) New variants — Starkiller, Mamba 2FA, Whisper 2FA — have emerged to fill the gap.

The capability has been democratized. A threat actor does not need technical sophistication to launch an MFA-bypass phishing campaign against a Canadian SMB. They need a subscription and an email list.

The Scale of the Identity Attack Problem

The full scope is visible in Microsoft's numbers. The Microsoft Digital Defense Report 2025 documents more than 7,000 password attacks per second against Microsoft Entra ID — totalling over 600 million identity attacks every day. Ninety-seven percent of those attacks are password-based. Even with conventional MFA in place, attackers who capture session tokens via AiTM continue to operate in compromised accounts, often for weeks before detection.

For Canadian SMBs — most of whose workforces run on Microsoft 365 — this threat is direct and current. The CIRA 2025 Cybersecurity Survey found that 43% of Canadian organizations experienced a cyber attack in the past 12 months. The attack vector in the majority of these incidents was a phishing email.

What "Phishing-Resistant" Actually Means

Not all MFA is equal. The term phishing-resistant has a specific technical meaning: it refers to authentication methods where the cryptographic protocol itself prevents interception by an attacker-controlled proxy. The two primary phishing-resistant technologies are:

FIDO2 / Passkeys: Authentication is a cryptographic challenge-response in which the credential is bound to the legitimate service's domain (the relying party ID). The browser will only use the passkey on that domain, and the signed response includes the origin the user actually visited, so an AiTM proxy on a different domain cannot obtain a valid response to relay to the real Microsoft 365 login: the authentication fails at the protocol level, before any credential is shared.

Certificate-Based Authentication (CBA): Smart cards or device certificates that perform mutual authentication, also cryptographically bound to the legitimate service.
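To show what "fails at the protocol level" means for the FIDO2/passkey flow described above, here is an added example (not code from the post or from any vendor) that simulates the browser-side and relying-party-side WebAuthn checks. The RP ID, origins, challenge and key are constructed, and an HMAC stands in for the authenticator's real public-key signature.

```python
"""Simulated WebAuthn checks that stop an AiTM proxy from relaying a passkey
login (added example, not from the post). HMAC stands in for the authenticator's
public-key signature; the origin and RP-ID checks are the ones WebAuthn
requires. All names, origins and keys are constructed."""
import hashlib, hmac, json
from urllib.parse import urlparse
RP_ID = "login.contoso.example"           # constructed RP ID of the real service
RP_ORIGIN = "https://" + RP_ID
CREDENTIAL = {"rp_id": RP_ID, "key": b"constructed-passkey-secret"}  # made at enrolment

def browser_get_assertion(origin, rp_id, challenge, cred):
    """Client side: the browser honours an RP ID only if it is the page's host or a
    registrable suffix of it; the authenticator only answers for that RP ID."""
    host = urlparse(origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("browser refused: RP ID not valid for origin " + origin)
    if cred["rp_id"] != rp_id:
        raise ValueError("authenticator has no credential for RP ID " + rp_id)
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()  # origin is set by the browser
    auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash; flags/counter omitted
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(cred["key"], to_sign, hashlib.sha256).digest()}

def rp_verify(assertion, challenge, cred):
    """Server side: type, challenge, origin, rpIdHash, then signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:            # relayed through another site
        return False
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred["key"], to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])

def login_from(origin, rp_id_requested, challenge="constructed-challenge-1"):
    """Return 'ok' when the RP accepts the login, else where the flow stopped."""
    try:
        assertion = browser_get_assertion(origin, rp_id_requested, challenge, CREDENTIAL)
    except ValueError as err:
        return str(err)
    return "ok" if rp_verify(assertion, challenge, CREDENTIAL) else "rp rejected assertion"
if __name__ == "__main__":
    print(login_from(RP_ORIGIN, RP_ID))                        # ok
    print(login_from("https://login-contoso.example", RP_ID))  # proxy relays real RP ID
    print(login_from("https://login-contoso.example", "login-contoso.example"))  # proxy's own RP ID
```

The proxy is stopped either by the browser (the real RP ID is not valid for the proxy's origin) or by the authenticator (no passkey exists for the proxy's own RP ID), and an assertion whose origin is edited after signing fails the signature check.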

By contrast, the following methods are not phishing-resistant:

Authentication Method             | Phishing-Resistant | AiTM Bypass Risk
----------------------------------|--------------------|-----------------
SMS one-time password             | No                 | High
Email one-time password           | No                 | High
Authenticator app (TOTP)          | No                 | High
Push notification (approve/deny)  | No                 | High
Number-matching push              | No                 | Medium
Passkey / FIDO2 hardware key      | Yes                | None
Certificate-Based Authentication  | Yes                | None

SMS OTP carries additional risk beyond AiTM: SIM swapping attacks, where a threat actor social-engineers your carrier into porting your phone number to their SIM, give attackers direct receipt of every SMS code sent to the compromised number. Several Canadian carriers have experienced SIM swap fraud targeting business accounts.

What the CCCS Requires

The Canadian Centre for Cyber Security has been unambiguous. The Baseline Cyber Security Controls for Small and Medium Organizations (ITSM.10.089), v1.2 — updated January 2026 — identifies enabling MFA as the single most important IT security action a Canadian organization can take.

Beyond the baseline, the CCCS published ITSM.30.031 specifically to address AiTM attacks targeting Canadian organizations. The guidance recommends deploying phishing-resistant MFA (FIDO2 and passkeys) for all users — not just administrators — and is explicit that traditional MFA methods do not protect against the AiTM campaigns the CCCS is actively tracking against Canadian Microsoft Entra tenants.

In 2026, the CCCS issued Advisory AL26-010, warning Canadian organizations about a wave of social-engineering attacks where criminals impersonate IT staff, identity providers, or trusted vendors — contacting employees by phone and directing them to authenticate to attacker-controlled portals. The recommended defense is phishing-resistant MFA that cannot be relayed through a proxy, regardless of what an employee believes they are authenticating to.

For organizations in federally regulated industries, the requirements go further. OSFI Guideline B-13 (effective January 1, 2024) is the first formal Canadian regulatory directive requiring federally regulated financial institutions to implement risk-based identity controls — explicitly moving institutions beyond SMS OTP, which the guideline treats as inadequate for high-risk access scenarios.

What Cyber Insurers Now Require

The Hamilton case had a direct effect on how Canadian cyber insurers underwrite small business policies. Most major Canadian carriers now list phishing-resistant MFA for privileged accounts — administrator access, finance roles, executive accounts, remote access portals — as a coverage condition, not a recommended practice.

Legacy SMS codes no longer satisfy most Canadian underwriters. Number-matching push is treated as the minimum floor. Hardware FIDO2 security keys or passkeys are strongly preferred for accounts with access to financial systems, customer data, or administrative infrastructure.

A business applying for cyber insurance renewal that cannot demonstrate phishing-resistant MFA on privileged accounts is likely to face premium increases, reduced coverage limits, or explicit exclusions for credential-based incidents. In the worst case — as Hamilton demonstrated — it faces a valid claim the insurer will not pay.

A Practical Implementation Path for Canadian SMBs

The FIDO Alliance reported that 5 billion passkeys are now in use globally, with 68% of organizations having deployed or actively deploying passkeys for employee sign-ins as of May 2026. The technology is mature and the tooling for Microsoft 365 and Google Workspace deployment is well-documented.

A two-track approach works for most Canadian SMBs:

Track 1 — Privileged users (complete first)

Target: IT administrators, finance team, executives, HR and payroll, anyone with access to sensitive customer data or financial systems. These accounts carry the greatest insurance and compliance exposure.

  • Deploy hardware FIDO2 security keys (YubiKey, Google Titan Key) or configure passkeys in Microsoft Entra ID or Google Workspace
  • Enable Conditional Access policies requiring phishing-resistant MFA for access to sensitive applications
  • Disable legacy authentication protocols (SMTP auth, basic auth) that bypass MFA entirely

Track 2 — General workforce (next 90 days)

For all other users, move from SMS OTP to at minimum number-matching push with device compliance policies, then to synced passkeys as the workforce becomes comfortable with the experience.

  • Enable number-matching in Microsoft Authenticator (closes MFA fatigue attack vector)
  • Roll out Microsoft Authenticator passkey support (generally available in Microsoft Entra as of 2025)
  • Communicate to staff why authentication is changing before the change happens — training reduces friction

Across both tracks:

  • Disable SMS and email OTP as allowed authentication methods in your identity provider
  • Review and revoke legacy authentication protocols and third-party app permissions that use delegated OAuth without MFA enforcement
  • Subscribe to CCCS Alerts and Advisories for timely guidance on emerging identity threats
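As an added check for the rollout steps above (example code, not the post's or Microsoft's), this audit takes a tenant's authentication methods policy and Conditional Access policies and reports which checklist items are still open: weak OTP methods still enabled, privileged roles without an enforced phishing-resistant requirement, and legacy authentication not blocked. It assumes the Microsoft Graph JSON shapes for authenticationMethodsPolicy and conditionalAccessPolicy, including the built-in phishing-resistant authentication strength id, and uses constructed sample data with placeholder role ids.

```python
"""Audit of authentication-method settings and Conditional Access policies
against the checklist above (added example, not from the post). Input shapes
follow Microsoft Graph's authenticationMethodsPolicy and conditionalAccessPolicy
objects as this example assumes them; all sample data is constructed."""
PHISHING_RESISTANT = "00000000-0000-0000-0000-000000000004"  # built-in strength id (assumed)
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}  # clientAppTypes used by legacy auth
WEAK_METHODS = {"Sms", "Email"}                       # OTP methods relayable by AiTM

def audit(methods_policy, ca_policies, privileged_roles):
    """Return a list of findings; an empty list means the checklist is met."""
    findings = []
    for cfg in methods_policy.get("authenticationMethodConfigurations", []):
        if cfg["id"] in WEAK_METHODS and cfg.get("state") == "enabled":
            findings.append(f"{cfg['id']} OTP is still an allowed method")
        if cfg["id"] == "Fido2" and cfg.get("state") != "enabled":
            findings.append("FIDO2/passkeys are not enabled")
    enforced = [p for p in ca_policies if p.get("state") == "enabled"]  # report-only is not enforcement
    covered = set()
    for p in enforced:
        strength = p.get("grantControls", {}).get("authenticationStrength") or {}
        if strength.get("id") == PHISHING_RESISTANT:
            users = p.get("conditions", {}).get("users", {})
            if "All" in users.get("includeUsers", []):
                covered.update(privileged_roles)
            covered.update(users.get("includeRoles", []))
    for role in privileged_roles:
        if role not in covered:
            findings.append(f"no enforced policy requires phishing-resistant MFA for role {role}")
    if not any("block" in p.get("grantControls", {}).get("builtInControls", [])
               and LEGACY_CLIENT_APPS <= set(p.get("conditions", {}).get("clientAppTypes", []))
               for p in enforced):
        findings.append("legacy authentication client app types are not blocked")
    return findings
# Constructed sample tenant: SMS still on, admin policy left in report-only mode.
ROLES = ["ROLE-ID-GLOBAL-ADMIN", "ROLE-ID-BILLING-ADMIN"]  # placeholder role template ids
SAMPLE_METHODS = {"authenticationMethodConfigurations": [
    {"id": "Sms", "state": "enabled"}, {"id": "Email", "state": "disabled"},
    {"id": "Fido2", "state": "enabled"}, {"id": "MicrosoftAuthenticator", "state": "enabled"}]}
SAMPLE_CA = [
    {"displayName": "Require phishing-resistant MFA for admins",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeRoles": ROLES}},
     "grantControls": {"operator": "AND", "authenticationStrength": {"id": PHISHING_RESISTANT}}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}}]
if __name__ == "__main__":
    for finding in audit(SAMPLE_METHODS, SAMPLE_CA, ROLES):
        print("-", finding)
```

Running it on the sample reports SMS still enabled and both privileged roles uncovered, because a report-only policy enforces nothing; switching that policy to enabled and disabling SMS clears the list.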

The full Track 1 deployment can be completed in a week for most Canadian SMBs. It is, alongside immutable backups, the single change most likely to prevent the incident that tests whether your cyber insurance policy pays.

Cloud Forces helps Canadian SMBs deploy phishing-resistant MFA for Microsoft 365 and Google Workspace environments — including FIDO2 hardware key provisioning, Conditional Access policy configuration, and legacy protocol remediation. If you're not sure whether your current authentication setup would satisfy your cyber insurer's requirements or the CCCS baseline, book a free identity security assessment or explore our cybersecurity services.

Anton Kuznetsov
Founder & Principal Engineer

Anton Kuznetsov is the founder and principal engineer of Cloud Forces, the Toronto firm he started in 2018 to make custom software and AI practical and affordable for Canadian SMEs. He works hands-on across application development, cloud architecture, and the production systems Cloud Forces runs for its clients.
