Multi-factor authentication was the most successful single control of the 2010s. It eliminated an entire class of credential-only attacks and forced adversary tooling to evolve. It did not, however, change the fundamental architecture of the systems behind the door — and that is where the consequential losses now occur.
WHY MFA IS NOT ENOUGH — STRUCTURAL ARGUMENT
Help-desk vishing, push-bombing, session-token theft via reverse proxies, and SIM-swap attacks have moved from advanced to commodity. The 2023 MGM and Caesars intrusions, the 2024 Snowflake campaign, and the 2025 Marks & Spencer attack all began with MFA-bypass against the operator, not the customer.
The defensive response — phishing-resistant MFA, hardware tokens, conditional access — is necessary and useful. It is also, on the trajectory we observe, a containment of the symptom rather than a removal of the structural problem.
PULSE engineers environments in which authentication grants the authenticated party access to a presentation layer over a substrate that holds nothing the authenticated party can extract in unrelated form. The strength of the authentication ceremony becomes a defence-in-depth element, not the load-bearing structure.
— PULSE POSITION
MFA defends the door. We have spent the past several years engineering the room behind the door so that what an adversary obtains, when the door is opened, cannot be exchanged for value.
CLASSIFIED — NDA REQUIRED
— deployment topology, cryptographic primitives, sector-specific implementation, and the quantified outcome model on which we engage —
Request Briefing →STRATEGIC BRIEFING — AVAILABLE UNDER NDA