Multi-factor protection materially lowers the chance that an attacker who obtains or guesses credentials can access an account on a custodial service, but it does not eliminate all risk. Evidence from security research and guidance shows multi-factor authentication (MFA) is an important control, while real-world incidents illustrate residual attack paths that bypass or undermine it.
Evidence from research and standards
Research by Elie Bursztein of Google highlights that phishing-resistant authenticators such as hardware security keys drastically reduce successful account takeovers compared with passwords alone or SMS codes. Alex Weinert of Microsoft has described industry telemetry showing strong reductions in automated account compromise when additional factors are required. The National Institute of Standards and Technology recommends avoiding weak out-of-band factors such as SMS and moving toward cryptographic, phishing-resistant methods in NIST Special Publication 800-63B. The FIDO Alliance also documents how public-key based authenticators mitigate common phishing techniques, because the signed response is bound to the site origin the browser is actually on and cannot be replayed from a lookalike domain. These sources converge on the conclusion that strong MFA provides significantly better protection than single-factor authentication.
Causes of residual compromise
Attackers adapt. Common residual paths include SIM swap attacks that capture SMS codes, social engineering of customer support to reset access, session hijacking via stolen cookies, malware that reads app-based codes, and insider threats at custodial firms. API keys and delegated access tokens can be misused even when account logins are protected. Geographic and cultural factors matter: SMS remains widely used in many countries where telecom fraud and SIM portability practices are weaker, increasing local risk. Resource-constrained custodians may still rely on less secure recovery flows that attackers exploit.
Consequences and practical implications
When custodial accounts are compromised the consequences include direct financial loss, cascading trust and liquidity impacts on platforms, and reputational harm for providers and users. For the strongest reduction in takeover risk, custodial services should deploy phishing-resistant MFA, tighten account recovery, monitor for anomalous behavior, and limit privileged insider access. Users should prefer security keys or platform authenticators and avoid SMS where possible. MFA is a major risk reducer but must be implemented with modern, holistic controls to address the remaining threat vectors.