MFA isn’t a checkbox — and attackers already know it

The attacker usually has the password before they even start. What happens next is the whole story — and the kind of MFA most companies switched on was built to lose it.