And the weak link is … the human factor.
Not surprisingly, recent reports (see e.g. here) describe how attackers abuse even MFA processes based on authenticator apps (on mobile phones). Of course this still requires some work: in a generic scenario the attacker must already know the username and password of the account or service under attack and protected by MFA. But after that, bombarding the user with second-factor authentication requests on the mobile app (in the middle of the night) sometimes leads to access being granted (by someone who actually would like to sleep).
This should not be possible with FIDO2 token or biometrics-based MFA, but the “human factor” is often hard to predict…
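On the defender's side, the pattern described above (a burst of unanswered or rejected push prompts, sometimes ending in an approval) is visible in the identity provider's authentication log. The following detection sketch is an added example, not taken from the reports mentioned above; the event fields, the 10-minute window and the threshold of 5 are assumptions, and the log entries are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, outcome of the push prompt).
SAMPLE_EVENTS = [
    ("2024-01-10T02:14:05", "alice", "denied"),
    ("2024-01-10T02:14:40", "alice", "timeout"),
    ("2024-01-10T02:15:10", "alice", "denied"),
    ("2024-01-10T02:15:55", "alice", "timeout"),
    ("2024-01-10T02:16:30", "alice", "denied"),
    ("2024-01-10T02:17:02", "alice", "approved"),  # the user gives in
    ("2024-01-10T09:00:00", "bob", "approved"),    # normal login
    ("2024-01-10T13:30:00", "bob", "denied"),      # single mis-tap
    ("2024-01-10T13:30:20", "bob", "approved"),
]

def detect_push_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Return (user, timestamp, kind) alerts.

    'prompt_burst'         : `threshold` unapproved prompts within `window`
    'approved_after_burst' : an approval arrived while such a burst was active
    """
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    alerts = []
    for ts_str, user, outcome in sorted(events):  # ISO strings sort by time
        ts = datetime.fromisoformat(ts_str)
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts outside the window
            q.popleft()
        if outcome in ("denied", "timeout"):
            q.append(ts)
            if len(q) == threshold:      # alert once when the burst forms
                alerts.append((user, ts_str, "prompt_burst"))
        elif outcome == "approved":
            if len(q) >= threshold:      # highest priority: possible takeover
                alerts.append((user, ts_str, "approved_after_burst"))
            q.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_EVENTS):
        print(alert)
```

An `approved_after_burst` alert is the one to act on immediately (revoke the session, reset the password, since the first factor is already known to the attacker); a `prompt_burst` alone still indicates leaked credentials.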