
The Importance of Using Multi-Factor Authentication

8 APR 2025


KEY TAKEAWAYS:

  • Multi-factor authentication (MFA) strengthens security by requiring multiple verification factors beyond passwords.
  • MFA mitigates common cyber threats but should be part of a broader security strategy.
  • User training is essential to prevent MFA-related attacks like phishing and MFA fatigue.

To protect accounts and systems against breaches, multi-factor authentication (MFA) has emerged as a critical security measure and is a core component of a strong identity and access management (IAM) policy.  

The US National Institute of Standards and Technology (NIST) defines MFA as “an authentication system that requires more than one distinct authentication factor for successful authentication.” MFA requires two or more verification factors to gain access to a resource such as an application, account, or system. According to NIST, MFA factors generally fall into three categories:

  1. Something You Know: A password or PIN.
  2. Something You Have: A mobile device, hardware token, or security key.
  3. Something You Are: A biometric factor like fingerprints, facial recognition, or iris scans.

Beyond these classic categories, newer factors, such as location data, help assess risk but are not considered standalone authentication methods. By forcing users to verify their identity through multiple distinct factors, MFA adds an extra layer of security; even if one factor is compromised (most often a password), the additional factors provide further protection.  

Enhancing MFA Security with Conditional Access and Passwordless Authentication

MFA can be used as part of conditional access policies, such as those based on geolocation. For example, if the user attempts to log in from a trusted location, like a corporate office, MFA is bypassed. However, if the user logs in from an unfamiliar or high-risk location, MFA is enforced.  
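The two ideas above, the NIST requirement that factors be of distinct categories and the geolocation-based conditional access policy, as an added example (not code from the original article). The authenticator-type labels, the trusted network ranges and the decision values are assumptions chosen for this example.

```python
import ipaddress
from dataclasses import dataclass

# NIST factor categories from the article; the authenticator-type labels are
# assumed names for this example, not taken from the page.
FACTOR_CATEGORY = {
    "password": "know", "pin": "know",
    "totp_app": "have", "hardware_key": "have", "sms_otp": "have",
    "fingerprint": "are", "face": "are",
}

# Constructed "trusted location" ranges standing in for a corporate office.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/25")]


@dataclass
class LoginAttempt:
    user: str
    source_ip: str
    factors: list  # authenticator types already verified for this attempt


def distinct_categories(factors):
    """Return the set of NIST categories covered by the verified factors."""
    return {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}


def is_trusted_location(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(attempt):
    """Conditional-access decision: 'allow', 'require_mfa' or 'deny'."""
    cats = distinct_categories(attempt.factors)
    if not cats:
        return "deny"            # nothing has been verified at all
    if is_trusted_location(attempt.source_ip):
        return "allow"           # MFA bypassed at a trusted location
    # Unfamiliar location: insist on two or more *distinct* categories.
    # Password + PIN are both "something you know" and do not count as MFA.
    return "allow" if len(cats) >= 2 else "require_mfa"
```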

A way to enhance the security of MFA is through passwordless authentication, which removes the “something you know” (password) factor from authentication and instead relies on other factors such as “something you are” (biometrics) and “something you have” (hardware token). It can also be combined with other signals, such as “somewhere you are” (IP address or geolocation). Passwordless authentication is more secure than using passwords; however, it is still only a single factor of authentication and should be used in conjunction with MFA rather than replacing it.

The Advantages of MFA: Stronger Security and Regulatory Compliance

Using MFA has multiple advantages, primarily that it significantly increases the security of sensitive or protected resources and defends against identity theft and fraud. MFA mitigates the risk of common attack methods used by threat actors, such as brute force attacks, credential stuffing, keylogging and phishing. These attacks become ineffective because, even if an attacker steals user credentials, they cannot access the account or resource without access to the second authentication factor.  

MFA also supports regulatory compliance in industries whose stricter security standards mandate its implementation, such as healthcare and cardholder data environments, governed by HIPAA in the US and PCI-DSS 4.0, respectively.

MFA Vulnerabilities and the Importance of User Awareness

MFA does have several vulnerabilities. With SIM swapping, an attacker convinces a mobile carrier to transfer a victim’s phone number to a new SIM card under the attacker’s control. If the victim’s MFA relies on SMS-based one-time passwords (OTPs), the attacker can intercept the OTPs and gain access to the victim’s accounts. Attackers can also intercept or redirect SMS-based OTPs, leaving accounts vulnerable. SMS-based MFA is therefore considered the least secure form of MFA.  

Threat actors can also use advanced phishing attacks, tricking victims into entering their authentication details into fraudulent websites, exposing their accounts. Criminals may use social engineering tactics such as calling or emailing the victim, impersonating a legitimate entity, and tricking them into revealing their secondary authentication factor, such as a code from an authentication app or hardware token. MFA fatigue is also a concern; an attacker who has already obtained a target’s username and password will repeatedly send MFA push notifications to the target’s device, hoping the user will erroneously approve the request.
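The MFA fatigue pattern described above, approached from the detection side: a burst of push prompts for one user inside a short window, most of them rejected or timed out, ending in an approval. This is an added example, not code from the original article; the key=value log format, the sample lines and the thresholds are constructed for illustration and do not correspond to any particular identity provider.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events in an assumed key=value format.
SAMPLE_LOG = """\
2025-04-08T09:00:01Z user=alice event=mfa_push result=denied ip=192.0.2.7
2025-04-08T09:00:40Z user=alice event=mfa_push result=denied ip=192.0.2.7
2025-04-08T09:01:15Z user=alice event=mfa_push result=timeout ip=192.0.2.7
2025-04-08T09:02:03Z user=alice event=mfa_push result=denied ip=192.0.2.7
2025-04-08T09:03:30Z user=alice event=mfa_push result=approved ip=192.0.2.7
2025-04-08T09:05:00Z user=bob event=mfa_push result=approved ip=203.0.113.9
2025-04-08T11:30:00Z user=carol event=mfa_push result=denied ip=198.51.100.2
2025-04-08T15:45:00Z user=carol event=mfa_push result=approved ip=198.51.100.2
"""


def parse(line):
    """Split one log line into a dict; the timestamp becomes a datetime."""
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_mfa_fatigue(log_text, window=timedelta(minutes=10), threshold=3):
    """Flag users with `threshold` or more push prompts inside `window`.

    For each flagged user, report the size of the largest burst seen, how
    many prompts in it were not approved, and whether the burst ended in an
    approval (the outcome the attacker is hoping for)."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec.get("event") == "mfa_push":
            by_user[rec["user"]].append(rec)

    alerts = {}
    for user, events in by_user.items():
        events.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(events)):           # sliding window over prompts
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            burst = events[start:end + 1]
            if len(burst) >= threshold:
                alerts[user] = {
                    "prompts": len(burst),
                    "rejected": sum(1 for r in burst if r["result"] != "approved"),
                    "ended_in_approval": burst[-1]["result"] == "approved",
                }
    return alerts
```

Carol's two prompts hours apart are normal use and produce no alert; Alice's four rejections followed by an approval within four minutes are the sequence worth investigating.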

MFA’s biggest weakness lies in the humans who use it. Therefore, effective training is the most important step businesses can take to protect themselves. Organizations need to explain to employees why MFA is needed and how it works, and address common employee concerns over its potential inconvenience. Employees should be trained to recognize phishing attempts used to steal MFA codes, to report MFA requests they did not initiate, and to practice good password management (using unique, long, and complex passwords, avoiding common words, etc.).

MFA as Part of a Layered Security Approach

While MFA significantly improves the security of sensitive resources, it cannot be relied on as the only layer of protection; rather, it should be implemented as a complementary layer as part of a defense-in-depth strategy. The added security that MFA provides makes it far more effective than traditional authentication methods. In an increasingly digital world where cyber threats are more sophisticated, adopting MFA, alongside effective training, is essential to safeguard sensitive data and ensure the integrity of online transactions.
