Multifactor Authentication

Password-based security has become the weakest link in enterprise defence. Multifactor Authentication (MFA) is a core security control that adds layers of protection against credential theft, phishing and account compromise. As organisations adopt cloud-first architectures and remote work, identity has become the new security perimeter, and MFA acts as its primary gatekeeper. Microsoft research indicates that MFA blocks more than 99.2% of account compromise attempts, making it an essential component of any enterprise security framework.


What Is Multifactor Authentication (MFA)?

Multifactor authentication (MFA) is a security control that requires two or more independent verification factors before granting access to an account or system. It moves beyond single-password protection by combining multiple authentication elements. If an attacker phishes or social engineers a user’s password, they still cannot authenticate without also satisfying the secondary factor.

MFA authentication factors typically fall into three distinct categories:

  • Something you know: Knowledge-based factors like passwords, PINs, or security questions
  • Something you have: Possession-based factors such as mobile devices, hardware tokens, or smart cards
  • Something you are: Biometric factors, including fingerprints, facial recognition, or voice patterns

By requiring at least two factors from different categories, MFA creates multiple barriers that attackers must overcome. This layered approach significantly reduces the likelihood of a successful account attack even when one authentication factor is compromised.

How Multifactor Authentication Works

MFA exists because usernames and passwords are often easy to guess or steal.

Computing power has made brute-force attacks on passwords cheap. When an attacker steals a database of password hashes, commodity GPU hardware can test billions of guesses per second offline against fast hash functions, and even slow, memory-hard hashes such as bcrypt or scrypt only delay the cracking of a weak or reused password. Quantum computing does not change this picture much: Grover’s algorithm offers at most a quadratic speedup for this kind of guessing, so a password that is weak today is already weak on classical hardware.

A second problem with current password workflows is reuse. Users cannot remember dozens of unique, long passwords, so they reuse the same one across platforms; an attacker who steals the password for one account can then log in to the others. Password managers let users keep a unique password per site without memorising them, but a compromised manager, or a phished master password, exposes every stored credential at once.

MFA is designed to neutralise brute-force password attacks and to blunt phishing. The basic flow is the same in every deployment; what differs is the secondary factor.

Step 1: Initial Login Attempt

Users start by entering their usual username and password. This is the first piece of evidence that you are who you claim to be. Once these details are verified, the system asks for additional verification.

Step 2: Second Factor Activation

Next is a prompt for the second layer of security. MFA systems often involve a text message with a code, a notification on your phone to approve, or a request to scan your fingerprint or face. The exact method depends on what your company has set up and your personal preferences.

Step 3: Verification and Access

Finally, you respond to that second security check. You might type in a code that changes every 30 seconds, tap “approve” on your phone, or complete a quick biometric scan. Once you’ve cleared both security hurdles, you’re granted access to whatever you were trying to reach.

The most common second factor in practice is a one-time password (OTP): a short numeric code delivered to the user’s smartphone, traditionally by SMS. Nearly every user has a phone, so SMS codes let an organisation roll MFA out to everyone without extra hardware. The weakness is that a code the user can type, an attacker can type too. In recent years, commodity phishing tools, also known as phish kits, have gained the ability to circumvent this kind of MFA. The phishing site is no longer a static copy of the login page: it sits on a lookalike domain and runs a transparent reverse proxy that serves the real content from the genuine site. The victim logs in as normal, the proxy relays the password and the OTP to the real service in real time, and the attacker captures the resulting session.

Because SMS can be intercepted (through SS7 signalling attacks and SIM swapping), many companies have moved to delivering OTPs over other channels. Email is one option, but it leaves the user exposed if their mailbox is compromised. Authenticator apps installed on the user’s device are a better option: they generate time-based one-time codes locally, and the user enters the current code as the second step of the login.

Biometrics avoid the shared code altogether: in most implementations the fingerprint or face is checked locally on the device, where it unlocks a device-bound credential, so there is no code for a phishing page to capture. The approach has its own drawbacks. Suitable sensors are required, biometric templates cannot be rotated if they leak, and integrating biometric login into existing desktop and legacy applications is still harder than adding a code prompt. Sensors are now cheap and widespread, built into almost every modern smartphone and into desktop platforms through features such as Windows Hello, which is why biometrics increasingly appear as the local unlock for a FIDO2 credential rather than as a factor transmitted to the server.

Types of MFA Methods

Organisations today can leverage a diverse range of MFA implementation options, each with distinct security levels and user experience considerations. The choice of MFA method should align with an organisation’s risk tolerance, user technical proficiency, and operational requirements.

SMS/Email-based Codes

SMS and email-based authentication send temporary codes to users’ registered phone numbers or email addresses for verification. While convenient and requiring no additional hardware, these methods are considered the least secure MFA options due to vulnerabilities like SIM swapping attacks and email account compromises. SMS authentication is particularly susceptible to interception since phone numbers are often publicly available and can be targeted through social engineering techniques.

Authenticator Apps (TOTP)

Time-based One-Time Password (TOTP) authenticator apps generate six-digit codes that change every 30 seconds on the user’s mobile device, derived from a shared secret and the current time (RFC 6238). This is significantly more secure than SMS because the code is computed locally and never travels over the phone network. It is not phishing-resistant, however: a code the user types into a lookalike site can be relayed to the real one within its 30-second validity window. The practical limitation is that users must have the enrolled device at hand, and losing it means re-enrolment.
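The three-step workflow above (password first, then a second factor that is checked before access is granted) and the TOTP method just described can be shown end to end in one small verifier. This is an added example, not Proofpoint’s code or the code of any authenticator product: `hotp()`/`totp()` follow RFC 4226 and RFC 6238 with HMAC-SHA1, a 30-second step and six digits, while the in-memory user store, the demo user `alice`, her password and the use of the RFC test-vector secret are constructed for illustration. Two details matter for security and are easy to get wrong: the code is compared in constant time, and a counter that has already been accepted is refused, so a code captured by a phishing page cannot be replayed after the genuine login used it.

```python
"""Two-step login check: password (something you know), then a TOTP code
(something you have), with clock-drift tolerance and replay rejection.

Added example, not Proofpoint's or any vendor's code. hotp()/totp() implement
RFC 4226 / RFC 6238 (HMAC-SHA1, 30-second step, 6 digits); the in-memory user
store, the demo user "alice" and her password are constructed for illustration.
"""
import hashlib
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: dynamic truncation of HMAC-SHA1(secret, counter) to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


class MfaVerifier:
    """Per-user salted password hashes plus TOTP secret and last accepted counter."""

    STEP = 30
    WINDOW = 1  # also accept the previous and next 30-second code (clock drift)

    def __init__(self) -> None:
        self._users: dict = {}

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def enrol(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "pw_hash": self._hash_password(password, salt),
            "totp_secret": totp_secret,
            "last_counter": -1,  # highest TOTP counter already used; blocks replay
        }

    def verify_login(self, username: str, password: str, code: str, now=None) -> str:
        """Return 'ok', 'bad_password', 'bad_code' or 'replayed_code'."""
        now = int(time.time() if now is None else now)
        user = self._users.get(username)

        # Step 1: the password. Do the same hashing work for an unknown user so
        # that response time does not reveal which usernames exist.
        salt = user["salt"] if user else b"\x00" * 16
        expected = user["pw_hash"] if user else b"\x00" * 32
        password_ok = hmac.compare_digest(self._hash_password(password, salt), expected)
        if user is None or not password_ok:
            return "bad_password"

        # Steps 2 and 3: the second factor. Try each counter in the drift
        # window with a constant-time comparison.
        current = now // self.STEP
        for counter in range(current - self.WINDOW, current + self.WINDOW + 1):
            if hmac.compare_digest(hotp(user["totp_secret"], counter).encode(), code.encode()):
                if counter <= user["last_counter"]:
                    # Same code presented again, e.g. captured by a phishing
                    # page and relayed after the genuine login already used it.
                    return "replayed_code"
                user["last_counter"] = counter
                return "ok"
        return "bad_code"


# RFC 6238 test-vector secret, used here only as a constructed demo value.
DEMO_SECRET = b"12345678901234567890"


def make_demo_verifier() -> MfaVerifier:
    verifier = MfaVerifier()
    verifier.enrol("alice", "correct horse battery staple", DEMO_SECRET)
    return verifier


if __name__ == "__main__":
    v = make_demo_verifier()
    now = int(time.time())
    code = totp(DEMO_SECRET, now)  # what the authenticator app would display
    print(v.verify_login("alice", "correct horse battery staple", code, now))  # ok
    print(v.verify_login("alice", "correct horse battery staple", code, now))  # replayed_code
```

The drift window of one step on either side is the usual compromise between tolerating an out-of-sync phone clock and widening the window an attacker has to relay a captured code; the replay check is what stops the same code from being used twice inside that window.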

Push Notifications

Push notification MFA sends approval requests directly to users’ registered mobile devices, allowing them to approve or deny login attempts with a simple tap. This method provides an excellent user experience and is currently the most popular MFA method after passwords, used by 29% of organisations according to Okta research. However, push notifications can be vulnerable to “notification fatigue”, where users might accidentally approve malicious requests.

Hardware Tokens

Hardware tokens are physical devices that either display time-sensitive codes or connect via USB or NFC to answer a cryptographic challenge. They are difficult to clone or compromise remotely, but the two kinds differ in one important respect: a displayed code can still be typed into a phishing page and relayed in real time, whereas a challenge-response token (see phishing-resistant MFA below) produces nothing the user can hand over. The main drawbacks are higher implementation costs and the risk of users losing or forgetting their tokens, which can lead to account lockouts.

Biometrics (Fingerprint, Retina, Facial Recognition)

Biometric authentication uses unique physical characteristics like fingerprints, facial features, or retinal patterns to verify a user’s identity. This method offers high security and convenience since users cannot forget or lose their biometric data. However, biometric systems require specialised hardware and raise privacy concerns about storing sensitive personal data. Also, biometric data cannot be changed if compromised.

Smartcards or USB Keys (e.g., YubiKey)

USB security keys and smartcards provide cryptographic authentication through physical insertion into devices or near-field communication (NFC) connectivity. These methods offer excellent security and work across multiple devices and platforms. The primary challenges include procurement costs for organisations and the need for users to carry and maintain physical devices.

Phishing-Resistant MFA Options

Modern cybersecurity guidance, including NIST SP 800-63B and CISA’s phishing-resistant MFA recommendations, increasingly favours methods built on the FIDO2 and WebAuthn standards. The browser and authenticator bind each signature to the relying party’s domain and to a server-issued challenge, and the private key never leaves the authenticator, so there is no shared secret or code to relay: a lookalike site cannot obtain a valid assertion for the genuine one. FIDO2 and WebAuthn also enable passwordless login, combining stronger security with a simpler user experience.
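The reason a reverse-proxy phishing site fails against FIDO2 is visible in the relying-party checks, shown here as an added example that is not the page’s or any vendor’s code. The relying party ID `login.example.com`, the expected origin, the challenge values and the lookalike domain `login-example.com` are constructed for illustration. The browser writes the page’s real origin into `clientDataJSON` (page script cannot change it), the authenticator hashes the relying party ID into `authenticatorData`, and both structures are covered by the signature; the server checks them before it even looks at the signature. The final step, verifying that signature over `signed_data` with the credential’s registered public key (usually ECDSA P-256), needs a crypto library and is left out.

```python
"""Relying-party checks that make a WebAuthn/FIDO2 assertion bound to the
genuine origin, and the data the authenticator's signature must cover.

Added example, not the page's or any vendor's code. RP_ID, EXPECTED_ORIGIN,
the challenge values and the lookalike origin are constructed for illustration.
Signature verification over `signed_data` with the credential's registered
public key (usually ECDSA P-256) needs a crypto library and is not shown.
"""
import base64
import hashlib
import hmac
import json

RP_ID = "login.example.com"                     # assumed relying party ID
EXPECTED_ORIGIN = "https://login.example.com"   # the only origin we accept


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON as the *browser* builds it. The origin field is filled in
    by the browser from the page's actual origin; page script cannot set it."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def make_authenticator_data(rp_id: str, sign_count: int, user_present: bool = True) -> bytes:
    """Minimal authenticatorData: rpIdHash (32) || flags (1) || signCount (4)."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes, last_sign_count: int):
    """Return (ok, reason, signed_data). On success signed_data is
    authenticatorData || SHA-256(clientDataJSON): the bytes the signature covers,
    so origin, challenge and rpIdHash all sit under the authenticator's signature."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON", None
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type", None
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replayed or foreign session)", None
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')!r}", None
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short", None
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to another relying party", None
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set", None
    sign_count = int.from_bytes(authenticator_data[33:37], "big")
    if sign_count != 0 and sign_count <= last_sign_count:
        return False, "signature counter did not increase (possible cloned authenticator)", None
    signed_data = authenticator_data + hashlib.sha256(client_data_json).digest()
    return True, "ok", signed_data


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; use os.urandom(32) per login in practice
    genuine = make_authenticator_data(RP_ID, sign_count=42)
    print(verify_assertion(make_client_data(challenge, EXPECTED_ORIGIN), genuine, challenge, 41)[:2])
    # Adversary-in-the-middle proxy on a lookalike domain: the browser records the
    # lookalike origin, and a credential can only be scoped to that domain's rpId.
    print(verify_assertion(make_client_data(challenge, "https://login-example.com"), genuine, challenge, 41)[:2])
    print(verify_assertion(make_client_data(challenge, EXPECTED_ORIGIN),
                           make_authenticator_data("login-example.com", 42), challenge, 41)[:2])
```

Either of the two phishing cases is enough on its own to reject the assertion, and because both fields are under the signature, the proxy cannot rewrite them to match the genuine site.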

Why Is MFA Important?

MFA was introduced when phishing and social engineering became a primary cyber-attack method. Phishing emails with malicious links, keyloggers, and requests for private credentials pose a serious threat to companies and individuals. Phishing attacks that result in credential theft cost companies millions in data breaches. An authentication process with no MFA for an individual means an attacker with stolen credentials can authenticate into their account.

Attackers use social engineering for a variety of reasons, but one of them is to convince users to divulge their account credentials. A simple convincing phone call could grant attackers access to high-privilege accounts, which could then lead to a large-scale data breach. In more advanced attacks, an attacker could use a combination of phishing and social engineering to steal credentials.

With MFA integrated into an authentication system, most phishing and social engineering attacks that yield only a password fail. The attacker has the credentials but not the second factor; a user talked into revealing a password has still not handed over the second authentication requirement.

Secondary factors are mostly effective, but attackers occasionally bypass them with social engineering. Attackers targeting a specific individual will phone the victim after stealing the password and talk them into reading out the one-time code. This does not work against FIDO2 or biometric factors, which produce nothing the user can read out, but most organisations still use a code as the second factor. Until phishing-resistant methods are more widely deployed, social engineering remains a significant weakness of code-based MFA.

Credential stuffing attacks, in which criminals automatically test stolen username-password combinations across multiple sites, are largely neutralised when MFA is properly implemented. MFA also stops a keylogger from yielding complete access, since the attacker still lacks the second factor. Business email compromise becomes significantly harder when the mail system requires verification beyond a stolen password.

Modern enterprise environments face heightened security risks through VPN access, cloud applications, and privileged account management. MFA provides essential protection for VPN connections, which have become primary targets as remote work expands organisational attack surfaces. Cloud services and applications benefit from MFA’s layered approach, ensuring that even compromised credentials cannot grant unauthorised access to sensitive business systems. Privileged accounts, which represent the highest organisational risk, require MFA implementation to prevent lateral movement and administrative compromise.

Regulatory frameworks across various industries now mandate or strongly recommend MFA implementation as a baseline security control. HIPAA requires healthcare organisations to implement strong access controls for electronic Protected Health Information, with MFA considered essential for compliance. The Payment Card Industry Data Security Standard (PCI DSS) explicitly requires MFA for users accessing cardholder data environments and all remote network access. NIST guidelines establish MFA as a foundational component of federal and enterprise security frameworks, emphasising its role in protecting controlled information.

When Should MFA Be Used?

Any website or internal system that stores and works with sensitive data should use MFA. Without MFA added to an authentication workflow, a system accessible to attackers could be vulnerable to brute-force password attacks and credential theft. It’s an added developer expense, so some systems that don’t store sensitive data skip having MFA.

Before a developer determines that MFA is not needed, compliance regulations should first be reviewed to ensure there are no regulatory violations. Some regulatory standards require MFA on critical systems that store sensitive data. Any system that stores financial data, personal identifiable information (PII), or healthcare data needs MFA to authenticate into the network. MFA might not be required internally, but administrators who authenticate remotely might need to use MFA to stay compliant.

Third-party integration options make it easier to include MFA in an authentication workflow. If the system is available to the public where an attacker could authenticate with stolen credentials, MFA should be included in the workflow. Other fraud detection systems can also be used to detect brute-force attacks or stolen credentials, but the first step is to use MFA to stop attackers.

Challenges and Limitations of MFA

While MFA provides significant security benefits, organizations must understand its limitations to implement effective authentication strategies. Even well-designed MFA systems can face vulnerabilities that require careful consideration and mitigation.

  • User friction: MFA introduces additional steps that can disrupt workflow and reduce productivity. According to Jeremy Carpenter, VP at SecureAuth, “Research shows that excessive MFA requests can reduce productivity by up to 12%, and frustrated users may start looking for ways to bypass security measures altogether.” This friction becomes particularly frustrating when users are constantly prompted for authentication across multiple applications throughout their workday.
  • Phishing of second factors: Sophisticated attackers now target MFA systems directly through real-time interception techniques. These adversary-in-the-middle attacks can capture both initial credentials and second-factor authentication codes as users enter them on malicious websites. Attackers create convincing fake login pages that harvest not only passwords but also the time-sensitive codes users receive via SMS or authenticator apps.
  • SMS interception or SIM swapping: SMS-based MFA remains vulnerable to SIM swapping attacks, where criminals transfer a victim’s phone number to their own device. This technique allows attackers to intercept verification codes sent via text message, effectively bypassing the second authentication factor. The attack often succeeds because mobile carriers rely on easily compromised personal information for identity verification during SIM transfers.
  • MFA fatigue attacks: Attackers exploit push notification systems by bombarding users with repeated authentication requests until they approve access out of frustration or confusion. These “MFA bombing” attacks have proven successful in high-profile breaches, including the 2022 Uber incident, where persistent notifications eventually led to user approval. The simplicity of approving notifications with a single tap makes users vulnerable to this social engineering tactic.
  • Device dependency and single points of failure: MFA systems create dependencies on specific devices or applications that can become unavailable when needed most. Users locked out due to lost phones, dead batteries, or app malfunctions face productivity disruptions and often require IT support for account recovery. This dependency can also create security gaps when organisations lack proper backup authentication methods.
  • Implementation costs and complexity: Deploying MFA across enterprise environments requires significant investment in hardware, software licenses, and user training. The complexity of managing multiple authentication methods across diverse systems can strain IT resources and create inconsistencies in security policies. Smaller organisations may struggle with these costs while larger enterprises face challenges in standardising MFA implementations across global operations.
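The MFA fatigue item above is one of the few MFA weaknesses that leaves a clear trail in the identity provider’s logs: a run of push prompts, several denials, and then an approval. The detection below is an added example, not the page’s or any vendor’s code. The `key=value` log format, the users, IP addresses and timestamps are constructed (real identity-provider logs differ in layout), and the thresholds are assumptions to tune locally. It streams the log once, keeps a sliding window of prompts per user, raises a `push_burst` alert when the window fills, and raises a higher-severity `approval_after_burst` alert for the approval that follows, which is the event to act on.

```python
"""Flagging an MFA-fatigue (push bombing) burst in authentication logs.

Added example, not the page's or any vendor's code. The key=value log format,
the users, IPs and timestamps are constructed; real identity-provider logs
differ in layout, and the thresholds below are assumptions to tune locally.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BURST_COUNT = 5                       # prompts within the window that count as a burst
BURST_WINDOW = timedelta(minutes=10)

# Constructed sample: bob logs in normally; alice is bombed with prompts late at
# night, denies several, and finally approves one.
SAMPLE_LOG = """\
2024-05-02T08:01:12Z user=bob event=push_sent ip=203.0.113.7
2024-05-02T08:01:20Z user=bob event=push_approved ip=203.0.113.7
2024-05-02T23:14:01Z user=alice event=push_sent ip=198.51.100.9
2024-05-02T23:14:09Z user=alice event=push_denied ip=198.51.100.9
2024-05-02T23:15:30Z user=alice event=push_sent ip=198.51.100.9
2024-05-02T23:15:41Z user=alice event=push_denied ip=198.51.100.9
2024-05-02T23:16:55Z user=alice event=push_sent ip=198.51.100.9
2024-05-02T23:18:02Z user=alice event=push_sent ip=198.51.100.9
2024-05-02T23:18:10Z user=alice event=push_denied ip=198.51.100.9
2024-05-02T23:19:47Z user=alice event=push_sent ip=198.51.100.9
2024-05-02T23:21:05Z user=alice event=push_sent ip=198.51.100.9
2024-05-02T23:21:33Z user=alice event=push_approved ip=198.51.100.9
"""


def parse_line(line: str) -> dict:
    """'<iso-timestamp> k=v k=v ...' -> dict with a datetime under 'time'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def analyse(log_text: str) -> list:
    """Stream the log once, keeping a sliding window of push prompts per user."""
    prompts = defaultdict(deque)   # user -> timestamps of recent push_sent events
    in_burst = defaultdict(bool)   # user -> a burst alert was already raised for this window
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, now = ev["user"], ev["time"]
        window = prompts[user]
        while window and now - window[0] > BURST_WINDOW:
            window.popleft()       # drop prompts that fell out of the window
        if ev["event"] == "push_sent":
            window.append(now)
            if len(window) >= BURST_COUNT and not in_burst[user]:
                in_burst[user] = True
                alerts.append({"rule": "push_burst", "user": user, "time": now,
                               "prompts": len(window), "ip": ev["ip"]})
        elif ev["event"] == "push_approved" and len(window) >= BURST_COUNT:
            # The approval that follows a burst is the likely compromise:
            # revoke the session and contact the user out of band.
            alerts.append({"rule": "approval_after_burst", "user": user, "time": now,
                           "prompts": len(window), "ip": ev["ip"]})
        if len(window) < BURST_COUNT:
            in_burst[user] = False  # window drained: the next burst alerts again
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

In production the same logic usually runs as a SIEM rule keyed on the identity provider’s push events; the useful enrichment beyond this example is whether the prompts originated from an IP address or device the user has never logged in from before.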

The effectiveness of MFA depends heavily on selecting appropriate authentication methods and providing comprehensive user education. Organisations should prioritise phishing-resistant technologies like FIDO2 and WebAuthn over vulnerable SMS-based systems. Success requires not just enabling any MFA solution, but implementing strong methods combined with ongoing security awareness training that helps users recognise and respond appropriately to social engineering attacks.

Best Practices for Using MFA

Successful MFA implementation requires more than just enabling additional authentication factors. Organisations must balance robust security measures with user-friendly experiences to ensure widespread adoption and long-term effectiveness.

  • Use phishing-resistant methods where you can, and at minimum retire SMS codes. FIDO2/WebAuthn security keys and platform authenticators bind each login cryptographically to the genuine site, so real-time adversary-in-the-middle phishing fails. Authenticator apps are a clear improvement over SMS, but their codes can still be relayed by a phishing page within their validity window.
  • Enable MFA on all critical accounts, especially email, admin portals, and cloud services. Prioritise privileged accounts and systems that could enable lateral movement within your network if compromised.
  • Avoid using the same device for authentication and access. Users should not authenticate MFA requests using the same mobile browser or device they use to log in to applications.
  • Educate users on how MFA works and how to recognise fraud attempts. Training should cover recognising MFA fatigue attacks, understanding when to approve or deny authentication requests, and reporting suspicious activity.
  • Regularly audit and update MFA configurations to remove inactive users and review access levels. Organisations should assess which MFA methods are enabled, monitor authentication logs for suspicious patterns, and ensure backup authentication methods are properly configured.

Even the strongest authentication methods can fail if users aren’t trained to use them securely.

MFA vs. SSO: What’s the Difference?

Single Sign-On (SSO) is a system that allows users to access multiple applications or services with one set of login credentials. Instead of remembering separate usernames and passwords for email, cloud storage, project management tools, and other business applications, users authenticate once and gain access to all authorised systems. SSO focuses on convenience and centralised access management, streamlining the user experience across an organisation’s technology ecosystem.

SSO addresses convenience and user experience, while MFA focuses on adding layers of security to the authentication process. SSO eliminates the need for users to manage multiple passwords, reducing password fatigue and the likelihood of weak credential practices. MFA ensures that authentication remains secure even when primary credentials are compromised by requiring additional verification factors.

SSO and MFA are complementary, not competing, technologies that work best together. SSO removes repetitive logins across applications, but it also concentrates risk: one stolen SSO credential opens every connected application. Requiring MFA at the SSO identity provider places the second barrier exactly where it matters most, so a phished password alone does not grant entry to any of the downstream systems. The most secure identity environments use the two together.

MFA is a Minimum, Not a Luxury

In an era where cyber criminals target credentials as the primary attack vector, multifactor authentication represents the baseline security control that every organisation must implement. MFA stands as one of the simplest yet most effective tools for identity protection. The question is no longer whether to deploy MFA, but rather how quickly organisations can extend it across their entire digital infrastructure.

However, MFA alone cannot solve all identity security challenges. The most resilient organisations adopt a layered security approach that combines MFA with comprehensive user education and continuous visibility into authentication patterns. This three-pillar strategy ensures that technical controls work alongside human awareness and threat detection capabilities to create a robust defence against evolving credential-based attacks.

How Proofpoint Can Help

Proofpoint’s human-centric security solutions provide comprehensive protection against credential-based attacks by combining advanced threat detection with user and entity behaviour analytics, as well as security awareness training. Our integrated approach recognises that people are both the target and the strongest line of defence, delivering layered protection that adapts to how your workforce actually operates. With Proofpoint, organisations can implement effective MFA strategies while building a security-conscious culture that reduces risk from the inside out. Contact Proofpoint to learn more.
