Who this page is for
IT and security leaders, administrators, auditors and anyone introducing or improving MFA in their organisation.
What is MFA?
Multi-factor authentication requires multiple independent proofs when signing in, typically from the categories knowledge, possession and inherence. Knowing only the password is not enough.
Why passwords alone are not enough
Passwords get compromised through phishing, data leaks, reuse and malware. Without a second factor, a stolen password means immediate account takeover.
Methods at a glance
Push MFA through an authenticator app is convenient but exposed to push bombing.
TOTP one-time codes are solid and vendor-independent.
FIDO2 and security keys bind the second factor to hardware and are particularly phishing resistant.
Passkeys combine key material with devices and are a modern evolution, useful where supported.
SMS codes are better than nothing but not robust against SIM swap or phishing.
Risks: MFA fatigue and push bombing
Attackers with a valid password trigger repeated push prompts until the user approves out of exhaustion. Countermeasures include number matching, device trust, conditional access and awareness. Phishing-resistant methods such as FIDO2 are far better here.
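As an added illustration, not part of this page's original content, the following detector flags the push-bombing pattern in constructed sign-in events: a burst of unanswered or denied push prompts for one account, and the worse case where an approval follows that burst. The log field names, thresholds and sample users are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (JSON lines), not real telemetry.
# Field names (ts, user, method, result) are assumptions for this example.
SAMPLE_LOG = """
{"ts": "2024-05-06T08:00:05Z", "user": "a.kumar", "method": "push", "result": "timeout"}
{"ts": "2024-05-06T08:00:40Z", "user": "a.kumar", "method": "push", "result": "denied"}
{"ts": "2024-05-06T08:01:20Z", "user": "a.kumar", "method": "push", "result": "timeout"}
{"ts": "2024-05-06T08:02:00Z", "user": "a.kumar", "method": "push", "result": "denied"}
{"ts": "2024-05-06T08:02:45Z", "user": "a.kumar", "method": "push", "result": "timeout"}
{"ts": "2024-05-06T08:03:10Z", "user": "a.kumar", "method": "push", "result": "approved"}
{"ts": "2024-05-06T09:30:00Z", "user": "b.ortiz", "method": "push", "result": "timeout"}
{"ts": "2024-05-06T09:30:30Z", "user": "b.ortiz", "method": "push", "result": "approved"}
"""

UNAPPROVED = {"denied", "timeout"}  # prompts the user did not accept

def parse_log(text):
    """Parse JSON lines into events sorted by timestamp."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])

def detect_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: 'normal' | 'burst' | 'approved_after_burst'}.
    'burst': >= threshold unapproved push prompts within `window`.
    'approved_after_burst': an approval inside `window` after a burst, i.e.
    the fatigue success case that should be treated as a likely compromise."""
    per_user = defaultdict(list)
    for e in events:
        if e["method"] == "push":
            per_user[e["user"]].append(e)
    verdicts = {}
    for user, evs in per_user.items():
        verdict, recent, burst_at = "normal", [], None
        for e in evs:
            recent = [t for t in recent if e["ts"] - t <= window]  # sliding window
            if e["result"] in UNAPPROVED:
                recent.append(e["ts"])
                if len(recent) >= threshold:
                    burst_at = e["ts"]
                    if verdict != "approved_after_burst":
                        verdict = "burst"
            elif e["result"] == "approved" and burst_at and e["ts"] - burst_at <= window:
                verdict = "approved_after_burst"
        verdicts[user] = verdict
    return verdicts

if __name__ == "__main__":
    for user, verdict in detect_push_bombing(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {verdict}")
```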
Rollout priority
A sensible order: admin accounts first, then mail and cloud, then VPN and external access, then critical systems, then the broader workforce. Service accounts need their own protection model.
Scenario
A company enforces MFA on all admins and the entire Microsoft 365 tenant first. Three weeks later an employee password is phished. The sign-in fails because the second factor is missing. The incident ends as an account compromise attempt with no damage.
Checklist
- MFA mandatory for admin and privileged accounts
- MFA on mail, cloud and VPN access
- Phishing-resistant methods where possible (FIDO2, passkeys)
- Number matching instead of plain push approval
- Documented recovery and break-glass paths
- Service accounts with dedicated protection
- Training on MFA fatigue and push bombing
Frequently asked questions
Are SMS codes good enough?
Better than nothing but not phishing resistant and exposed to SIM swap. Prefer app-based or FIDO2 methods where available.
What are passkeys?
Passkeys use device-bound key pairs and replace password plus second factor. They are convenient and phishing resistant when the service supports them.
Does MFA help against token theft?
Only partly. If session tokens are stolen after a successful sign-in, MFA no longer applies. Conditional access and shorter sessions reduce the risk.
Related topics
Identities are a primary target today. Clean handling of accounts, roles and permissions reduces the risk of many incidents significantly.
A compromised account is one of the most common incident types today. This page outlines causes, early signs and reasonable first actions.
Microsoft 365 is the central workspace and identity ecosystem for many organisations. This page outlines the key security building blocks without admin step-by-step instructions.
Zero trust is an architectural principle, not a product. It means: trust nothing automatically, verify every access based on identity, device and context.
Phishing remains one of the most common entry points. Modern attacks look professional, use trusted brands and adapt quickly. Technical filters, awareness and a simple report button belong together.
Business email compromise targets money or data flows through manipulated business mail - often via compromised mailboxes or convincing correspondence. This page outlines scenarios and controls.