MFA has lengthy been one of the efficient safety controls a company can deploy. It is cheap in comparison with many safety applied sciences, comparatively straightforward to implement and able to stopping a big share of credential-based assaults.
It isn’t a coincidence that just about each safety framework and cyber insurance coverage coverage recommends or requires MFA. Even so, merely checking the MFA-enabled field doesn’t suggest a company is sufficiently shielded from assault. In lots of breaches, the victimized group had MFA in place, and the flaw normally wasn’t within the know-how itself.
The difficulty typically outcomes from how MFA was deployed, configured or managed over time. Like several safety management, MFA is simply as efficient as its implementation.
Let’s take a look at some widespread methods MFA can go improper.
Mistake #1: Assuming MFA gives full protection
Downside: One of many largest errors organizations make is believing MFA is universally enforced. In actuality, it is common to seek out exceptions which have accrued over time. Service accounts, legacy functions, VPN home equipment, privileged administrator accounts, emergency entry accounts and older authentication protocols are sometimes excluded as a result of they have been troublesome emigrate or have been quickly exempted throughout deployment. It is also not unusual for some high-level executives or different key stakeholders to be granted exemptions as a result of they discover MFA a nuisance.
Attackers do not care whether or not 98% of a goal’s customers have MFA — they’re going to discover that 2%.
Answer: Periodically overview authentication insurance policies and establish accounts, functions or protocols that bypass MFA necessities, and, at minimal, allow extra rigorous monitoring on these accounts.
Mistake #2: Counting on weak authentication elements
Downside: Not all MFA strategies present the identical degree of safety. SMS-based one-time codes stay widespread, however they’re more and more susceptible to SIM swapping, phishing and social engineering schemes. E-mail-based verification introduces most of the identical weaknesses if the e-mail account itself turns into compromised.
Answer: Prioritize phishing-resistant strategies every time attainable, comparable to FIDO2 safety keys, passkeys, Home windows Hiya for Enterprise or platform authenticators constructed into endpoint units. These are rather more troublesome for attackers to outmaneuver.
Mistake #3: Giving in to MFA fatigue
Downside: Push notifications made MFA simpler for customers, however additionally they created a possibility for attackers. In an MFA fatigue assault, malicious hackers bombard customers with repeated approval requests, assuming that somebody will ultimately faucet “Approve” merely to make the notifications cease. Mixed with convincing social engineering, this system efficiently bypassed MFA in a number of high-profile breaches lately.
Answer: Many fashionable authentication platforms have applied quantity matching, location consciousness and extra verification steps. These options can considerably cut back unintended approvals. Allow them wherever attainable.
Mistake #4: Neglecting session safety
Downside: Many organizations focus closely on the login course of however pay far much less consideration to what occurs afterward. If an attacker steals an authenticated browser session or entry token, they may not have to authenticate once more in any respect. As a substitute of passwords, nefarious actors more and more goal session cookies, OAuth tokens and browser credentials.
Answer: Most safety groups now acknowledge that id safety wants to increase past preliminary MFA entry. Conditional-access insurance policies, machine belief, session expiration, continuous-access analysis and token safety all assist cut back the chance of session hijacking.
Mistake #5: Forgetting about privileged accounts
Downside: It is understood that admin accounts deserve stronger safety than customary customers, although safety groups do not all the time put this into observe. If attackers compromise some sorts of privileged accounts, they could be capable to disable MFA controls for chosen targets or everybody in a company.
Answer: International directors for SaaS platforms, cloud infrastructure directors, area directors and privileged assist desk accounts want the strongest out there authentication strategies. {Hardware} safety keys, phishing-resistant MFA, devoted administrative workstations and privileged entry administration (PAM) instruments considerably cut back danger.
Mistake #6: Treating MFA as a one-time mission
Downside: Organizations typically make investments closely in an MFA rollout after which transfer on to the subsequent initiative. Sadly, environments do not stand nonetheless. New SaaS functions are launched, enterprise acquisitions happen, legacy techniques stay in manufacturing, builders create service accounts and so forth. It isn’t unusual for exceptions to build up.
Answer: Conduct periodic critiques that ask:
- Which customers are nonetheless exempt from MFA?
- Which functions do not help fashionable authentication?
- Are stronger authentication strategies out there?
- Have dangerous authentication patterns modified?
- Are conditional entry insurance policies nonetheless aligned with enterprise necessities?
Deal with MFA as an operational safety program reasonably than a accomplished mission.
Mistake #7: Making ready for AI-assisted social engineering
Downside: Attackers are getting higher at persuading customers to approve authentication requests, typically aided by AI. AI-generated phishing emails, lifelike voice cloning and different deepfakes, in addition to extremely customized social engineering, make it simpler to trick customers into approving MFA prompts or sharing authentication codes.
Answer: These issues make person training much more necessary. Workers ought to perceive that safety groups, assist desks or distributors ought to by no means ask them to approve an sudden MFA request or present a verification code over the telephone. To strengthen this, regularly replace consciousness coaching.
MFA is a basis, not a end line
Regardless of these challenges, MFA stays one of the efficient safety controls out there. Organizations ought to view MFA as one part of a broader id safety technique that features phishing-resistant authentication, conditional entry, PAM, session safety, steady monitoring and common coverage critiques.
When applied thoughtfully and maintained over time, MFA stops numerous assaults each day. The organizations that get probably the most worth from MFA are those that acknowledge it isn’t a “ultimate state” for authentication. As a substitute, it is one of many core foundations of a stronger id safety program.
Dave Shackleford is founder and principal guide at Voodoo Safety, in addition to a SANS analyst, teacher and course creator, and GIAC technical director.









