Multi-Factor Authentication (MFA)

Multi-Factor Authentication

Also known as: MFA, 2FA, two-factor authentication, two-step verification

A security method requiring users to provide two or more verification factors to gain access to a system, combining something they know (password), have (phone), or are (fingerprint).

In-Depth Explanation

Multi-Factor Authentication (MFA) adds layers of security beyond passwords by requiring users to verify their identity through multiple independent factors. Even if one factor is compromised, attackers cannot gain access without the others.

Authentication factors:

  • Something you know: Password, PIN, security questions
  • Something you have: Phone, hardware token, smart card
  • Something you are: Fingerprint, facial recognition, iris scan

MFA methods:

  • SMS codes: One-time codes sent via text message (least secure MFA)
  • Authenticator apps: Time-based codes from Google Authenticator, Microsoft Authenticator, Authy
  • Push notifications: Approve/deny prompts on a trusted device
  • Hardware tokens: Physical devices like YubiKey (FIDO2/U2F)
  • Biometrics: Fingerprint, facial recognition, voice recognition
  • Email codes: One-time codes sent via email

MFA security hierarchy (least to most secure):

  1. SMS codes (vulnerable to SIM swapping, but better than no MFA)
  2. Email codes (better than SMS)
  3. Authenticator apps (TOTP - good security)
  4. Push notifications (good security, good UX)
  5. Hardware tokens/FIDO2 (highest security, phishing-resistant)

Where to implement MFA:

  • All cloud and SaaS application logins
  • Email accounts (primary attack vector)
  • VPN and remote access
  • Administrative and privileged accounts (mandatory)
  • Financial systems and payment processing
  • Customer-facing portals with sensitive data

MFA adoption best practices:

  • Start with admin and privileged accounts
  • Roll out to all employees with clear communication and training
  • Provide backup methods (backup codes, multiple devices)
  • Use conditional access policies (require MFA for risky logins)
  • Consider passwordless authentication as the end goal
  • Do not rely on SMS-only MFA for high-value accounts

Business Context

MFA prevents 99.9% of automated account compromise attacks. It is the single most impactful security control a business can implement, yet 57% of Australian businesses still do not use it consistently.

How Clever Ops Uses This

Clever Ops implements MFA across all business systems for Australian organisations. We configure authenticator apps, SSO with MFA, and conditional access policies that add security without excessive friction. Our implementations follow ACSC Essential Eight recommendations for multi-factor authentication maturity.

Example Use Case

"An Australian business mandates MFA for all employees using Microsoft Authenticator, implements hardware tokens for administrators, and configures conditional access requiring MFA for any login from outside Australia, blocking 100% of automated credential stuffing attacks."
