What is Multi-Factor Authentication (MFA)?
MFA requires more than a password to authenticate. Learn how it works, why passwords alone fail, and what boards and PE firms should require across portfolio companies.
How MFA Works: The Three Authentication Factors
Authentication factors are divided into three categories. Something you know: passwords, PINs, security questions. Something you have: a smartphone running an authenticator app, a hardware security key, a one-time password sent via SMS. Something you are: biometric characteristics — fingerprint, facial geometry, iris patterns.
MFA requires at least two factors from different categories. A password plus a fingerprint is MFA. A password plus a PIN is not — both are knowledge factors, and compromising the knowledge source (a breach database, shoulder surfing) compromises both simultaneously. The security value of MFA comes from requiring factors that cannot be simultaneously compromised through a single attack vector.
MFA Methods Ranked by Security
Not all MFA is equal. The security value of different MFA methods varies significantly, and understanding the difference matters for risk decisions.
SMS one-time passwords are the weakest MFA method still in widespread use. An attacker who executes a SIM swap — convincing a mobile carrier to transfer a victim's phone number to an attacker-controlled SIM — intercepts SMS codes. Scattered Spider, the threat group responsible for the MGM and Caesars breaches, used SIM swapping as a standard technique. SMS OTP is significantly better than no MFA, but should not be used to protect high-value accounts.
Authenticator app one-time passwords (TOTP) — generated by apps like Microsoft Authenticator, Google Authenticator, or Authy — are more resistant than SMS because the shared secret lives in the app on the device rather than with the carrier, so there is nothing to SIM-swap. However, they remain vulnerable to real-time phishing: an attacker who creates a convincing login page can prompt the victim for both their password and their OTP simultaneously, then forward both to the real site before the OTP expires. Nothing in a TOTP code ties it to the site the user typed it into. This attack, known as AiTM (Adversary-in-the-Middle) phishing, has been used at scale in documented campaigns.
Push notifications with number matching — where the authenticator app displays a number that must match what the login screen shows — significantly reduce MFA fatigue attacks, where attackers flood a user with push notifications until one is accidentally approved.
Phishing-resistant MFA — specifically FIDO2 hardware security keys (YubiKey, Titan Key) and passkeys — is the gold standard. These methods bind each authentication to the specific origin requesting it: the authenticator signs a server-issued challenge together with the origin the browser is actually on, and a credential registered for the real site is never offered to a look-alike domain. A response produced on a phishing site therefore cannot be replayed against the real one, which is what makes these methods technically impossible to intercept or replay through a phishing page. CISA has explicitly recommended phishing-resistant MFA for all privileged accounts.
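The contrast between the two preceding paragraphs, as an added illustration that is not part of this article: a standard-library Python model of a TOTP verifier (RFC 6238) next to a simplified origin-bound assertion in the style of FIDO2/WebAuthn. The TOTP part is the real algorithm; the FIDO2 part is a model, and its use of an HMAC key shared with the relying party in place of the authenticator's ECDSA key pair is an assumption made to keep the example dependency-free. Names such as Authenticator, RelyingParty, fido_login and totp_survives_relay are illustrative, not from any product.

```python
import hashlib
import hmac
import json
import secrets
import struct

# ---- TOTP as in RFC 6238 (what authenticator apps generate) ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30) -> str:
    """The code shown on the phone at Unix time `at`."""
    return hotp(secret, at // step)

def verify_totp(secret: bytes, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check: the current step plus `skew` steps either side for clock drift.
    Nothing here binds the code to the site the user typed it into."""
    return any(hmac.compare_digest(code, hotp(secret, at // step + d))
               for d in range(-skew, skew + 1))

def totp_survives_relay(secret: bytes, now: int, relay_delay: int = 10) -> bool:
    """AiTM pattern: the victim types the current code into a look-alike page and the
    proxy forwards it to the real server `relay_delay` seconds later, still inside the
    validity window. Returns True when the real server accepts the relayed code."""
    phished_code = totp(secret, now)
    return verify_totp(secret, phished_code, now + relay_delay)

# ---- Origin-bound assertion, modelled on FIDO2/WebAuthn ----
# Assumption: the real authenticator's ECDSA key pair is replaced by an HMAC key that the
# relying party also holds, so the example stays stdlib-only. The lesson is in *what* is
# signed (the origin and a fresh challenge), not in the signature primitive.

class Authenticator:
    def __init__(self):
        self._keys = {}  # one credential per relying-party id

    def register(self, rp_id: str) -> bytes:
        self._keys[rp_id] = secrets.token_bytes(32)
        return self._keys[rp_id]

    def get_assertion(self, rp_id: str, origin: str, challenge: str):
        # The browser fills in rp_id and origin from the page's actual URL; no human types them.
        key = self._keys.get(rp_id)
        if key is None:
            return None  # no credential scoped to this site: nothing to sign
        client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()
        return client_data, hmac.new(key, client_data, hashlib.sha256).digest()

class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin, self.key = rp_id, origin, None

    def verify(self, assertion, challenge: str) -> bool:
        if assertion is None:
            return False
        client_data, sig = assertion
        data = json.loads(client_data)
        if data["origin"] != self.origin or data["challenge"] != challenge:
            return False  # signed for the wrong site, or a replayed challenge
        return hmac.compare_digest(sig, hmac.new(self.key, client_data, hashlib.sha256).digest())

def browser_rp_id(origin: str) -> str:
    """Simplified browser rule: the rp_id comes from the page's host, never from the page's choice."""
    return origin.split("://", 1)[1].split("/")[0]

def fido_login(real_origin: str, visited_origin: str) -> bool:
    """True if a login performed on the page the user actually visited verifies at the real site."""
    rp = RelyingParty(browser_rp_id(real_origin), real_origin)
    auth = Authenticator()
    rp.key = auth.register(rp.rp_id)
    challenge = secrets.token_hex(16)  # issued by the real RP; a proxy could forward it unchanged
    assertion = auth.get_assertion(browser_rp_id(visited_origin), visited_origin, challenge)
    return rp.verify(assertion, challenge)

if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # the RFC 6238 test secret, constructed input
    print("TOTP relayed within the window accepted:", totp_survives_relay(demo_secret, 1_700_000_000))
    print("FIDO login from real site:", fido_login("https://example.com", "https://example.com"))
    print("FIDO login from look-alike site:", fido_login("https://example.com", "https://login-example.com"))
```

The relayed TOTP verifies because the server has no way to know where the code was entered; the look-alike login fails twice over, once because the authenticator holds no credential for the look-alike host and again because the relying party checks the origin inside the signed client data.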
Where MFA Must Be Deployed
MFA is only effective where it is enforced. A common audit finding at mid-market companies is MFA deployed on some applications but not others — creating gaps that attackers specifically target. The most important deployment surfaces are remote access (VPN, RDP, Citrix), cloud application access (Microsoft 365, Salesforce, Google Workspace), privileged accounts and administrative access, financial systems and accounts payable portals, and identity provider logins. A company with MFA on Microsoft 365 but without MFA on its VPN and accounting software has a false sense of MFA coverage.
Legacy authentication protocols — IMAP, POP3, SMTP AUTH, older Exchange protocols — bypass modern MFA entirely and must be blocked. This is a frequent finding in Microsoft 365 environments where MFA is deployed on the web interface but legacy protocols remain enabled, giving attackers a path around MFA through protocol downgrade.
MFA Fatigue: The Attack That Defeats Push Notifications
MFA fatigue attacks target push notification MFA by generating repeated authentication requests — sometimes dozens per minute — in hopes that the victim approves one to make the notifications stop. Uber was compromised in 2022 in part through an MFA fatigue attack: Scattered Spider sent repeated MFA push notifications to an Uber contractor, then contacted the contractor via WhatsApp claiming to be IT support and instructing them to approve the notification. The contractor complied.
The defense is number matching (requiring the user to match a number shown on the login screen, not just press Approve) and additional context (showing the login location and application in the push notification). Microsoft and other providers have implemented these controls — but they must be configured. Default settings often do not enforce them.
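Two of the audit findings described above, the open legacy-protocol path and the MFA-fatigue burst, can be checked from sign-in logs. The following Python triage script is an added example, not code from this article or from Microsoft. The sample events are constructed; their field names loosely follow the Entra ID sign-in log shape, the `clientAppUsed` values are the ones Microsoft documents for that field, and `mfaResult` is a simplified stand-in for the real MFA outcome fields, so map both to your own tenant's export before relying on it.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events (not real tenant data). One JSON object per line.
SAMPLE_LOG = """
{"time":"2024-05-01T09:00:05+00:00","user":"cfo@example.com","clientAppUsed":"Browser","result":"success","mfaResult":"approved"}
{"time":"2024-05-01T09:01:10+00:00","user":"ap-clerk@example.com","clientAppUsed":"IMAP4","result":"success","mfaResult":"not_required"}
{"time":"2024-05-01T09:01:40+00:00","user":"ap-clerk@example.com","clientAppUsed":"Authenticated SMTP","result":"success","mfaResult":"not_required"}
{"time":"2024-05-01T09:02:00+00:00","user":"it-admin@example.com","clientAppUsed":"POP3","result":"failure","mfaResult":"not_required"}
{"time":"2024-05-01T10:00:00+00:00","user":"eng@example.com","clientAppUsed":"Browser","result":"failure","mfaResult":"denied"}
{"time":"2024-05-01T10:00:30+00:00","user":"eng@example.com","clientAppUsed":"Browser","result":"failure","mfaResult":"denied"}
{"time":"2024-05-01T10:01:00+00:00","user":"eng@example.com","clientAppUsed":"Browser","result":"failure","mfaResult":"timeout"}
{"time":"2024-05-01T10:01:20+00:00","user":"eng@example.com","clientAppUsed":"Browser","result":"success","mfaResult":"approved"}
{"time":"2024-05-01T22:10:00+00:00","user":"contractor@example.com","clientAppUsed":"Browser","result":"failure","mfaResult":"denied"}
{"time":"2024-05-01T22:10:15+00:00","user":"contractor@example.com","clientAppUsed":"Browser","result":"failure","mfaResult":"timeout"}
{"time":"2024-05-01T22:10:30+00:00","user":"contractor@example.com","clientAppUsed":"Browser","result":"failure","mfaResult":"denied"}
{"time":"2024-05-01T22:10:45+00:00","user":"contractor@example.com","clientAppUsed":"Browser","result":"failure","mfaResult":"denied"}
{"time":"2024-05-01T22:11:00+00:00","user":"contractor@example.com","clientAppUsed":"Browser","result":"failure","mfaResult":"timeout"}
{"time":"2024-05-01T22:11:15+00:00","user":"contractor@example.com","clientAppUsed":"Browser","result":"failure","mfaResult":"denied"}
{"time":"2024-05-01T22:11:50+00:00","user":"contractor@example.com","clientAppUsed":"Browser","result":"success","mfaResult":"approved"}
"""

# Client apps that authenticate with basic/legacy auth and so never see an MFA prompt.
# Mirrors the protocols named in the article plus the Entra "legacy authentication clients" grouping.
LEGACY_CLIENT_APPS = {
    "IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Exchange Web Services",
    "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)", "Other clients",
}

def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def legacy_auth_successes(events: list) -> list:
    """Successful sign-ins over legacy protocols. Each one is proof that a path around MFA
    is open; failed attempts (not returned here) still show the protocol is reachable."""
    return [(e["user"], e["clientAppUsed"]) for e in events
            if e["clientAppUsed"] in LEGACY_CLIENT_APPS and e["result"] == "success"]

def push_fatigue_bursts(events: list, threshold: int = 5, window_seconds: int = 120) -> dict:
    """Users with at least `threshold` denied or timed-out MFA pushes inside one window, and
    whether an approval followed the burst (the pattern in which the user finally gives in)."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("mfaResult") in {"denied", "timeout", "approved"}:
            by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["mfaResult"]))
    findings = {}
    for user, rows in by_user.items():
        rows.sort()
        rejects = [t for t, r in rows if r != "approved"]
        for i in range(len(rejects)):
            j = i
            while j + 1 < len(rejects) and (rejects[j + 1] - rejects[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= threshold:
                burst_end = rejects[j]
                findings[user] = {
                    "rejected_pushes": j - i + 1,
                    "approved_after_burst": any(r == "approved" and t > burst_end for t, r in rows),
                }
                break
    return findings

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("Legacy-protocol sign-ins that succeeded:", legacy_auth_successes(events))
    print("Push-fatigue bursts:", push_fatigue_bursts(events))
```

On the sample, the accounts-payable user's IMAP and SMTP logins are the legacy-auth finding (MFA never applied), the engineer's three rejected pushes stay below the threshold, and the contractor's six rejections inside two minutes followed by an approval is exactly the burst-then-approve sequence worth an immediate call to the user and a session revocation.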
What Boards Should Require
Boards should require documentation of MFA coverage across all remote access, cloud applications, and privileged accounts — not just a yes/no answer to 'is MFA deployed?' The meaningful questions are: What percentage of accounts have MFA enforced? Are legacy authentication protocols blocked? What MFA methods are being used for privileged accounts? Has phishing-resistant MFA been deployed for the highest-risk access points?
For PE due diligence, MFA coverage is a binary risk flag. A portfolio company without universal MFA on remote access is structurally exposed to the credential-based attacks that account for the majority of breach initial access. This is a finding that requires a specific remediation timeline, not a recommendation to 'consider' improving authentication controls.
MFA and Regulatory Requirements
MFA has become a regulatory baseline across multiple frameworks. PCI DSS 4.0 requires MFA for all non-console access to the cardholder data environment and for all remote access. HIPAA guidance increasingly treats MFA as a required implementation for covered entities. NIST SP 800-63B provides the authoritative guidance on authentication assurance levels. State privacy laws in California, New York, and other states create implicit MFA requirements through breach notification consequences. Cyber insurance underwriters now routinely require documented MFA coverage as a condition of coverage, with some insurers excluding claims arising from breaches where MFA was not deployed on affected systems.
Related Reading
MGM and Caesars: What Happens When MFA Is Bypassed
In 2023, Scattered Spider compromised both MGM Resorts and Caesars Entertainment using techniques that bypassed their MFA implementations. The MGM breach combined vishing (a social engineering call to the help desk) with an MFA reset to establish authenticated access — the MFA protection was negated by the help desk's verification failure. Caesars paid a $15M ransom to avoid the same outcome. The combined financial impact across both organizations exceeded $100M. The lesson is not that MFA failed — it is that MFA was not backed by help desk verification procedures robust enough to prevent social engineering resets, and the MFA methods in use were not phishing-resistant enough to prevent the specific bypass techniques used. Strong MFA implementation requires both the technical control and the operational procedures that protect it.
of account compromise attacks are blocked by multi-factor authentication, according to Microsoft's analysis of its authentication data. The gap between password-only and MFA-protected accounts is not marginal — it is effectively total.