The Monthly Cyber Resilience Series: MFA Done Right: Practical Setup and Common Pitfalls

  • Feb 22
  • 2 min read

If passwords are the weakest link, Multi-Factor Authentication (MFA) is the simplest and most effective reinforcement.


MFA means proving your identity using at least two different factors:

  • Something you know (password)

  • Something you have (phone, hardware key)

  • Something you are (biometrics)


Even if a password is stolen through phishing or a data breach, MFA can stop the attacker from accessing the account.


However, not all MFA is equal.


Many organisations introduce MFA and assume the problem is solved. In reality, poorly implemented MFA can still be bypassed - especially when:

  • SMS codes are intercepted

  • Users approve push notifications without checking

  • Attackers trick users into real-time login approval

  • Backup codes are stored insecurely


MFA is powerful - but only when implemented thoughtfully.


The objective is not just to “turn it on”, but to deploy it in a way that meaningfully reduces risk.


Practical Implementation & Common Mistakes


1. Choose the Right MFA Method


Not all methods offer the same protection:


Stronger options:

  • Hardware security keys (FIDO2/WebAuthn)

  • Passkeys

  • Authenticator apps with number matching


Weaker options (still better than nothing):

  • SMS codes

  • Email verification codes


Where possible, avoid SMS as the primary factor due to SIM-swap risks.


2. Protect Against MFA Fatigue


“MFA fatigue” attacks rely on sending repeated login approval prompts until the user clicks “Approve” just to stop notifications.


Mitigation:

  • Enable number matching

  • Limit repeated push attempts

  • Alert security teams to unusual login patterns


Users must be trained: never approve a login they did not initiate.
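The two server-side mitigations listed above, number matching and limiting repeated push prompts, can be sketched in code. The following is an added example, not code from the article or from any particular MFA product; the policy values (at most 3 prompts per user in a 5-minute window, a 60-second challenge lifetime) and the class and method names are assumptions chosen for illustration. The login screen shows a two-digit number and the push prompt asks the user to type it, so a user who did not start the login cannot approve it by tapping alone, and a burst of prompts locks the push channel and raises an alert for the security team.

```python
import secrets
import time
from collections import defaultdict, deque

# Assumed policy values (not from the article): at most MAX_PUSHES prompts per
# user within WINDOW_SECONDS before the push channel is locked and an alert raised.
MAX_PUSHES = 3
WINDOW_SECONDS = 300
CHALLENGE_TTL = 60


class PushMFA:
    """Push-based second factor with number matching and push rate limiting."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock, for testing
        self._pushes = defaultdict(deque)    # user -> timestamps of recent prompts
        self._pending = {}                   # challenge_id -> (user, number, expiry, ip)
        self.locked = set()                  # users whose push channel is locked
        self.alerts = []                     # messages destined for the SOC

    def request_push(self, user, source_ip):
        """Send a push prompt and return the number the login screen must display."""
        now = self._now()
        if user in self.locked:
            return {"status": "locked"}
        recent = self._pushes[user]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                 # drop prompts outside the window
        if len(recent) >= MAX_PUSHES:
            # Too many prompts in the window: classic MFA-fatigue pattern.
            self.locked.add(user)
            self.alerts.append(
                f"possible MFA fatigue: {len(recent) + 1} prompts for {user} "
                f"from {source_ip} within {WINDOW_SECONDS}s"
            )
            return {"status": "locked"}
        recent.append(now)
        number = secrets.randbelow(100)      # shown on the login screen only
        challenge_id = secrets.token_hex(8)
        self._pending[challenge_id] = (user, number, now + CHALLENGE_TTL, source_ip)
        return {"status": "sent", "challenge_id": challenge_id, "display_number": number}

    def approve(self, challenge_id, entered_number):
        """Approve only if the number typed into the app matches the one displayed."""
        # One attempt per challenge: a wrong guess consumes it, so the 100
        # possible numbers cannot be brute-forced against a single prompt.
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        _user, number, expiry, _ip = entry
        if self._now() > expiry:
            return False
        return entered_number == number

    def unlock(self, user):
        """Clear a lock after the helpdesk has verified the user out of band."""
        self.locked.discard(user)
        self._pushes[user].clear()


if __name__ == "__main__":
    mfa = PushMFA()
    prompt = mfa.request_push("alice", "203.0.113.5")   # constructed sample values
    print("approved:", mfa.approve(prompt["challenge_id"], prompt["display_number"]))
```

A blind "Approve" tap corresponds to calling `approve` with the wrong number, which fails and burns the challenge; the fourth prompt inside the window locks the user and appends an alert rather than sending yet another push. The lock is only cleared by `unlock`, which is where a strict helpdesk verification step belongs.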


3. Secure Recovery Processes


Account recovery is often the weakest link.


Ensure:

  • Backup codes are stored securely

  • Recovery emails are protected with MFA

  • Helpdesk verification processes are strict


Attackers frequently target password reset mechanisms rather than the login process itself.
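"Backup codes are stored securely" means, on the server side, that the codes are never kept in plaintext and each one works exactly once. The following is an added example, not code from the article; the code length (40 bits of randomness), the PBKDF2 work factor and the function names are assumptions chosen for illustration. The plaintext codes are shown to the user once, only salted hashes are stored, and a redeemed code is marked used so it cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Assumed work factor (not from the article). Backup codes carry far less
# entropy than a passkey, so a slow hash is worth the cost of checking them.
PBKDF2_ITERATIONS = 50_000


def _normalise(code: str) -> bytes:
    # Accept "ab12c-d34ef", "AB12CD34EF" etc. as the same code.
    return code.replace("-", "").strip().lower().encode()


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalise(code), salt, PBKDF2_ITERATIONS)


def generate_backup_codes(count: int = 8):
    """Return (plaintext codes to show once, records to persist for the account)."""
    codes, records = [], []
    for _ in range(count):
        raw = secrets.token_hex(5)                 # 10 hex chars, 40 bits of entropy
        code = f"{raw[:5]}-{raw[5:]}"              # hyphen only for readability
        salt = secrets.token_bytes(16)             # per-code salt
        records.append({"salt": salt, "hash": _hash_code(code, salt), "used": False})
        codes.append(code)
    return codes, records


def redeem_backup_code(records, submitted: str) -> bool:
    """Return True and mark the code used if it matches an unused record."""
    for rec in records:
        if rec["used"]:
            continue                               # single use: never match again
        candidate = _hash_code(submitted, rec["salt"])
        if hmac.compare_digest(rec["hash"], candidate):
            rec["used"] = True
            return True
    return False


def remaining_codes(records) -> int:
    """How many unused codes the user has left; prompt for regeneration when low."""
    return sum(1 for rec in records if not rec["used"])


if __name__ == "__main__":
    shown_once, stored = generate_backup_codes(4)
    print("give these to the user now:", shown_once)
    print("redeem first:", redeem_backup_code(stored, shown_once[0]))
    print("replay first:", redeem_backup_code(stored, shown_once[0]))
    print("remaining:", remaining_codes(stored))
```

The stored records contain no plaintext, so a leaked database does not hand an attacker a working second factor, and a code that has been redeemed is refused on replay. Redemption attempts should additionally be rate-limited per account, since a 40-bit code is guessable only if unlimited tries are allowed.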


4. Apply MFA Everywhere It Matters


Prioritise:

  • Email accounts

  • Administrator accounts

  • Remote access systems

  • Cloud and SaaS platforms

  • Financial systems


Email is especially critical - compromise there often enables takeover of other accounts.


5. Monitor and Measure


Implementation should include monitoring:

  • Failed login attempts

  • MFA bypass attempts

  • Suspicious geographic logins

  • High-risk authentication events


Security is not deployment - it is continuous management.
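The monitoring items above only reduce risk if something actually evaluates the authentication events. The following is an added example, not code from the article or any SIEM product, run over a small constructed log: the line format (timestamp, user, outcome, country, latitude, longitude), the thresholds (5 failures in 10 minutes, 1000 km/h for impossible travel) and the rule names are assumptions chosen for illustration. It covers three of the four items: failed-login bursts, MFA prompts denied or locked out (a bypass attempt in progress), and successive logins from places too far apart for the elapsed time.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample events (not real log data). Fields:
# ISO timestamp, user, outcome, country, latitude, longitude
SAMPLE_LOG = """\
2024-02-20T08:00:05Z alice LOGIN_FAILED GB 51.5 -0.1
2024-02-20T08:00:09Z alice LOGIN_FAILED GB 51.5 -0.1
2024-02-20T08:00:14Z alice LOGIN_FAILED GB 51.5 -0.1
2024-02-20T08:00:20Z alice LOGIN_FAILED GB 51.5 -0.1
2024-02-20T08:00:27Z alice LOGIN_FAILED GB 51.5 -0.1
2024-02-20T08:01:00Z alice LOGIN_SUCCESS GB 51.5 -0.1
2024-02-20T08:31:00Z alice LOGIN_SUCCESS SG 1.35 103.8
2024-02-20T09:00:00Z bob MFA_DENIED DE 52.5 13.4
2024-02-20T09:00:30Z bob MFA_DENIED DE 52.5 13.4
2024-02-20T09:05:00Z carol LOGIN_SUCCESS US 40.7 -74.0
2024-02-20T15:05:00Z carol LOGIN_SUCCESS US 34.05 -118.2
"""

# Assumed thresholds (not from the article).
FAILED_BURST_THRESHOLD = 5
FAILED_BURST_WINDOW = timedelta(minutes=10)
MAX_PLAUSIBLE_SPEED_KMH = 1000.0
MIN_TRAVEL_KM = 50.0          # ignore geolocation jitter within one city


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_log(text):
    """Parse the whitespace-separated sample format into sorted event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, outcome, country, lat, lon = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "outcome": outcome, "country": country,
            "lat": float(lat), "lon": float(lon),
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return one alert per (rule, user) that fires over the event stream."""
    alerts, flagged = [], set()
    failures = defaultdict(list)      # user -> timestamps of recent failures
    last_success = {}                 # user -> most recent successful login

    def raise_alert(rule, user, detail):
        if (rule, user) not in flagged:
            flagged.add((rule, user))
            alerts.append({"rule": rule, "user": user, "detail": detail})

    for e in events:
        user = e["user"]
        if e["outcome"] == "LOGIN_FAILED":
            window = failures[user]
            window.append(e["ts"])
            while window and e["ts"] - window[0] > FAILED_BURST_WINDOW:
                window.pop(0)
            if len(window) >= FAILED_BURST_THRESHOLD:
                raise_alert("failed_login_burst", user,
                            f"{len(window)} failures within {FAILED_BURST_WINDOW}")
        elif e["outcome"] in ("MFA_DENIED", "MFA_LOCKED"):
            # A user rejecting a prompt, or being locked out, means someone
            # else had the password: treat it as an MFA bypass attempt.
            raise_alert("mfa_denied", user, f"{e['outcome']} from {e['country']}")
        elif e["outcome"] == "LOGIN_SUCCESS":
            prev = last_success.get(user)
            if prev is not None:
                km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
                hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
                speed = km / hours if hours > 0 else float("inf")
                if km > MIN_TRAVEL_KM and speed > MAX_PLAUSIBLE_SPEED_KMH:
                    raise_alert("impossible_travel", user,
                                f"{prev['country']} -> {e['country']}, {km:.0f} km in {hours:.2f} h")
            last_success[user] = e
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample, alice trips both the burst rule and the impossible-travel rule (a password-spray followed by a successful login from two continents in half an hour), bob's repeated denials surface as a bypass attempt, and carol's two US logins six hours apart stay quiet. The "high-risk authentication events" item is deliberately left to the identity provider's own risk signals, which this example does not model.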


6. The Strategic Shift


Effective MFA implementation moves organisations from:

“We trust the password.”

to

“We verify identity continuously.”

MFA significantly reduces the risk of account compromise - but only when paired with:

  • Strong identity governance

  • Least privilege access

  • User awareness


In identity security, layering matters.


Next month, we will focus on endpoint hygiene - because even strong authentication cannot protect a compromised device.


t. +387 33 448 280

e. csec_official@csec.ba

a. Gradačačka 114

    Sarajevo, Bosnia and Herzegovina


The establishment of CSEC has been supported by the UK Government.
