Multi-Factor Authentication (MFA)
MFA is an authentication method that requires users to provide multiple forms of verification — typically something they know (password), something they have (phone), or something they are (biometric) — before granting access. It is the primary defense against credential compromise.
# WHAT TEAMS RUN INTO
- —
MFA deployments aren't universal. Privileged accounts skip MFA because 'it slows down emergencies.' Contractors and service accounts bypass MFA because they're 'not interactive users.' Coverage gaps become breach doors.
- —
MFA doesn't verify the device it's running on. A phone gets stolen with MFA installed. The attacker uses the stolen phone's biometric or cached approval to access accounts.
- —
MFA gets fatigue-tested in real attacks. An attacker compromises credentials and sends MFA prompts repeatedly until the user approves one by accident or to stop the notifications.
# WHY IT MATTERS
MFA is the most cost-effective security control available. It stops most account takeovers because compromising a password alone is no longer sufficient. But incomplete MFA deployment creates a false sense of security — organizations believe they are protected because MFA is in use, without realizing that coverage gaps and weak factors still leave attack surfaces open. Every access decision is an identity decision, and MFA is the checkpoint that forces verification of identity claims.