Skip to Content

How MFA Actually Works

Two-factor authentication security

Photo by REINER SCT on Pexels

Multi-factor authentication (MFA) is the single most effective security control you can implement. Microsoft's research shows that MFA blocks over 99.9% of automated account compromise attacks. But not all MFA is created equal—understanding how it works helps you choose the right type and avoid common pitfalls.

The Three Factors of Authentication

Authentication uses three types of factors:

  • Something you know: A password, PIN, or security question
  • Something you have: A phone, hardware key, or smart card
  • Something you are: A fingerprint, face scan, or iris scan (biometrics)

MFA requires at least two different factors. A password plus a code sent to your phone is MFA (something you know + something you have). A password plus a fingerprint is also MFA. Two passwords are NOT MFA—that's just two of the same factor.

How the MFA Flow Works

When you log in with MFA enabled, the process is:

  1. You enter your username and password (factor 1: something you know)
  2. The service sends a challenge to your second factor (e.g., a push notification to your phone)
  3. You approve the notification or enter a one-time code (factor 2: something you have)
  4. The service verifies both factors and grants access

The key insight is that an attacker who steals your password still can't log in without your second factor. Even if a phishing attack captures your password, the attacker would also need to steal your phone or hardware key.

Types of MFA (Strongest to Weakest)

1. Hardware Security Keys (FIDO2/WebAuthn) — Strongest: Physical USB or NFC keys (like YubiKey or Google Titan) that you tap or insert during login. The key cryptographically proves your identity to the website. Phishing-resistant because the key checks the website's domain—it won't work on fake login pages. Cost: $25-50 per key per user. Best for high-value accounts (admin accounts, financial systems).

2. Authenticator Apps (TOTP) — Strong: Apps like Microsoft Authenticator, Google Authenticator, or Authy generate a 6-digit code that changes every 30 seconds. The code is generated from a shared secret and the current time—no internet connection needed. Free and widely supported. Slightly vulnerable to phishing if users manually enter codes on fake sites.

3. Push Notification MFA — Strong: The service sends a push notification to your phone ("Was this you?"). You tap "Approve" to log in. Convenient and secure, but vulnerable to "MFA fatigue" attacks where attackers send repeated prompts hoping the user approves out of annoyance. Train users to only approve prompts they initiated.

4. SMS/Email Codes — Weakest (Still Better Than Nothing): A code is sent via text or email. Vulnerable to SIM swapping (attacker transfers your phone number to their SIM) and email account compromise. Many insurance policies now require app-based or hardware MFA, not SMS. Use this only as a fallback.

Why MFA Stops Most Attacks

Consider the credential stuffing attack from Section 1: an attacker has your password from a breached site and tries it against your email. Without MFA, they get in immediately. With MFA, they hit a second prompt they can't answer. Even with phishing, modern FIDO2 keys detect the fake domain and refuse to authenticate. MFA turns a single point of failure (password) into a multi-point defense that attackers must bypass simultaneously.

Key Takeaways

  • MFA blocks 99.9% of automated account compromise attacks
  • Hardware security keys (FIDO2) are the strongest MFA—phishing-resistant
  • Authenticator apps are free, strong, and widely supported—good default choice
  • SMS MFA is weakest—vulnerable to SIM swapping, avoid for high-value accounts
  • Train users to only approve MFA prompts they initiated (prevents MFA fatigue attacks)

Choosing and Deploying a Password Manager

A password manager is the foundation of modern access control. Without one, employees will reuse passwords, write them on sticky notes, or store them in insecure files. The choice of password manager should consider: security architecture (zero-knowledge encryption is essential — the vendor should never see your passwords), ease of use (if it's hard, employees won't use it), cross-platform support (Windows, Mac, Linux, iOS, Android, browser extensions), sharing capabilities (secure password sharing for team accounts), and audit capabilities (reports on weak, reused, or compromised passwords).

Bitwarden is the top free recommendation for small to mid-sized businesses. It's open-source, uses zero-knowledge encryption, supports all platforms, and offers free teams plans for up to 2 users. The paid version ($3/user/month) adds directory sync, detailed audit logs, and custom roles. For organizations needing on-premise hosting, Vaultwarden (a lightweight Bitwarden server) can be self-hosted on any server with Docker. For enterprise environments, 1Password Business ($7.99/user/month) offers advanced features like travel mode (temporarily removes sensitive data from devices), guest access, and custom vault sharing.

Deployment requires planning. Start with a pilot group of 5-10 users across different departments. Import existing passwords from browsers and spreadsheets. Configure browser extensions for auto-fill. Set up shared vaults for team passwords (e.g., social media accounts, vendor portals, database credentials). After the pilot, roll out to all employees with mandatory training sessions. Measure adoption rates — your goal should be 90%+ of employees actively using the password manager within 60 days. Provide ongoing support and periodically review shared vaults to remove stale or unused credentials.

Common Questions

Q: What if an employee leaves the company?

Password managers make offboarding much easier. With a business password manager, you can instantly revoke the employee's access to all shared vaults. For individually stored passwords, the employee's personal vault is typically removed. However, you should also have a process for recovering passwords that were only stored in the employee's personal vault — encourage employees to store all business-related passwords in shared or team vaults, not personal ones. Document this requirement in your acceptable use policy.

How MFA Actually Works

Multi-factor authentication (MFA) is the single most effective security control you can implement. Microsoft's research shows that MFA blocks over 99.9% of automate

Rating
0 0

There are no comments for now.

to be the first to leave a comment.