MFA best practices: The key to a robust cybersecurity program

Multifactor authentication (MFA) has emerged as a crucial defense mechanism against unauthorized access and data breaches.

But as cybersecurity defenses evolve, so do cyberattacks. According to the CISCO Talos Incident Response Quarterly Trends report, MFA was involved in nearly half of the security incidents their team responded to in the first quarter of 2024. 

If you want to safeguard your data against the latest cyberthreats, it’s essential to evaluate how you’re implementing MFA best practices across your organization.

What is MFA?

MFA is a security system that requires users to provide two or more verification factors to gain access to a device or resource, such as an application, online account or VPN. It requires users to verify their identity with more than just a username and password, helping your organization protect against attacks involving stolen credentials.

This approach typically combines at least two elements from three categories: something you know (like a password), something you have (such as a security token) or something you are (biometric verification). Common MFA factors include:

• One-time passwords
• Access badges
• Fingerprints
• Facial recognition

How cybercriminals bypass MFA

Cybercriminals have developed sophisticated techniques to circumvent MFA. Some different bypass methods include:

• Web traffic interception: Cybercriminals use fake websites or proxy servers to trick users into revealing their credentials and MFA codes.
• Sim swapping: SIM swapping allows attackers to bypass MFA by hacking phone carriers and assigning SIMs to their own devices. As a result, MFA codes are sent to the attacker’s phone instead of the legitimate user’s phone.
• Social engineering: Cybercriminals may impersonate IT professionals or use similar approaches to obtain authentic tokens from staff.
• MFA bombing: When a criminal breaches a user’s password and tries to log in, the MFA system sends push notifications to the victim for approval. Attackers often send these repeatedly to wear down the victim, who may approve the request just to stop the notifications.

MFA best practices

As cybercriminals continue to try to find new ways to bypass MFA, evaluating your organization’s MFA implementation becomes critical to protecting your digital assets.

When properly configured, MFA plays a crucial role in mitigating cyberthreats. It can significantly reduce your threat risk by adding extra layers of security beyond passwords and helping neutralize the impact of stolen credentials. And it can help you protect against a variety of attacks, including phishing, spear phishing, whaling, keylogging, credential stuffing and brute force attacks.

To effectively implement or enhance MFA at your organization, here are three best practices to follow:

1. Implement MFA everywhere

CISCO Talos reported that in “21% of engagements, the underlying cause for the incident was a lack of proper implementation of MFA.”

Even if your organization is currently using MFA, it’s important to evaluate whether you’re using it effectively. Start by thoroughly assessing your current infrastructure and prioritizing critical systems. You also need to evaluate if there are any vulnerabilities in processes where you do allow single-factor authentication.

You should also consider extending MFA beyond key systems and implementing it across your organization. Any external login portal should have MFA enabled, if possible. You should also identify platforms that allow remote access to data and resources, including:

• Remote desktop platforms
• Cloud solutions
• Bank accounts
• Collaboration software
• Email
• VPN

2. Prepare for MFA bypass

The CISCO Talos report also highlighted that the most common MFA bypass attempts they saw involved MFA push attacks, also known as MFA bombing.

To protect against MFA bombing or SIM swapping, your organization can disable push notification options and use authenticator apps instead.

Authenticator apps generate time-based, one-time passwords directly on a device, creating an additional barrier between accounts and potential attackers. They help eliminate the vulnerabilities associated with SMS delivery so that even if a phone number is compromised, MFA codes are still protected.

Authenticator apps also help streamline the MFA process for staff by allowing them to secure all their accounts on a single app. And unlike SMS-based authentication, authenticator apps work even without an internet connection, making them harder to compromise.

3. Provide targeted staff training

Your organization can reduce the risk of unauthorized access by educating staff on the importance of MFA and how to use it effectively. Training helps staff identify phishing attempts and other social engineering tactics that attackers use to bypass MFA.

You also need to establish a clear reporting process so that staff are equipped to help your team identify and address threats faster.

By empowering staff with MFA knowledge, your organization isn’t just improving security — it’s cultivating a cyber-aware culture that reaches every aspect of your operations.

How Wipfli can help

Wipfli’s cybersecurity team brings experienced, industry-specific guidance to address your cybersecurity challenges. From helping you evaluate your MFA implementation to testing and strategy, our team can help you create a more robust cybersecurity program.

Visit our Cybersecurity Awareness Month page to see more of our cybersecurity resources and explore our services.