- MFA blocks over 99% of automated credential attacks, according to Microsoft's analysis of identity telemetry
- Hardware keys (FIDO2/YubiKey) provide the highest security; SMS is the weakest MFA method and vulnerable to SIM-swapping
- Start with email and remote access, then move to finance systems and everything else
- SMS-only MFA, gaps in user coverage, and legacy authentication bypass are the three most common deployment failures
- ISO 27001 Annex A.8.5 and Cyber Essentials both require MFA on cloud services and remote access as a minimum
Why passwords alone keep failing
A password is a single secret. The moment that secret leaves your control, your account is open. Passwords leave your control through channels you have no visibility into.
Credential stuffing is the most common attack vector against business accounts. Attackers buy databases of email and password combinations leaked from breached websites, then run automated tools that test those credentials against Microsoft 365, Google Workspace, VPN gateways, and banking portals. The attack works because people reuse passwords. A credential leaked from a retail breach five years ago still opens accounts today, because the password never changed. HaveIBeenPwned currently indexes over 13 billion breached accounts.
Phishing hands credentials directly to attackers. A convincing login page for Microsoft 365 or your company's VPN portal takes under an hour to build and distribute. The user types their username and password into what looks like a legitimate form. Attackers capture the credentials in real time. No technical vulnerability required.
Password spraying takes the opposite approach to stuffing. Instead of trying many passwords against one account, attackers try one or two common passwords against thousands of accounts. Common choices like Summer2024! or Welcome1 succeed at scale because password policies that require a capital letter and a number produce predictable patterns, and a slow spray stays below account-lockout thresholds, so lockouts never trigger.
All three attacks fail against an account with MFA. A stolen password without the second factor does nothing for automated attacks. Microsoft's identity telemetry puts the block rate at 99.9%.
What MFA is and how it works
Multi-factor authentication requires a user to present two or more verification factors from distinct categories before gaining access. The three categories are:
- Something you know: a password, PIN, or security question answer
- Something you have: a physical device such as a phone running an authenticator app, a hardware security key, or a smart card
- Something you are: a biometric factor such as a fingerprint or face scan
Two-factor authentication (2FA) uses exactly two of these. MFA is the broader term covering two or more. In practice most people use the terms interchangeably, and most deployments combine a password with a device-based second factor.
An attacker who steals your password does not have your phone. An attacker who finds your phone does not know your password. Compromising both, against a specific target, at the moment of a login attempt, is orders of magnitude harder than stealing a password from a breached database and running it through an automated tool.
MFA types ranked by security
MFA methods vary widely in security. The table ranks them from strongest to weakest, by resistance to phishing and real-time interception.
FIDO2 hardware keys defeat phishing because the cryptographic signature they produce is bound to the legitimate website's origin (its domain), which the browser records and the key signs over. A phishing site on a different domain cannot produce a valid authentication response, even if the user types their password into it. TOTP codes are phishable in real time: a man-in-the-middle proxy can capture the password and the TOTP code and replay them to the real site before the 30-second window closes.
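The origin binding described above, as an added example that is not part of the original article: a minimal WebAuthn-style relying party check in which the browser writes the real page origin into clientDataJSON and the authenticator signs over it. The domains are constructed, and an HMAC key stands in for the authenticator's ECDSA key pair so the example runs with the Python standard library only.

```python
import base64, hashlib, hmac, json, os
from urllib.parse import urlparse

RP_ID = "login.example.test"                      # constructed relying-party domain
EXPECTED_ORIGIN = "https://" + RP_ID

def b64u(b):
    return base64.urlsafe_b64encode(b).decode().rstrip("=")

def authenticator_sign(cred_key, origin, challenge):
    """Browser + authenticator side. The browser, not the page, writes the origin it is
    really on into clientDataJSON and derives the RP ID from it; the authenticator then
    signs authenticatorData || SHA-256(clientDataJSON). Stand-in: HMAC instead of ECDSA."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64u(challenge),
                              "origin": origin}).encode()
    rp_id_hash = hashlib.sha256(urlparse(origin).hostname.encode()).digest()
    auth_data = rp_id_hash + b"\x05" + (1).to_bytes(4, "big")   # flags UP|UV, sign count
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, auth_data, sig

def rp_verify(cred_key, challenge, client_data, auth_data, sig):
    """Relying-party checks in WebAuthn order; the first failure is reported."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != b64u(challenge):
        return "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"                  # a relaying proxy is rejected here
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expected, sig) else "bad signature"

def demo():
    key, challenge = os.urandom(32), os.urandom(32)   # per-site credential; RP challenge
    legit = rp_verify(key, challenge, *authenticator_sign(key, EXPECTED_ORIGIN, challenge))
    # A look-alike site relaying the real challenge gets a response signed for its own origin.
    cd, ad, sig = authenticator_sign(key, "https://login-example.test", challenge)
    relayed = rp_verify(key, challenge, cd, ad, sig)
    # Rewriting origin and rpIdHash to the real values breaks the signature, which covers both.
    forged_cd = cd.replace(b"login-example.test", b"login.example.test")
    forged_ad = hashlib.sha256(RP_ID.encode()).digest() + ad[32:]
    forged = rp_verify(key, challenge, forged_cd, forged_ad, sig)
    return legit, relayed, forged
```

A TOTP code carries no origin at all, which is why the same relay succeeds against it within the 30-second window.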
Push notification MFA has a specific weakness called MFA fatigue. Attackers who have a valid password send repeated push requests at 2am until a tired or confused user taps "Approve" to make the notifications stop. Microsoft Authenticator now supports number matching, which requires the user to enter a two-digit number displayed at login into the push notification screen, preventing accidental approvals. Enable number matching in the Entra ID authentication methods policy (Security, then Authentication Methods, then Microsoft Authenticator).
SIM-swapping attacks against business accounts increased between 2023 and 2025. An attacker calls your mobile carrier, claims to be you, and transfers your number to a SIM they control. All SMS codes then route to them. The carrier verification process is not robust. Move business-critical accounts to TOTP or hardware keys and disable SMS as a fallback option for those accounts.
Where to start: a deployment sequence
The goal is 100% MFA coverage across all users and all systems. Start where a compromise causes the most damage.
1. Email first
Business email is the master key to almost everything else. Password resets for every other account go to email. Sensitive business data flows through email. Attackers who compromise a Microsoft 365 or Google Workspace account can read mail, redirect payment instructions, and access every connected application. Enable MFA on email before anything else, for every user without exception.
In Microsoft 365, the fastest path is Security Defaults in the Entra ID portal. Security Defaults enforces MFA for all users, blocks legacy authentication protocols, and requires MFA for all admin actions. It is a single toggle. For organisations that need more granular control, Conditional Access policies let you define which users, applications, locations, and device states trigger an MFA challenge.
2. VPN and remote access
VPN gateways and remote desktop services are the other primary entry point for attackers. A compromised VPN credential puts an attacker inside your network perimeter with the same access as a legitimate employee. All remote access solutions, whether that is Cisco AnyConnect, Fortinet FortiClient, Palo Alto GlobalProtect, or Windows Remote Desktop Gateway, support RADIUS-based MFA or direct integration with identity providers like Entra ID. Configure it before expanding remote access further.
3. Finance and payment systems
Online banking, payment platforms, and accounting software such as Exact, Twinfield, or Xero contain the data attackers target in business email compromise attacks. Many of these platforms support TOTP or app-based MFA in their security settings. Enable it for every user who can initiate or approve payments. Some banks mandate MFA for business accounts; treat those that do not as exceptions requiring a separate risk discussion.
4. Everything else
Once the three highest-risk categories have MFA, extend coverage to all remaining cloud services: CRM platforms, HR systems, file storage, development environments, DNS management consoles, and domain registrar accounts. Registrar accounts are high-value and rarely given MFA. An attacker who compromises your domain registrar account can redirect your entire domain's DNS.
If full MFA rollout faces internal resistance, start with Conditional Access policies that require MFA for logins from outside your office network. This imposes no friction for employees at their desks while protecting remote and mobile access. It is not a complete solution, since office network compromise is possible, but it eliminates the most common attack vector at zero end-user cost during the transition period.
Common deployment mistakes
An MFA deployment with gaps still gives attackers a path in. These are the four mistakes that create the largest ones.
SMS-only MFA on high-value accounts
Some organisations enable MFA and then accept SMS as the only factor option because it requires no app installation. For standard user accounts this is a trade-off. For executives, finance staff, IT administrators, and anyone with access to sensitive data, it is an unacceptable risk. Segment your MFA requirements: require TOTP or FIDO2 for privileged and high-risk users, accept TOTP or push as a minimum for standard users, and block SMS for accounts that hold real power.
Not covering all users
MFA policies that exclude contractor accounts, shared service accounts, or "temporary" users create entry points. Attackers look for accounts outside the main policy scope. In Entra ID, check your Conditional Access policies for exclusions and audit them quarterly. Every excluded account should have a documented, time-limited business justification.
Allowing legacy authentication protocols
Legacy authentication protocols, including Basic Auth for Exchange ActiveSync, IMAP, POP3, and SMTP Auth, do not support MFA. They send credentials as a username and password with no mechanism for a second factor. If you enable MFA but leave these protocols active, an attacker with a stolen password can bypass MFA by connecting via IMAP. In Microsoft 365, block legacy authentication using a Conditional Access policy with the condition set to "Other clients" and the grant set to "Block access." Check the Entra ID sign-in logs for legacy authentication activity before blocking, to identify devices or applications that need reconfiguration.
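The sign-in log review described above, and the password-spray pattern from the opening section, as an added example that is not the article's own tooling: it runs over a constructed set of sign-in records whose field names follow the Graph signIn resource (clientAppUsed, authenticationRequirement, status.errorCode). The set of legacy client names is assumed from the protocols the article lists plus the portal's "Other clients" bucket, and 50126 is Entra's invalid-username-or-password error code.

```python
from collections import defaultdict

# Client app names the article lists as legacy, plus the portal's "Other clients" bucket (assumed set)
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Other clients"}

def ev(ts, upn, client, ip, error_code, mfa):
    """Build one constructed sign-in record using Graph signIn field names."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "clientAppUsed": client,
            "ipAddress": ip, "status": {"errorCode": error_code},
            "authenticationRequirement": "multiFactorAuthentication" if mfa else "singleFactorAuthentication"}

SIGN_INS = [  # constructed sample data, not real tenant logs
    ev("2025-03-01T08:02:11Z", "anna@example.test", "Browser", "203.0.113.10", 0, True),
    ev("2025-03-01T08:05:40Z", "bob@example.test", "IMAP4", "198.51.100.7", 0, False),
    ev("2025-03-01T09:15:02Z", "bob@example.test", "IMAP4", "198.51.100.7", 0, False),
    ev("2025-03-01T09:20:00Z", "scanner@example.test", "Authenticated SMTP", "198.51.100.9", 0, False),
    ev("2025-03-01T03:11:05Z", "anna@example.test", "Other clients", "192.0.2.44", 50126, False),
    ev("2025-03-01T03:11:09Z", "bob@example.test", "Other clients", "192.0.2.44", 50126, False),
    ev("2025-03-01T03:11:14Z", "carol@example.test", "Other clients", "192.0.2.44", 50126, False),
    ev("2025-03-01T03:11:20Z", "dave@example.test", "Other clients", "192.0.2.44", 50126, False),
]

def legacy_auth_report(events):
    """Successful legacy-protocol sign-ins grouped by (user, protocol, source IP).
    Each entry is a client to reconfigure before legacy auth is blocked; until then
    it is a password-only path that never sees an MFA challenge."""
    report = defaultdict(lambda: {"count": 0, "last_seen": ""})
    for e in events:
        if e["clientAppUsed"] in LEGACY_CLIENTS and e["status"]["errorCode"] == 0:
            r = report[(e["userPrincipalName"], e["clientAppUsed"], e["ipAddress"])]
            r["count"] += 1
            r["last_seen"] = max(r["last_seen"], e["createdDateTime"])  # ISO-8601 Z sorts lexically
    return dict(report)

def spray_sources(events, min_users=3):
    """Password-spray signature: one source IP with bad-password failures (error 50126)
    spread across many distinct accounts. A slow spray of this shape stays under
    per-account lockout thresholds, so the per-source view is what exposes it."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["status"]["errorCode"] == 50126:
            users_by_ip[e["ipAddress"]].add(e["userPrincipalName"])
    return {ip: len(users) for ip, users in users_by_ip.items() if len(users) >= min_users}
```

Run legacy_auth_report against a real export before enabling the block policy; every key it returns is a mailbox or device that will stop authenticating.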
No backup codes or recovery plan
Users who lose their phone or hardware key and have no recovery path face a support call that can take hours to resolve, and pressure IT staff to bypass controls. Generate backup codes for every critical account, store them in a password manager or printed document in a secure location, and configure alternative authentication methods in Entra ID self-service password reset so users have a documented recovery path.
Microsoft 365 and Entra ID: specific guidance
Most Cyvra clients run Microsoft 365. The settings below address the key risks.
Security Defaults. In the Azure portal, open Entra ID (formerly Azure Active Directory), then Properties, then Manage Security Defaults. Enabling Security Defaults enforces MFA registration for all users, requires MFA for all admin operations, and blocks legacy authentication protocols. It is the fastest path to baseline protection and is free on all Microsoft 365 licences.
Conditional Access (requires Entra ID P1 or Microsoft 365 Business Premium). Conditional Access gives you granular control over when and how MFA is required. Key policies to create: require MFA for all users accessing any cloud app; require MFA from all locations (including trusted networks) for admins; block legacy authentication clients; and require a compliant or Entra ID-joined device for access to sensitive data. The Microsoft Secure Score dashboard in the Microsoft 365 Defender portal shows which of these policies are in place and scores their impact.
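The policy set described above, together with the quarterly exclusion audit from "Not covering all users" and the JSON policy export mentioned under compliance, as an added example that is not the article's or Microsoft's own code: it reads policies in the Graph conditionalAccessPolicy shape and reports gaps. The two policies are constructed, and the object ids are placeholders.

```python
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}   # Graph clientAppTypes for legacy auth

POLICIES = [  # constructed export in Graph conditionalAccessPolicy shape; ids are placeholders
    {"displayName": "CA001 Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["<break-glass-account-object-id>"],
                              "excludeGroups": ["<contractors-group-object-id>"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA002 Block legacy authentication",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

def covers_everyone(p):
    c = p["conditions"]
    return (c["users"].get("includeUsers") == ["All"]
            and c["applications"].get("includeApplications") == ["All"])

def audit_policies(policies):
    """Return findings: every exclusion (each needs a documented, time-limited
    justification), report-only policies that enforce nothing, and whether an
    enforced policy requires MFA for everyone and another blocks legacy clients."""
    findings, mfa_for_all, legacy_blocked = [], False, False
    for p in policies:
        name, users, grant = p["displayName"], p["conditions"]["users"], p["grantControls"]
        if p["state"] == "enabledForReportingButNotEnforced":
            findings.append(f"{name}: report-only, not enforcing")
        for u in users.get("excludeUsers", []):
            findings.append(f"{name}: excludes user {u}")
        for g in users.get("excludeGroups", []):
            findings.append(f"{name}: excludes group {g}")
        if p["state"] != "enabled" or not covers_everyone(p):
            continue
        if "mfa" in grant["builtInControls"]:
            mfa_for_all = True
        if "block" in grant["builtInControls"] and \
                LEGACY_CLIENT_TYPES <= set(p["conditions"].get("clientAppTypes", [])):
            legacy_blocked = True
    if not mfa_for_all:
        findings.append("no enforced policy requires MFA for all users on all cloud apps")
    if not legacy_blocked:
        findings.append("no enforced policy blocks legacy authentication clients")
    return findings
```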
Number matching for push notifications. In Entra ID, go to Security, then Authentication Methods, then Microsoft Authenticator. Enable number matching to prevent MFA fatigue attacks. Microsoft has enabled this by default on new tenants since 2023, but verify it is active in your tenant.
Authentication methods policy. In Security, then Authentication Methods, review which methods each user group can register. Restrict SMS to user groups where you have reviewed and accepted the trade-off. Require FIDO2 or software OATH tokens for global admins and privileged identity roles.
Privileged Identity Management (PIM). Available with Entra ID P2 or Microsoft 365 E3/E5, PIM enforces just-in-time privileged access. Admins do not hold permanent global admin rights; they request elevation for a defined period, which triggers an MFA challenge and creates an audit log. This limits the blast radius of a compromised admin account to the active elevation window.
MFA converts a stolen password from a breach into a dead end. An attacker with your credentials but not your device gets nothing.
MFA and compliance frameworks
MFA appears by name or direct implication in every major SME-relevant security framework.
ISO 27001:2022, Annex A.8.5 (Secure Authentication) states that authentication controls must reflect the information classification of what is being accessed, and specifically calls out multi-factor authentication as a control measure for remote access and for access to sensitive systems. A.8.2 (Privileged Access Rights) requires that privileged accounts operate under tighter controls than standard users, which in practice the auditor community interprets as requiring MFA at minimum for all admin accounts.
Cyber Essentials (UK). The January 2022 update to Cyber Essentials requires MFA on all cloud services where technically supported, and on all remote access solutions. The Cyber Essentials Plus assessment includes a technical audit of authentication configuration. A finding of missing MFA on a cloud service or VPN is a direct failure against the scheme's access control requirement.
NIS2 (EU, Article 21). While NIS2 does not prescribe specific controls, Article 21 requires that essential and important entities implement "multi-factor authentication or continuous authentication solutions" as part of their baseline security hygiene. NIS2 names MFA directly; it is one of the few controls the regulation specifies. Dutch entities in scope for NIS2 and supervised by the NCSC-NL or sector regulators face enforcement where MFA is absent on internet-facing systems.
GDPR. GDPR does not mandate MFA by name, but Recital 83 and Article 32 require "appropriate technical and organisational measures" to protect personal data. Data Protection Authorities in the Netherlands (AP) and UK (ICO) have both cited absent MFA as a contributing factor in breach enforcement actions. Following a breach, the absence of MFA on the compromised account makes it harder to argue that you took appropriate technical measures.
During an ISO 27001 audit, your Entra ID Conditional Access policy export and sign-in logs are direct evidence for A.8.5. Export the policy definitions as JSON and keep them with your Statement of Applicability documentation. The sign-in logs showing MFA challenges and successes demonstrate the control is operating, not just configured.