Alex - stock.adobe.com
Common MFA mistakes -- and how to fix them
Attackers have adapted their techniques to circumvent an organization's MFA controls. When they succeed, it's usually because MFA wasn't properly set up or managed.
MFA has long been one of the most effective security controls an organization can deploy. It's inexpensive compared to many security technologies, relatively easy to implement and capable of stopping a large percentage of credential-based attacks.
It's not a coincidence that nearly every security framework and cyber insurance policy recommends or requires MFA. Even so, simply checking the MFA-enabled box doesn't mean an organization is adequately protected from attack. In many breaches, the victimized organization had MFA in place, and the flaw usually wasn't in the technology itself.
The trouble often results from how MFA was deployed, configured or managed over time. Like any security control, MFA is only as effective as its implementation.
Let's look at some common ways MFA can go wrong.
Mistake #1: Assuming MFA provides complete coverage
Problem: One of the biggest mistakes organizations make is believing MFA is universally enforced. In reality, it's common to find exceptions that have accumulated over time. Service accounts, legacy applications, VPN appliances, privileged administrator accounts, emergency access accounts and older authentication protocols are often excluded because they were difficult to migrate or were temporarily exempted during deployment. It's also not uncommon for some high-level executives or other key stakeholders to be granted exemptions because they find MFA a nuisance.
Attackers don't care whether 98% of a target's users have MFA -- they'll find that 2%.
Solution: Periodically review authentication policies and identify accounts, applications or protocols that bypass MFA requirements, and, at minimum, enable more rigorous monitoring on these accounts.
Mistake #2: Relying on weak authentication factors
Problem: Not all MFA methods provide the same level of protection. SMS-based one-time codes remain common, but they're increasingly vulnerable to SIM swapping, phishing and social engineering schemes. Email-based verification introduces many of the same weaknesses if the email account itself becomes compromised.
Solution: Prioritize phishing-resistant methods whenever possible, such as FIDO2 security keys, passkeys, Windows Hello for Business or platform authenticators built into endpoint devices. These are much more difficult for attackers to outmaneuver.
Mistake #3: Giving in to MFA fatigue
Problem: Push notifications made MFA easier for users, but they also created an opportunity for attackers. In an MFA fatigue attack, malicious hackers bombard users with repeated approval requests, assuming that someone will eventually tap "Approve" simply to make the notifications stop. Combined with convincing social engineering, this technique successfully bypassed MFA in several high-profile breaches in recent years.
Solution: Many modern authentication platforms have implemented number matching, location awareness and additional verification steps. These features can significantly reduce accidental approvals. Enable them wherever possible.
Mistake #4: Neglecting session security
Problem: Many organizations focus heavily on the login process but pay far less attention to what happens afterward. If an attacker steals an authenticated browser session or access token, they might not need to authenticate again at all. Instead of passwords, nefarious actors increasingly target session cookies, OAuth tokens and browser credentials.
Solution: Most security teams now recognize that identity protection needs to extend beyond initial MFA entry. Conditional-access policies, device trust, session expiration, continuous-access evaluation and token protection all help reduce the risk of session hijacking.
Mistake #5: Forgetting about privileged accounts
Problem: It's understood that admin accounts deserve stronger protection than standard users, though security teams don't always put this into practice. If attackers compromise some types of privileged accounts, they might be able to disable MFA controls for selected targets or everyone in an organization.
Solution: Global administrators for SaaS platforms, cloud infrastructure administrators, domain administrators and privileged help desk accounts need the strongest available authentication methods. Hardware security keys, phishing-resistant MFA, dedicated administrative workstations and privileged access management (PAM) tools significantly reduce risk.
Mistake #6: Treating MFA as a one-time project
Problem: Organizations often invest heavily in an MFA rollout and then move on to the next initiative. Unfortunately, environments don't stand still. New SaaS applications are introduced, business acquisitions occur, legacy systems remain in production, developers create service accounts and so on. It's not uncommon for exceptions to accumulate.
Solution: Conduct periodic reviews that ask:
- Which users are still exempt from MFA?
- Which applications don't support modern authentication?
- Are stronger authentication methods available?
- Have risky authentication patterns changed?
- Are conditional access policies still aligned with business requirements?
Treat MFA as an operational security program rather than a completed project.
Mistake #7: Preparing for AI-assisted social engineering
Problem: Attackers are getting better at persuading users to approve authentication requests, often aided by AI. AI-generated phishing emails, realistic voice cloning and other deepfakes, as well as highly personalized social engineering, make it easier to trick users into approving MFA prompts or sharing authentication codes.
Solution: These problems make user education even more important. Employees should understand that security teams, help desks or vendors should never ask them to approve an unexpected MFA request or provide a verification code over the phone. To reinforce this, frequently update awareness training.
MFA is a foundation, not a finish line
Despite these challenges, MFA remains one of the most effective security controls available. Organizations should view MFA as one component of a broader identity security strategy that includes phishing-resistant authentication, conditional access, PAM, session protection, continuous monitoring and regular policy reviews.
When implemented thoughtfully and maintained over time, MFA stops countless attacks every day. The organizations that get the most value from MFA are the ones that recognize it's not a "final state" for authentication. Instead, it's one of the core foundations of a stronger identity security program.
Dave Shackleford is founder and principal consultant at Voodoo Security, as well as a SANS analyst, instructor and course author, and GIAC technical director.