Multifactor Authentication

Also known as:

  • MFA
  • 2FA
  • 2-Step Verification (2SV)

What problem does it target?

Protects against weaknesses in traditional password-based authentication, mainly:

  • Weak or easy-to-guess passwords
  • Stolen credentials through phishing or reuse

Phishing-resistant MFA specifically helps prevent phishing attacks, which many standard MFA methods are still vulnerable to.


What does this solution do?

MFA enforces at least two authentication factors during login.

Common Factors

Regular MFA:

  • Password
  • SMS (one-time password)
  • Email (one-time password)
  • Email (magic link)
  • Authenticator app with time-based one-time password (TOTP), e.g., Google Authenticator
  • App push notification, possibly with number matching

Phishing-resistant MFA:

  • Only allow managed devices to connect
  • FIDO2-compliant hardware token (e.g., YubiKey)

Who is this for?

  • Regular MFA – suitable for almost any user authentication use case
  • Phishing-resistant MFA – recommended when:
    • Phishing is a known risk
    • Systems are critical
    • Users hold high privileges
    • The org has a high security bar

Who might not benefit from this?

  • Systems where low friction is a top business requirement (e.g., eCommerce)
  • Very low risk systems that don’t warrant additional auth layers

Pitfalls and remedies

Pitfall: Coverage – MFA does not cover all user identities or apps
Remedy:
  • Maintain a current application inventory.
  • Implement a centralized SSO solution.
  • Onboard as many applications as possible into SSO and enforce SSO-only logins (no unmanaged local accounts).
  • Review authentication policies regularly.
  • Use SSPM tools to automate these reviews.

Pitfall: Factor selection – Weak or misaligned factor combinations
Remedy:
  • Ensure the selected factors match the risk level of the user and application.
  • Use phishing-resistant methods for admin or sensitive accounts.

Sample products

Regular MFA

  • Built into many business and consumer apps
  • Microsoft Entra ID
  • Okta Single Sign-On (SSO)

Phishing-resistant MFA

  • Microsoft Entra ID Passwordless authentication
  • Okta FastPass
  • YubiKey

All trademarks are property of their respective owners.
Copyright © 2025 Deepblue Consulting – All rights reserved.