
MFA Adds an Extra Layer of Security to Minimize Risk

Pondurance
October 8, 2025

A secure cyber program starts with good credentials. Every organization should encourage employees to create strong passwords that are long, random, and never reused, or to use a password manager to generate them. Then, to add an extra layer of security, organizations should implement multifactor authentication (MFA).


The Cybersecurity and Infrastructure Security Agency (CISA) recommends that all organizations implement MFA, specifically phishing-resistant MFA, for every account and service. For Cybersecurity Awareness Month 2025 in October, CISA suggests all organizations take one action per day to improve their cybersecurity — and implementing MFA is a smart action to take to minimize risk, help protect data, and improve regulatory compliance. Let’s explore some of the broad questions your organization may have about MFA.


What is MFA?

MFA is an authentication method that requires a user to provide two or more factors, or forms of identification, during login. First, the user enters the username and password; second, the user is prompted for one or more other factors before being given access to the account. This extra step is important because, even if a threat actor has compromised a user’s password, the threat actor can’t log in without providing the second layer of authentication.


The factors used by MFA fall into three distinct categories, and each comes with its own pros and cons. 


  • Knowledge factors involve something users know, such as passwords, four-digit PINs, code words, and answers to security questions. These factors are easy to use but are vulnerable to brute-force attacks.

  • Possession factors include something users have, such as physical objects like keys, smartphones, badges, drives, and token devices. These factors remain secure as long as the physical object is not lost or stolen.

  • Inherence factors include something users are, that is, biometrics such as fingerprints, facial recognition, retina scans, and voice recognition. Biometrics are unique and convenient for users, but organizations must collect and store this information in a protected environment.


Having MFA is also a legal requirement for specific industries and activities. For example, all U.S. federal agencies are required by executive order to implement MFA, and the Payment Card Industry Data Security Standard (PCI DSS) 4.0 mandates MFA for all business accounts with access to the cardholder data environment. In addition, MFA is an “essential requirement” for obtaining cyber insurance coverage, according to the Sophos Guide to Cyber Insurance.


Why use phishing-resistant MFA?

Using MFA makes accounts more secure than using only a username and password, but MFA is not without risk. When it comes to the types of MFA, there’s a hierarchy of security, with phishing-resistant MFA — the MFA that CISA recommends — in the top position. Other types of MFA are, without doubt, better than not using MFA, but they can leave accounts vulnerable to attack. 


Threat actors use many methods to gain access to a user’s MFA credentials. The most prevalent attacks on MFA include:


  • Phishing. Threat actors use this attack to gain access to account credentials and ultimately work their way into networks. In a typical attack, a threat actor sends a fake email that appears to come from a trusted source to trick the user into clicking a link that leads to a malicious website. The user enters the username, password, and authenticator code on the site’s login page, and the threat actor captures all of them.

  • Push bombing. This attack, also known as MFA fatigue, requires that the threat actor already has the user’s username and password. With those credentials, the threat actor attempts to log in to the user’s account, which generates an MFA push notification on the user’s device. The user may think the notification is legitimate and accept it, or the user may reject it, in which case the threat actor keeps sending notifications until the user finally accepts out of fatigue.

  • Exploitation of Signaling System 7 (SS7) protocol vulnerabilities. Threat actors exploit weaknesses in SS7, the signaling protocol used between telephone networks, to intercept MFA codes sent by text or voice to a phone.

  • SIM swaps. Threat actors trick users into switching their existing service to a SIM card under their malicious control so that they can take over the user’s phone number to receive MFA notifications and gain access to the account. 
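The push-bombing pattern above also leaves a footprint in identity-provider logs, and that is where a defender can catch it. As an added illustration that is not part of the original post, here is a Go sliding-window detector run over constructed sample push events (the user names, timestamps and the `push_denied`/`push_approved` result labels are invented, not a real product's schema): it flags any user who receives four or more pushes within ten minutes and records whether such a burst ended in an approval.

```go
package main

import "time"

// Constructed identity-provider MFA push events (not real product logs), one per push
// sent to a user's phone, in chronological order as a SIEM would deliver them.
type pushEvent struct{ at time.Time; user, result string }

var sampleEvents = []pushEvent{
	{at("2025-10-08T02:14:03Z"), "alice", "push_denied"},
	{at("2025-10-08T02:14:21Z"), "alice", "push_denied"},
	{at("2025-10-08T02:14:52Z"), "alice", "push_denied"},
	{at("2025-10-08T02:15:30Z"), "alice", "push_denied"},
	{at("2025-10-08T02:17:40Z"), "alice", "push_approved"}, // gave in after the burst
	{at("2025-10-08T09:01:10Z"), "bob", "push_approved"},   // normal single login
	{at("2025-10-08T11:20:00Z"), "carol", "push_denied"},   // isolated events, hours apart
	{at("2025-10-08T15:45:12Z"), "carol", "push_approved"},
}
func at(s string) time.Time {
	t, _ := time.Parse(time.RFC3339, s)
	return t
}
// Alert: pushes in the latest window that met the threshold, and whether the burst
// ended in an approval, the strongest MFA-fatigue signal and the one to escalate first.
type Alert struct{ Pushes int; ApprovedAfterBurst bool }
// DetectPushBombing flags any user who receives at least threshold pushes inside a
// sliding window of the given length.
func DetectPushBombing(events []pushEvent, window time.Duration, threshold int) map[string]Alert {
	byUser := map[string][]pushEvent{}
	for _, e := range events {
		byUser[e.user] = append(byUser[e.user], e)
	}
	alerts := map[string]Alert{}
	for user, evs := range byUser {
		start := 0 // index of the oldest push still inside the window ending at evs[i]
		for i, e := range evs {
			for evs[start].at.Before(e.at.Add(-window)) {
				start++
			}
			if n := i - start + 1; n >= threshold {
				a := alerts[user]
				a.Pushes, a.ApprovedAfterBurst = n, a.ApprovedAfterBurst || e.result == "push_approved"
				alerts[user] = a
			}
		}
	}
	return alerts
}
// DetectSample runs the detector over sampleEvents with a 10-minute window and 4 pushes.
func DetectSample() map[string]Alert { return DetectPushBombing(sampleEvents, 10*time.Minute, 4) }
```

Tune the window and threshold to your own baseline of legitimate retries; an approval that follows a qualifying burst is the alert to investigate first.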


Phishing-resistant MFA is the highest standard for MFA, as it is the only MFA that is resistant to phishing attacks. Push bombing, SS7, and SIM swap attacks do not apply to this type of MFA. Organizations can implement FIDO/WebAuthn authentication, the only widely available phishing-resistant MFA, which uses a password or biometric factor together with asymmetric key cryptography to protect against phishing. This type of authenticator can be a separate physical token connected to a device over USB, or it can be embedded in a laptop or phone.


Public key infrastructure (PKI)-based MFA is another form of phishing-resistant MFA. With PKI-based MFA, user credentials are kept in a security chip on a smart card, such as a federal government personal identity verification (PIV) card, that is connected to the user’s login device.


Phishing-resistant MFA uses cryptographic measures to protect against other threats as well. It prevents authenticators from being used at fake websites, removes the need for users to type credentials into online form fields, stops threat actors from using stolen credentials in replay attacks, and keeps attackers who lure users to a fake website from capturing credentials and relaying them in a man-in-the-middle attack.
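To make the origin-binding and replay arguments concrete, here is an added, deliberately simplified Go model of the FIDO/WebAuthn exchange; it is not the real WebAuthn data format and not Pondurance's or any vendor's code, and the relying party origin, the lookalike origin used in testing and the challenge format are constructed assumptions. The authenticator signs the challenge together with the origin the browser reports, so an assertion collected at a fake website, replayed, or relabeled fails verification at the legitimate site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// Constructed, simplified model of FIDO/WebAuthn origin binding (not the real wire format):
// the authenticator signs the challenge together with the origin the browser is actually on.
const rpOrigin = "https://login.example.test" // hypothetical relying party origin
type Challenge [16]byte
type Assertion struct{ Origin string; Challenge Challenge; Sig []byte }     // returned by the browser
type RelyingParty struct{ pub *ecdsa.PublicKey; pending map[Challenge]bool } // issued, unused challenges
// signedHash binds the signature to the browser-observed origin and the challenge.
func signedHash(origin string, c Challenge) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), c[:]...))
	return h[:]
}
// Register creates the key pair on the authenticator; the RP stores only the public key.
func Register() (*ecdsa.PrivateKey, *RelyingParty) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return priv, &RelyingParty{&priv.PublicKey, map[Challenge]bool{}}
}
// Sign runs on the authenticator. The browser, not the web page, supplies browserOrigin,
// so a phishing page cannot have the challenge signed for rpOrigin.
func Sign(priv *ecdsa.PrivateKey, browserOrigin string, c Challenge) Assertion {
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedHash(browserOrigin, c))
	return Assertion{browserOrigin, c, sig}
}
// NewChallenge issues a random challenge that Verify will accept only once.
func (rp *RelyingParty) NewChallenge() (c Challenge) {
	rand.Read(c[:])
	rp.pending[c] = true
	return c
}
// Verify rejects replays, phishing relays (wrong origin) and forged or altered assertions.
func (rp *RelyingParty) Verify(as Assertion) error {
	if !rp.pending[as.Challenge] {
		return errors.New("replay: challenge unknown or already used")
	}
	delete(rp.pending, as.Challenge) // consume: a challenge is never accepted twice
	if as.Origin != rpOrigin {
		return errors.New("phishing: assertion was signed for a different origin")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedHash(as.Origin, as.Challenge), as.Sig) {
		return errors.New("forgery: signature does not verify")
	}
	return nil
}
```

Real WebAuthn signs a hash of client data (origin, challenge, type) plus authenticator data, and scopes credentials to a relying party ID; the three checks in Verify map directly onto the phishing, replay and man-in-the-middle protections described above.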


What are other MFA options?

Some organizations can’t immediately implement phishing-resistant MFA because they have systems that do not support it, have difficulty rolling it out to all employees at the same time, or face user resistance to it. For those organizations, there are a few additional MFA options:


  • Mobile push notifications with number matching. If phishing-resistant MFA is not an option for an organization, CISA recommends using mobile push notification with number matching. It’s an app-based authentication method that sends or “pushes” a notification with a series of numbers to the user’s phone or device. The user must enter the series of numbers to approve the request. This MFA option is vulnerable to phishing attacks but is resistant to push bombing. SS7 and SIM swap attacks do not apply.


  • Token-based one-time passcode. This app-based authentication method generates a one-time passcode, which the user must enter to prove possession of the token. This MFA option is also vulnerable to phishing attacks but is resistant to push bombing; SS7 and SIM swap attacks do not apply.


  • Mobile push notifications without number matching. This app-based authentication method pushes a notification to the user’s device, and the user simply opens the app and accepts the notification to approve the request. There are no numbers to enter. This MFA option is vulnerable to phishing and push bombing attacks, and SS7 and SIM swap attacks do not apply.


  • SMS or voice. This MFA method sends a code to the user’s device, and the user retrieves it and uses it to log in. It’s vulnerable to phishing, SS7, and SIM swap attacks, and since there are no push notifications involved, push bombing does not apply. Organizations should only use this form of MFA as a temporary solution.


Do employees need training?

Offering ongoing user awareness training is one of the most critical steps an organization can take to improve cybersecurity. Employees need to understand the importance of using MFA for every single account and service, and training does help. During training, employees can learn to identify possible phishing scams, recognize push bombing attacks, and report unknown notification requests to keep the organization protected from cyberattacks.


Conclusion

Every organization should encourage its employees to use strong passwords for login and implement MFA for an extra layer of security. Using MFA, particularly phishing-resistant MFA, can help minimize your organization’s risk of a cyberattack to protect your sensitive data and improve regulatory compliance.


Ready to strengthen your organization's cybersecurity and ensure compliance? Visit our Compliance page to learn how Pondurance can help you implement robust security measures to protect your sensitive data and meet industry regulations.
