Stolen credentials are the easiest way into a company. Phishing emails and leaked password lists supply attackers with fresh material every day, and a single password does little to counter this. Multi-factor authentication (MFA) addresses this weak point: the login requires additional, independent proofs that are much harder to steal remotely. Hardly any other measure reduces the risk of account takeovers so effectively at comparatively low effort.
What is multi-factor authentication?
Multi-factor authentication means that a login requires at least two proofs from different categories. The classic categories are knowledge, that is a password or PIN; possession, such as a smartphone, a smart card, or a security key; and biometrics such as a fingerprint or facial recognition. The independence of the factors is decisive: two passwords do not constitute MFA, because both come from the same category and can be stolen the same way. Only the combination of different categories forces attackers to overcome several hurdles at once, for example to intercept a password and additionally get hold of the target person's smartphone. In everyday use, MFA appears as an additional prompt after the password, behind which stands a separate, technically independent proof.
How does MFA work?
All methods share the same sequence: after the first factor, the service requests a second proof and grants access only after checking it. The methods differ considerably, however, in convenience and protective effect:
- TOTP apps: An authenticator app generates time-based one-time codes that are entered in addition to the password. A solid basis, but interceptable on fake login pages.
- Push confirmation: A login attempt triggers a message on the smartphone that the user confirms. Variants with number matching make it harder to tap it away thoughtlessly.
- Hardware tokens: A separate device generates codes or confirms requests. The factor stays separate from the work computer and survives its compromise.
- FIDO2 and passkeys: Cryptographic key pairs are bound to the real web address of the service. A recreated phishing page simply receives no valid response, which is why these methods are considered phishing-resistant.
- SMS codes: One-time codes by SMS are better than a password alone, but are considered the weakest variant because of attacks such as SIM swapping.
- Backup methods: Recovery codes and fallback factors prevent a lost smartphone from locking out employees. Weak recovery paths undermine strong factors and therefore belong in the concept from the start.
All confirmation methods have one limit: in what is known as MFA fatigue, attackers who already have the password bombard the target person with push requests until one of them is confirmed out of annoyance. Number matching, limited attempts, and the switch to FIDO2 defuse this pattern.
Why MFA matters
- Stolen passwords alone are no longer enough for an account takeover.
- Phishing-resistant methods such as FIDO2 remove the basis from fake login pages.
- Remote access and admin consoles are an easy target without a second factor.
- Cyber insurers and auditors now regularly require MFA for critical access.
- The NIS-2 Directive explicitly lists MFA in its catalog of measures for risk management.
- Its introduction is inexpensive relative to the protective effect and quick to implement.
Typical scenarios
- All accounts of the cloud workplace are made subject to mandatory MFA, starting with administrators and mailboxes with far-reaching permissions.
- Remote access via ZTNA or VPN requires, in addition to the password, a confirmation via app or security key.
- Administrative access to servers and network equipment is switched to hardware keys.
- A company introduces passkeys for employees and thereby also reduces the effort for password resets.
- External service providers are granted access only after logging in with a second factor.
MFA or 2FA: where is the difference?
Two-factor authentication (2FA) is a special case of MFA: exactly two factors, while MFA as an umbrella term allows two or more. Every 2FA is therefore an MFA, but the reverse does not necessarily hold. More important for practice than the number is the quality of the factors. A password plus SMS code is formally 2FA, but protects considerably more weakly than a passkey on a registered device. Anyone formulating security requirements should therefore name specific methods instead of prescribing only the number of factors. Regulators follow this logic too and increasingly require methods that hold up against phishing. For access that especially needs protection, the step to phishing-resistant methods is worth more than a third factor.
MFA at KAEMI
KAEMI anchors MFA where it has the greatest effect in the enterprise network: in access to applications and infrastructure. In projects around SASE/SSE: Secure Access , login with strong factors becomes the prerequisite for every connection, with identity and device state checked together. This creates an access model in which a stolen password alone no longer opens a way into the enterprise network. For introduction and rollout, KAEMI provides support as part of Professional & Managed Services , from selecting suitable methods to connecting existing directory services. If you would like to introduce MFA for remote access or administrative access, talk to us .