Multi-Factor Authentication (MFA)

Stolen credentials are the easiest way into a company. Phishing emails and leaked password lists supply attackers with fresh material every day, and a single password does little to counter this. Multi-factor authentication (MFA) addresses this weak point: the login requires additional, independent proofs that are much harder to steal remotely. Hardly any other measure reduces the risk of account takeovers so effectively at comparatively low effort.

What is multi-factor authentication?

Multi-factor authentication means that a login requires at least two proofs from different categories. The classic categories are knowledge, that is a password or PIN; possession, such as a smartphone, a smart card, or a security key; and biometrics such as a fingerprint or facial recognition. The independence of the factors is decisive: two passwords do not constitute MFA, because both come from the same category and can be stolen the same way. Only the combination of different categories forces attackers to overcome several hurdles at once, for example to intercept a password and additionally get hold of the target person's smartphone. In everyday use, MFA appears as an additional prompt after the password, behind which stands a separate, technically independent proof.

How does MFA work?

All methods share the same sequence: after the first factor, the service requests a second proof and grants access only after checking it. The methods differ considerably, however, in convenience and protective effect:

  • TOTP apps: An authenticator app generates time-based one-time codes that are entered in addition to the password. A solid basis, but interceptable on fake login pages.
  • Push confirmation: A login attempt triggers a message on the smartphone that the user confirms. Variants with number matching make it harder to tap it away thoughtlessly.
  • Hardware tokens: A separate device generates codes or confirms requests. The factor stays separate from the work computer and survives its compromise.
  • FIDO2 and passkeys: Cryptographic key pairs are bound to the real web address of the service. A recreated phishing page simply receives no valid response, which is why these methods are considered phishing-resistant.
  • SMS codes: One-time codes by SMS are better than a password alone, but are considered the weakest variant because of attacks such as SIM swapping.
  • Backup methods: Recovery codes and fallback factors prevent a lost smartphone from locking out employees. Weak recovery paths undermine strong factors and therefore belong in the concept from the start.

All confirmation methods have one limit: in what is known as MFA fatigue, attackers who already have the password bombard the target person with push requests until one of them is confirmed out of annoyance. Number matching, limited attempts, and the switch to FIDO2 defuse this pattern.

Why MFA matters

  • Stolen passwords alone are no longer enough for an account takeover.
  • Phishing-resistant methods such as FIDO2 remove the basis from fake login pages.
  • Remote access and admin consoles are an easy target without a second factor.
  • Cyber insurers and auditors now regularly require MFA for critical access.
  • The NIS-2 Directive explicitly lists MFA in its catalog of measures for risk management.
  • Its introduction is inexpensive relative to the protective effect and quick to implement.

Typical scenarios

  • All accounts of the cloud workplace are made subject to mandatory MFA, starting with administrators and mailboxes with far-reaching permissions.
  • Remote access via ZTNA or VPN requires, in addition to the password, a confirmation via app or security key.
  • Administrative access to servers and network equipment is switched to hardware keys.
  • A company introduces passkeys for employees and thereby also reduces the effort for password resets.
  • External service providers are granted access only after logging in with a second factor.

MFA or 2FA: where is the difference?

Two-factor authentication (2FA) is a special case of MFA: exactly two factors, while MFA as an umbrella term allows two or more. Every 2FA is therefore an MFA, but the reverse does not necessarily hold. More important for practice than the number is the quality of the factors. A password plus SMS code is formally 2FA, but protects considerably more weakly than a passkey on a registered device. Anyone formulating security requirements should therefore name specific methods instead of prescribing only the number of factors. Regulators follow this logic too and increasingly require methods that hold up against phishing. For access that especially needs protection, the step to phishing-resistant methods is worth more than a third factor.

MFA at KAEMI

KAEMI anchors MFA where it has the greatest effect in the enterprise network: in access to applications and infrastructure. In projects around SASE/SSE: Secure Access , login with strong factors becomes the prerequisite for every connection, with identity and device state checked together. This creates an access model in which a stolen password alone no longer opens a way into the enterprise network. For introduction and rollout, KAEMI provides support as part of Professional & Managed Services , from selecting suitable methods to connecting existing directory services. If you would like to introduce MFA for remote access or administrative access, talk to us .

Frequently asked questions about Multi-Factor Authentication (MFA)

What counts as an independent factor in MFA?

An independent factor comes from its own category: knowledge such as a password, possession such as a smartphone or security key, biometrics such as a fingerprint. Two proofs from the same category, for example password and security question, do not constitute real MFA. The technical separation is also important: if the password and the code generator are on the same compromised device, the gain shrinks considerably.

Which MFA methods are considered phishing-resistant?

Methods based on FIDO2, that is passkeys and hardware security keys, as well as certificate-based logins with smart cards. They bind the proof cryptographically to the real address of the service, so a recreated login page gets no usable response. One-time codes from apps or by SMS, by contrast, can be intercepted on phishing pages and reused in real time.

What is MFA fatigue and what helps against it?

MFA fatigue refers to attacks in which perpetrators with a stolen password trigger push requests until the annoyed target person confirms one of them. What helps against it: number matching between the login screen and the app, a limit on requests, training of staff, and in the long term the switch to FIDO2 methods, in which there is no longer a confirmable request.

Is SMS still acceptable as a second factor?

SMS codes are considerably better than a password alone, but the weakest MFA variant: they can be intercepted via SIM swapping, through vulnerabilities in the mobile network, or on phishing pages. Acceptable as an interim solution for accounts with low protection needs, but for administrators, remote access, and financial approvals you should switch to app-based methods or passkeys.

Does NIS-2 require the use of MFA?

The NIS-2 Directive explicitly counts multi-factor authentication and continuous authentication solutions among the measures of cyber risk management, whose use affected companies must assess and implement appropriately. For remote access, privileged accounts, and central administration systems, MFA is therefore effectively a given. How strict the implementation is depends on the risk and criticality of the respective systems.

Want to put this into practice in your own network? Talk to KAEMI, aligned to your requirements and with operations from a single source.