Multi-factor authentication

You can authenticate with something you know, something you have, or something you are. Multi-factor authentication (MFA) improves security by requiring two or more of these methods.


In order to authenticate to a system, you need to prove who you are by providing something you know, something you have, or something you are. The most common method of authentication is a password, something you know. The problem is that to remember the multitude of passwords, staff often reuse passwords or use passwords that are easy to guess.

Attackers can steal credentials in many different ways, such as:

  • running phishing campaigns focusing on harvesting credentials via a fake login page
  • getting credential dumps from websites like Pastebin
  • using tools like Mimikatz inside your network to obtain credentials.

We’ve seen incidents where attackers have gained access to systems using stolen credentials. These incidents could’ve been prevented by having a second factor of authentication. Two common methods of MFA are using a one-time password (OTP) from a device, or a universal 2nd factor (U2F) security key device like a YubiKey.


Organisations have secure MFA methods configured and enabled across all accounts on internet-facing and administrative services.

Measuring success

There are multiple secure authentication combinations that can be used for MFA. Regardless of the combinations, the goals of this control are below:

  • All internet-facing and administrative services require users to enable MFA to access the system. Users are not able to access these systems without MFA.
  • The MFA methods you use do not have known vulnerabilities and are not deprecated by standard setting bodies, such as NIST.
  • For systems your organisation owns and manages, the MFA authentication module you use is kept up-to-date. Any related dependencies of the module are also kept up-to-date. The infrastructure that the module runs on is hardened (unused ports are blocked and it is patched).
  • Logs are recorded and stored in a central location to capture:
    1. changes to MFA configurations and policies, and
    2. suspicious, denied, or bypassed authentication attempts.

Multi-factor authentication: key takeaways

  • Although it can take a lot of time to educate users about the process and to get the system configured, this control would stop most of the unauthorised access incidents that we see.
  • If you use systems that don’t allow you to set up MFA, assess the risk of unauthorised access to these systems. If they’re accessible over the internet, they’re at a much higher risk of unauthorised access. You may want to consider alternative systems that do allow MFA instead.
  • Some MFA methods are easier to bypass, like codes sent by SMS, and are considered deprecated by the information security industry. Notifications sent over SMS can be intercepted and sent to an unauthorised person. If a notification by SMS is the only method available, it is better than not having it at all.
  • Review the methods available; some are better than others. Methods using OTP are vulnerable to phishing or social engineering. U2F methods are the safest.
  • Using MFA can give you insights into what’s happening at the perimeter of your systems. MFA logs can show:
    • suspicious logins from unusual IPs or locations
    • denied authentication attempts
    • multiple unfinished authentication attempts.

These actions can be indicators of active threats that are targeting your organisation. You can feed these into your incident management process.
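
The indicators listed above can be checked for mechanically once MFA logs are stored centrally. The following is an added example, not part of the original guidance: it scans constructed MFA log events for unusual IPs, denied attempts, repeated unfinished attempts and MFA configuration changes. The event names, field names and the KNOWN_IPS baseline are assumptions for illustration, not any product's log schema.

```python
import json
from collections import defaultdict

# Constructed sample events; the field names (ts, user, ip, event) are
# assumptions for this example, not any product's real log schema.
SAMPLE_LOG = """\
{"ts": 100, "user": "alice", "ip": "192.0.2.10", "event": "challenge_issued"}
{"ts": 105, "user": "alice", "ip": "192.0.2.10", "event": "mfa_success"}
{"ts": 200, "user": "bob", "ip": "198.51.100.7", "event": "challenge_issued"}
{"ts": 230, "user": "bob", "ip": "198.51.100.7", "event": "challenge_issued"}
{"ts": 260, "user": "bob", "ip": "198.51.100.7", "event": "challenge_issued"}
{"ts": 300, "user": "alice", "ip": "203.0.113.99", "event": "challenge_issued"}
{"ts": 304, "user": "alice", "ip": "203.0.113.99", "event": "mfa_denied"}
{"ts": 400, "user": "carol", "ip": "192.0.2.44", "event": "mfa_policy_changed"}
"""

# Assumed per-user baseline of IPs seen in earlier, legitimate logins.
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"198.51.100.7"}, "carol": {"192.0.2.44"}}
UNFINISHED_THRESHOLD = 3  # open challenges per user before we flag them


def find_indicators(log_text, known_ips, threshold=UNFINISHED_THRESHOLD):
    """Return a sorted list of (user, indicator) findings."""
    findings = set()
    pending = defaultdict(int)  # challenges issued but not yet answered, per user
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        user, ip, event = e["user"], e["ip"], e["event"]
        if ip not in known_ips.get(user, set()):
            findings.add((user, "unusual_ip"))
        if event == "challenge_issued":
            pending[user] += 1
        elif event in ("mfa_success", "mfa_denied"):
            pending[user] = max(0, pending[user] - 1)  # challenge was answered
            if event == "mfa_denied":
                findings.add((user, "denied_attempt"))
        elif event == "mfa_policy_changed":
            findings.add((user, "mfa_config_change"))
    for user, count in pending.items():
        if count >= threshold:
            findings.add((user, "multiple_unfinished_attempts"))
    return sorted(findings)


if __name__ == "__main__":
    for user, indicator in find_indicators(SAMPLE_LOG, KNOWN_IPS):
        print(f"{user}: {indicator}")
```

Findings like these are the kind of signal that can be passed to your incident management process; the threshold and baseline need tuning to your own login patterns.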

Advice for implementation

Implementing multi-factor authentication