Practice : Multi-Factor Authentication (MFA)

Purpose and Strategic Importance

Multi-Factor Authentication (MFA) significantly strengthens access security by requiring users to provide two or more verification factors to gain access. It mitigates the risk of compromised credentials and is a foundational control in Zero Trust and modern cybersecurity architectures.

MFA protects systems, data, and user accounts from common attack vectors like phishing, credential stuffing, and brute-force attacks - offering an effective, low-friction way to improve enterprise security posture.

Description of the Practice

  • MFA requires at least two of the following: something you know (e.g. password), something you have (e.g. mobile device, hardware token), and something you are (e.g. biometrics).
  • Common implementations include app-based authenticators (e.g. Microsoft Authenticator, Google Authenticator), SMS codes, and hardware keys (e.g. YubiKey).
  • MFA is enforced at key entry points: workforce applications, admin tools, CI/CD systems, cloud infrastructure, and remote access platforms.

How to Practise It (Playbook)

1. Getting Started

  • Prioritise high-value and high-risk access points for initial MFA rollout (e.g. admin consoles, production environments).
  • Choose an MFA provider compatible with your identity systems (e.g. Okta, Azure AD, Duo).
  • Communicate clearly to users - why MFA is needed, how to enrol, and what to expect.
  • Provide fallback and recovery options to reduce friction during rollout.

2. Scaling and Maturing

  • Make MFA mandatory for all privileged accounts and remote access.
  • Extend MFA to developers, contractors, and third parties using SSO or federated access.
  • Implement context-aware MFA (e.g. require only under high-risk conditions or from untrusted devices).
  • Monitor MFA adoption and usage rates, and analyse login behaviour to detect bypass attempts or anomalies.

3. Team Behaviours to Encourage

  • Consider MFA as table stakes - not an optional or burdensome add-on.
  • Support users proactively during rollout to build trust and adoption.
  • Periodically review enforcement coverage and exceptions.
  • Integrate MFA into incident response, threat modelling, and identity reviews.

4. Watch Out For…

  • Poor user experience leading to resistance or workarounds.
  • Over-reliance on weaker second factors (e.g. SMS-based MFA).
  • Unprotected APIs or system accounts that bypass MFA.
  • No clear processes for lost devices, token resets, or emergency access.

5. Signals of Success

  • High MFA adoption and low support friction.
  • Reduced risk from credential-based attacks or account takeovers.
  • Seamless integration with identity providers and SSO flows.
  • MFA coverage includes all privileged access paths and critical systems.
  • Leadership champions MFA as a business enabler, not just a control.