
Cybersecurity Awareness Month: MFA matters more than ever
October is Cybersecurity Awareness Month (CAM), a global initiative dedicated to raising awareness about online safety. CAM is an annual reminder that cybersecurity is built on four foundational practices that every organization must follow to stay secure.

CAM Core 4 – four simple steps to stay safe online, via CISA
Of these core practices, enabling multifactor authentication (MFA) is one of the most effective ways to protect your accounts and data. The National Cybersecurity Alliance reports that enabling MFA can prevent 99% of automated hacking attacks. MFA is not infallible though, so let’s take a closer look at what it is, how it works, and how we can make the most of this practice.
What Is MFA and How Did It Come About?
MFA is a security process that requires users to verify their identity using two or more independent factors. These factors fall into several categories:
- Knowledge: Something you know (password, PIN, security question)
- Possession: Something you have (smartphone, hardware token, smart card, one-time password)
- Inherence: Something you are (fingerprint, face ID, voice recognition)
- Location and behavior: Somewhere you are (location, IP address, geofencing; used in adaptive MFA)
We don’t have an exact origin for MFA, but the idea has been around for decades. Automated Teller Machines (ATMs) are commonly cited as the first mainstream use of MFA because they required the possession of a physical cheque or card and the knowledge of the PIN. You had to have both to gain access to the associated account.
This security practice didn’t become known as MFA until much later, when regulatory and standards bodies began including it as a control. As online services and cyberthreats increased, MFA grew as a cybersecurity tool and expanded to include mobile apps, biometrics, and the adaptive risk-based (contextual) checks used in zero trust environments.
MFA and two-factor authentication (2FA) are sometimes used interchangeably, but they are two different practices. 2FA requires exactly two factors from separate categories, and this is what many consumer applications use to secure customer logins. MFA can combine two or more types of credentials, such as a password, a mobile device or a biometric check. Deploying more than two factors or contextual checks is much more secure than 2FA.
How attackers bypass 2FA / MFA
Attackers have been getting better at bypassing MFA security. Here are some of the ways they’ve been circumventing the second authentication factor:
- Phishing kits like Whisper 2FA that can intercept one-time codes.
- Adversary-in-the-middle (AiTM) or proxy attacks that can relay credentials and MFA codes to attackers in real time. These attacks intercept traffic and manipulate authentication.
- MFA fatigue/push bombing is an attack that floods users with repeated login/MFA prompts. This tactic works when people approve the login just to get the alerts to stop.
- SIM swap attacks involve threat actors hijacking phone numbers to intercept authorization codes. Here’s one example of a SIM swap against the US Securities and Exchange Commission.
- Help desk/social engineering scams, where threat actors impersonate users to trick IT staff into granting access to an account.
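The push-bombing pattern described above is visible in authentication logs: one account receives a burst of push prompts that are denied or time out, sometimes ending in a single approval when the user gives in. The following is an added example (not code from the post or from Barracuda) of a sliding-window detector run over a constructed log sample; the log format (`timestamp,user,event,result,source_ip`), the usernames, addresses and thresholds are all assumptions for the illustration.

```python
"""Flag MFA push-bombing (MFA fatigue) from authentication log lines.

Added example, not the blog's or Barracuda's code. The log format is a
constructed, hypothetical CSV: timestamp,user,event,result,source_ip.
A user is flagged when THRESHOLD or more push prompts arrive within WINDOW
and at least half of them were not approved. The alert also records whether
any prompt in the flood was approved, which is the case that needs an
immediate session review rather than just a notification.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5               # prompts within the window before we alert
WINDOW = timedelta(minutes=10)

# Constructed sample: alice is bombarded and finally approves; bob is normal.
SAMPLE_LOG = """\
2025-10-06T08:59:50,alice,password,success,203.0.113.7
2025-10-06T09:00:01,alice,mfa_push,denied,203.0.113.7
2025-10-06T09:00:40,alice,mfa_push,denied,203.0.113.7
2025-10-06T09:01:15,alice,mfa_push,timeout,203.0.113.7
2025-10-06T09:02:02,alice,mfa_push,denied,203.0.113.7
2025-10-06T09:02:50,alice,mfa_push,denied,203.0.113.7
2025-10-06T09:03:30,alice,mfa_push,approved,203.0.113.7
2025-10-06T09:05:00,bob,mfa_push,approved,198.51.100.9
2025-10-06T13:10:00,bob,mfa_push,approved,198.51.100.9
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, user, event, result, ip = line.split(",")
    return datetime.fromisoformat(ts), user, event, result, ip


def detect_push_bombing(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {user: alert} for users whose push prompts exceed the threshold
    inside the sliding window with at least half of them not approved."""
    recent = defaultdict(deque)   # per-user (timestamp, result) within window
    alerts = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, event, result, ip = parse_line(line)
        if event != "mfa_push":
            continue
        q = recent[user]
        q.append((ts, result))
        while q and ts - q[0][0] > window:   # drop prompts older than window
            q.popleft()
        if len(q) >= threshold:
            unapproved = sum(1 for _, r in q if r != "approved")
            if unapproved * 2 >= len(q):
                alerts[user] = {
                    "count": len(q),
                    "first": q[0][0].isoformat(),
                    "last": ts.isoformat(),
                    "last_ip": ip,
                    # True means the flood ended in an approval: treat the
                    # resulting session as suspect and revoke/verify.
                    "approved_during_flood": any(r == "approved" for _, r in q),
                }
    return alerts


if __name__ == "__main__":
    for user, alert in detect_push_bombing(SAMPLE_LOG.splitlines()).items():
        print(user, alert)
```

In production the same logic would run against the identity provider's sign-in events rather than a CSV, and the threshold should be tuned to the organisation's baseline; the key design choice is keeping the "approved after a flood" flag separate, because that outcome is the one the attacker is hoping for and is what should trigger token revocation and a conversation with the user.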
You can defend against these attacks with phishing-resistant MFA (hardware keys, app-based authenticators), by educating users about push fatigue and phishing, and by hardening help desk and account recovery procedures.
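The reason phishing-resistant MFA holds up against relay attacks is that the verifier can check where the authentication happened. The added example below (not from the post or Barracuda) contrasts a standard RFC 6238 TOTP check, whose input contains nothing about the page the code was typed on, with a simplified WebAuthn-style assertion whose signature covers the relying party ID and the browser-supplied origin. The authenticator "signature" is an HMAC stand-in keyed with a per-credential secret so the script needs only the standard library; real authenticators use a public-key signature, and real browsers additionally refuse to offer a credential to a page on another origin at all. Hostnames, secrets, challenge bytes and the timestamp are constructed for the illustration.

```python
"""Origin binding: why OTP codes relay and WebAuthn-style assertions do not.

Added example, not the blog's or Barracuda's code. The TOTP part follows
RFC 6238 (HMAC-SHA1, 30 s step, 6 digits). The assertion part is a
simplification: the signature is an HMAC with a per-credential secret
standing in for the authenticator's private-key signature. All names,
secrets and the fixed timestamp are constructed.
"""
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://login.example.com"   # constructed relying-party origin
RP_ID = "login.example.com"


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time counter with dynamic truncation."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def verify_totp(secret: bytes, code: str, at_time: int) -> bool:
    """Verifier side. Note there is no origin input: a code captured on a
    lookalike page verifies exactly like one typed on the real page."""
    return hmac.compare_digest(totp(secret, at_time), code)


def make_assertion(cred_secret: bytes, rp_id: str, origin: str, challenge: bytes) -> dict:
    """Simplified WebAuthn-style assertion. The browser fills in the origin;
    the signed data is SHA-256(rpId) || SHA-256(clientDataJSON)."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin})
    signed = (hashlib.sha256(rp_id.encode()).digest()
              + hashlib.sha256(client_data.encode()).digest())
    sig = hmac.new(cred_secret, signed, hashlib.sha256).digest()  # stand-in signature
    return {"client_data": client_data, "rp_id": rp_id, "signature": sig}


def verify_assertion(cred_secret: bytes, assertion: dict, expected_challenge: bytes,
                     expected_origin: str = REAL_ORIGIN, expected_rp: str = RP_ID) -> bool:
    """Relying-party check: origin, rpId and challenge must match, and the
    signature must cover exactly those values."""
    cd = json.loads(assertion["client_data"])
    if cd.get("origin") != expected_origin or assertion["rp_id"] != expected_rp:
        return False
    if cd.get("challenge") != expected_challenge.hex():
        return False
    signed = (hashlib.sha256(assertion["rp_id"].encode()).digest()
              + hashlib.sha256(assertion["client_data"].encode()).digest())
    expected_sig = hmac.new(cred_secret, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def demo() -> dict:
    """Run both verifiers on a genuine login and on a lookalike-origin login."""
    totp_secret = b"constructed-totp-seed"
    cred_secret = b"constructed-credential-secret"
    now = 1_760_000_000                      # fixed time for reproducibility
    challenge = bytes(range(16))             # constructed RP challenge

    # The OTP is the same six digits wherever the prompt was displayed.
    code = totp(totp_secret, now)

    genuine = make_assertion(cred_secret, RP_ID, REAL_ORIGIN, challenge)
    lookalike = make_assertion(cred_secret, RP_ID, "https://login.example-com.test", challenge)
    # Rewriting the origin field after the fact breaks the signature instead.
    rewritten = dict(lookalike, client_data=genuine["client_data"])

    return {
        "totp_accepted": verify_totp(totp_secret, code, now),
        "assertion_real_origin": verify_assertion(cred_secret, genuine, challenge),
        "assertion_lookalike_origin": verify_assertion(cred_secret, lookalike, challenge),
        "assertion_origin_rewritten": verify_assertion(cred_secret, rewritten, challenge),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The contrast is the whole point: the TOTP verifier accepts the code no matter which page collected it, while the assertion is only valid for the origin and RP ID that were signed, so a login performed against a lookalike host cannot be replayed to the real service. The TOTP routine can be checked against the RFC 6238 reference vector (seed `12345678901234567890`, time 59 gives `287082` at six digits).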
Deploying and managing MFA
A successful MFA rollout starts with strategy and user training. Educate users about credential attacks and why MFA is such an important defense. Like any IT project, stakeholder support will make the rollout much smoother. Working with the stakeholders will also help you determine risk levels and MFA requirements for users and groups.
When you’re ready to deploy, start with the privileged accounts. Protect the administrative and executive accounts before extending to the rest of the users. Be sure to cover everything: VPNs, email, remote access, SaaS and cloud applications, etc. If appropriate, use stronger authentication for higher-risk accounts.
If possible, deploy single sign-on (SSO), adaptive MFA, and push-based authentication to make secure authentication easy on the users. And don’t forget to establish secure recovery policy and backup options, ongoing user training and offboarding for departing employees.
Beyond MFA: Zero Trust Access
While MFA is a critical layer of defense, zero trust access goes further. Zero trust assumes that no user or device is inherently trusted, even inside the network. Modern zero-trust platforms, such as Barracuda SecureEdge Zero Trust Access, combine MFA with advanced access controls to block unauthorized access—even if attackers have valid credentials or session tokens.
Cybersecurity is a shared responsibility. Enabling MFA is one of the simplest and most effective steps you can take to protect yourself and your organization. As phishing kits and adversary-in-the-middle attacks become more sophisticated, it’s essential to use strong, phishing-resistant MFA and consider moving toward zero trust access for even greater protection.
