In September 2023, MGM Resorts lost an estimated $100 million after a threat actor bypassed their security by socially engineering a helpdesk employee into resetting MFA credentials. Let that sink in. The company had multi-factor authentication. It still wasn't enough — because the multi-factor authentication setup and the processes surrounding it had critical gaps.

That's the reality I see over and over again. Organizations check the MFA box and assume they're protected. But a sloppy implementation is almost worse than none at all, because it creates a dangerous false sense of security. This guide is about doing it right — the practical, step-by-step way to set up MFA so it actually stops attackers.

Why Multi-Factor Authentication Setup Fails More Often Than You Think

According to the FBI IC3 2022 Internet Crime Report, business email compromise alone accounted for over $2.7 billion in losses. A massive percentage of those attacks started with credential theft — stolen usernames and passwords used to log in as a legitimate employee.

MFA is designed to stop exactly that. Even if an attacker has your password, they need a second factor — a code, a push notification, a hardware key — to get in. The problem? Most organizations deploy MFA with default settings, skip critical user groups, or choose weak second factors that attackers have learned to defeat.

I've audited environments where MFA was "fully deployed" but admin accounts were exempted for convenience. I've seen companies rely entirely on SMS-based codes — a method NIST has flagged as vulnerable to SIM-swapping since 2017. These aren't edge cases. They're the norm.

What Actually Counts as Multi-Factor Authentication?

This is a common search question, so let me answer it directly. Multi-factor authentication requires at least two of these three categories:

  • Something you know — a password, PIN, or security question answer.
  • Something you have — a phone, hardware security key, or smart card.
  • Something you are — a fingerprint, face scan, or other biometric.

Using two passwords is not MFA. Using a password plus a security question is not MFA — both are "something you know." True MFA crosses categories. A password (know) plus an authenticator app code (have) qualifies. A password plus a fingerprint scan qualifies. Get this wrong and your entire setup is theater.

The 7-Step Multi-Factor Authentication Setup That Actually Works

Here's the process I walk organizations through. It's not glamorous, but it closes the gaps that get people breached.

Step 1: Inventory Every Authentication Point

Before you configure anything, map every place users authenticate. This means your email platform, VPN, cloud apps (Microsoft 365, Google Workspace, AWS console), internal line-of-business applications, remote desktop gateways, and any SaaS tools with company data.

The number one mistake I see is partial deployment. If your CRM doesn't have MFA but contains customer data, an attacker will find it. Every authentication point is an entry point.

Step 2: Choose the Right MFA Methods — and Rank Them

Not all second factors are equal. Here's the hierarchy, from strongest to weakest:

  • FIDO2/WebAuthn hardware keys (YubiKey, Google Titan) — phishing-resistant, no codes to intercept.
  • Authenticator apps with number matching (Microsoft Authenticator, Google Authenticator) — strong, especially with push number matching that defeats MFA fatigue attacks.
  • Standard authenticator app TOTP codes — solid, but users can be socially engineered into reading codes aloud.
  • SMS/voice codes — better than nothing, but vulnerable to SIM-swapping and SS7 interception. NIST SP 800-63B has restricted SMS as an authenticator since 2017.

My recommendation: use hardware keys for administrators and high-privilege accounts. Use authenticator apps with number matching for everyone else. Phase out SMS entirely within 12 months.

Step 3: Start with High-Risk Accounts

Deploy MFA to these groups first, with zero exceptions:

  • Domain admins and IT staff
  • C-suite and executive assistants
  • Finance and accounts payable
  • Anyone with access to customer PII or payment data
  • Any account with the ability to create or modify other accounts

The MGM breach I mentioned earlier targeted the helpdesk — an account with the power to reset other people's credentials. High-privilege accounts aren't just sysadmins. Think about who can change things for other people.

Step 4: Enforce MFA at the Identity Provider Level

If you're using Azure AD (now Entra ID), Okta, Google Workspace, or any identity provider, enforce MFA through conditional access policies at that level — not at each individual app. This gives you centralized control and prevents gaps where one app has MFA and another doesn't.

Set conditional access policies that require MFA for all users, all apps, all locations. Then create narrow exceptions only where technically necessary — and document every one.
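To make the "baseline everywhere, narrow documented exceptions" rule concrete, here is a small policy evaluator. It is an added example, not code from the original article and not any vendor's conditional access engine; the `SignIn` and `Exemption` records, the `evaluate` and `audit_exemptions` functions and the sample sign-ins are all constructed for illustration. Entra ID, Okta and Google Workspace each have their own policy schema, but the decision logic they implement is the same shape: refuse clients that cannot present a second factor, require MFA for every user, app and location, and let a request through without MFA only when a documented, time-boxed exemption for exactly that user and app exists.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical simplification of an identity provider's conditional access
# layer. Field names and decisions are this example's own, not a vendor API.

@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    client: str          # "modern" (can do MFA) or "legacy" (IMAP/POP3/SMTP basic auth)
    location: str
    mfa_satisfied: bool  # did this session already present a second factor?

@dataclass(frozen=True)
class Exemption:
    user: str
    app: str
    reason: str          # why MFA is technically impossible for this pairing
    owner: str           # who approved it and re-reviews it
    expires: date        # exemptions are time-boxed; renew or remove them

def is_documented(ex: Exemption, today: date) -> bool:
    """An exemption only counts if it has a reason, an owner and has not lapsed."""
    return bool(ex.reason.strip()) and bool(ex.owner.strip()) and ex.expires >= today

def evaluate(signin: SignIn, exemptions: list, today: date) -> tuple:
    """Return (decision, reason). Decisions: 'block', 'allow', 'require_mfa'."""
    # Legacy protocols cannot present a second factor at all, so the only safe
    # answer is to refuse them regardless of user, app or location.
    if signin.client == "legacy":
        return "block", "legacy authentication client"
    # Baseline rule: MFA for all users, all apps, all locations. The only way
    # around it is a narrow, documented exemption scoped to one user and one app.
    for ex in exemptions:
        if ex.user == signin.user and ex.app == signin.app:
            if is_documented(ex, today):
                return "allow", f"documented exemption owned by {ex.owner}"
            return "block", "exemption is undocumented or expired; renew it first"
    if signin.mfa_satisfied:
        return "allow", "MFA satisfied"
    return "require_mfa", "baseline policy: all users, all apps, all locations"

def audit_exemptions(exemptions: list, today: date) -> list:
    """Exemptions that fail the documentation check; review these every quarter."""
    return [ex for ex in exemptions if not is_documented(ex, today)]

# Constructed sample data for the demo.
TODAY = date(2024, 6, 1)
EXEMPTIONS = [
    Exemption("scanner-svc", "scan-to-email", "device has no MFA-capable client",
              "it-ops@example.com", date(2024, 12, 31)),
    Exemption("old-erp-bot", "erp", "", "", date(2023, 1, 1)),  # no reason, no owner, expired
]
SIGNINS = [
    SignIn("alice", "m365", "modern", "office", mfa_satisfied=True),
    SignIn("alice", "m365", "legacy", "office", mfa_satisfied=False),
    SignIn("bob", "crm", "modern", "home", mfa_satisfied=False),
    SignIn("scanner-svc", "scan-to-email", "modern", "office", mfa_satisfied=False),
    SignIn("old-erp-bot", "erp", "modern", "office", mfa_satisfied=False),
]

if __name__ == "__main__":
    for s in SIGNINS:
        decision, why = evaluate(s, EXEMPTIONS, TODAY)
        print(f"{s.user:12} {s.app:14} {s.client:7} -> {decision:12} ({why})")
    print("exemptions needing review:", [ex.user for ex in audit_exemptions(EXEMPTIONS, TODAY)])
```

The point of `audit_exemptions` is that an exemption without a reason, an owner and an expiry date is treated as a failed control, not as a permanent pass: the evaluator blocks the sign-in rather than silently keeping an undocumented hole open.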

Step 5: Eliminate MFA Fatigue Attack Vectors

In the 2022 Uber breach, an attacker spammed a contractor's phone with push notifications until the person approved one just to make it stop. That's MFA fatigue, and it works disturbingly well.

Counter it by enabling number matching on push notifications. Instead of a simple "Approve/Deny," the user sees a two-digit number on their login screen and must type it into their phone. This simple change destroys the fatigue attack because the user has to actively look at the login page — which they won't have open if they didn't initiate the request.
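The verifier side of that change, as an added example that is not part of the original article and not any authenticator vendor's code: the `PushVerifier` class, its `approve_simple` and `approve_with_number` methods and the `MAX_PENDING_PER_USER` and `CHALLENGE_TTL_SECONDS` limits are assumptions made for illustration. The number is generated by the verifier and shown on the login page only; the phone receives a prompt asking for a number it has not been told. A user who taps a prompt they did not initiate has no page to read from, so the tap cannot complete, and the example also refuses to send further prompts while earlier ones are unanswered, which takes the "spam until they give in" loop away.

```python
import secrets
from dataclasses import dataclass

# Assumed tunables for this simulation, not any vendor's defaults.
CHALLENGE_TTL_SECONDS = 60   # an unanswered prompt expires quickly
MAX_PENDING_PER_USER = 2     # refuse new prompts while this many are unanswered
NUMBER_DIGITS = 2            # size of the number shown on the login page

@dataclass
class PushChallenge:
    user: str
    number: int              # displayed on the login page ONLY, never sent to the phone
    created: float
    state: str = "pending"   # pending -> approved | denied | expired

class PushVerifier:
    def __init__(self):
        self.challenges = {}

    def _expire(self, ch, now):
        if ch.state == "pending" and now - ch.created > CHALLENGE_TTL_SECONDS:
            ch.state = "expired"

    def pending_for(self, user, now):
        for ch in self.challenges.values():
            self._expire(ch, now)
        return [c for c in self.challenges.values() if c.user == user and c.state == "pending"]

    def create(self, user, now):
        """Start a push challenge. Returns (challenge_id, number_for_login_page)."""
        if len(self.pending_for(user, now)) >= MAX_PENDING_PER_USER:
            raise RuntimeError(f"too many unanswered prompts for {user}; refusing to send more")
        cid = secrets.token_hex(8)
        number = secrets.randbelow(10 ** NUMBER_DIGITS)
        self.challenges[cid] = PushChallenge(user, number, now)
        return cid, number

    def approve_simple(self, cid, now):
        """Plain Approve/Deny: any tap succeeds. This is the flow fatigue attacks abuse."""
        ch = self.challenges[cid]
        self._expire(ch, now)
        if ch.state != "pending":
            return False
        ch.state = "approved"
        return True

    def approve_with_number(self, cid, typed, now):
        """Number matching: the tap only counts if the user typed the number from the page."""
        ch = self.challenges[cid]
        self._expire(ch, now)
        if ch.state != "pending":
            return False
        if typed != ch.number:
            ch.state = "denied"   # one wrong entry burns the challenge; no retries
            return False
        ch.state = "approved"
        return True

def demo():
    """Walk through both flows and return the outcomes."""
    v = PushVerifier()
    # Legitimate login: the user reads the number from the page and types it.
    cid, number = v.create("alice", now=0.0)
    legit = v.approve_with_number(cid, number, now=5.0)
    # A prompt the user did not initiate: there is no login page, hence no number.
    # Whatever they type is a guess, and a wrong guess denies the challenge for good.
    cid2, number2 = v.create("alice", now=10.0)
    blind = v.approve_with_number(cid2, (number2 + 1) % (10 ** NUMBER_DIGITS), now=12.0)
    # The same unsolicited prompt under plain Approve/Deny would have gone through.
    cid3, _ = v.create("alice", now=20.0)
    plain = v.approve_simple(cid3, now=22.0)
    # Flood control: with two prompts still unanswered, a third is refused.
    v.create("bob", now=30.0)
    v.create("bob", now=31.0)
    try:
        v.create("bob", now=32.0)
        flooded = False
    except RuntimeError:
        flooded = True
    return {"legit": legit, "blind_guess": blind, "plain_tap": plain, "flood_refused": flooded}

if __name__ == "__main__":
    print(demo())
```

Two design choices matter here: the number never travels to the phone, so the only place it can be read is the page the real user is looking at, and a wrong entry closes the challenge rather than allowing another try, so the two digits cannot be worked through by repetition.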

Step 6: Secure the MFA Recovery and Reset Process

This is where MGM got burned. Your MFA is only as strong as your reset process. If an attacker can call your helpdesk, impersonate an employee, and get MFA removed from an account, your entire investment is worthless.

Implement these controls:

  • Require in-person or video-verified identity confirmation for MFA resets on high-privilege accounts.
  • Use a secondary verification channel — if someone calls the helpdesk, verify via a separate Teams/Slack message to the user's known account.
  • Log and alert on all MFA removal events. Treat them like security incidents until proven otherwise.
  • Never allow a single helpdesk agent to unilaterally disable MFA on any admin account.

Step 7: Train Your People — Because Social Engineering Doesn't Stop at the Login Page

The strongest multi-factor authentication setup in the world can be undermined by a well-crafted phishing email or a smooth-talking social engineering call. Your users need to understand why MFA matters, what MFA fatigue attacks look like, and how to report suspicious push notifications.

This is where ongoing security awareness training becomes essential. I recommend enrolling your team in cybersecurity awareness training that covers real-world attack scenarios, including credential theft, social engineering, and the specific ways attackers target MFA. Pair that with regular phishing awareness training with simulated attacks so employees experience realistic phishing simulations before a real threat actor tests them.

The Zero Trust Connection: MFA Is Layer One, Not the Whole Stack

Multi-factor authentication is the foundation of any zero trust architecture — but it's only the first layer. Zero trust means "never trust, always verify," and MFA handles the verify part at login. But what about after login?

A complete zero trust approach adds continuous verification: device health checks, network segmentation, least-privilege access, and behavioral analytics that flag unusual activity even from authenticated sessions. If a user authenticates with MFA at 9 AM in Chicago and then makes an API call from a Romanian IP at 9:15 AM, something is wrong — and your systems should catch that.
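The Chicago-to-Romania case above is the classic "impossible travel" check, and it is simple enough to implement directly. The code below is an added example, not from the original article or any analytics product: the `SessionEvent` record, the `impossible_travel` function, the `MAX_PLAUSIBLE_KMH` and `MIN_DISTANCE_KM` thresholds and the sample events (with documentation-range IP addresses and pre-resolved coordinates) are all constructed. It walks each user's events in time order and flags any consecutive pair whose great-circle distance could not have been covered at airliner speed, while ignoring small jumps that are just geolocation jitter within one metro area.

```python
import math
from dataclasses import dataclass
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner speed; tune for your users
MIN_DISTANCE_KM = 100.0     # assumption: ignore geolocation noise inside one region

@dataclass(frozen=True)
class SessionEvent:
    user: str
    ts: datetime
    action: str      # e.g. "mfa_login", "api_call"
    ip: str
    lat: float       # geolocation of ip, resolved before this step (constructed here)
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on the Earth's surface."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))

def impossible_travel(events):
    """Compare each user's consecutive events; return a list of alert dicts."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < MIN_DISTANCE_KM:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append({
                    "user": user,
                    "from": f"{prev.action}@{prev.ip}",
                    "to": f"{cur.action}@{cur.ip}",
                    "distance_km": round(dist),
                    "minutes": round(hours * 60),
                    "speed_kmh": round(speed),
                })
    return alerts

# Constructed sample: alice authenticates in Chicago and 15 minutes later an API
# call arrives from a Bucharest address; bob moves within the Chicago area.
SAMPLE_EVENTS = [
    SessionEvent("alice", datetime.fromisoformat("2024-03-04T09:00:00+00:00"),
                 "mfa_login", "203.0.113.10", 41.88, -87.63),
    SessionEvent("alice", datetime.fromisoformat("2024-03-04T09:15:00+00:00"),
                 "api_call", "198.51.100.7", 44.43, 26.10),
    SessionEvent("bob", datetime.fromisoformat("2024-03-04T09:00:00+00:00"),
                 "mfa_login", "203.0.113.20", 41.88, -87.63),
    SessionEvent("bob", datetime.fromisoformat("2024-03-04T09:40:00+00:00"),
                 "api_call", "203.0.113.21", 41.79, -88.15),
]

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_EVENTS):
        print(a)
```

In production the thresholds are the part to tune: a sales team that flies constantly will need a larger window than a help desk that never leaves the building, and VPN egress points should be mapped before geolocation is trusted at all.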

The CISA Zero Trust Maturity Model provides an excellent framework for understanding where MFA fits into the bigger picture. Use it as a roadmap.

Common MFA Deployment Mistakes I See Every Month

Exempting Service Accounts

Service accounts often have broad permissions and long-lived credentials. They're prime targets. If a service account can't support interactive MFA, restrict it by IP allowlist, use certificate-based authentication, and monitor it aggressively.

Ignoring Legacy Protocols

Older protocols like IMAP, POP3, and SMTP basic auth don't support MFA at all. If your environment still allows these, attackers can bypass MFA entirely by authenticating through a legacy channel. Disable legacy authentication protocols. In Microsoft 365, this is a conditional access policy toggle. Do it today.

Not Monitoring MFA Events

If you aren't alerting on failed MFA attempts, MFA resets, and new MFA device registrations, you're flying blind. A burst of failed MFA attempts against one account is a credential stuffing attack in progress. A new MFA device registered to an admin account at 2 AM is a red flag. Build these alerts.
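The three alerts named above (failure bursts, resets, new device registrations) as detection logic run over sample log lines. This is an added example, not from the original article or any SIEM: the key=value log format, the `detect` function, the `ADMIN_USERS` set, the `FAIL_BURST`, `FAIL_WINDOW` and `BUSINESS_HOURS` thresholds and every line of `SAMPLE_LOG` are constructed for illustration, and timestamps are assumed to be in the organization's local time. Real identity providers emit JSON with their own field names, so `parse_line` is the part you would replace; the rules underneath stay the same.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a simple "<timestamp> key=value ..." shape.
SAMPLE_LOG = """\
2024-03-04T02:13:07 event=mfa_device_registered user=admin.jane method=push
2024-03-04T09:01:02 event=mfa_failed user=bob.smith src=203.0.113.10
2024-03-04T09:01:40 event=mfa_failed user=bob.smith src=203.0.113.10
2024-03-04T09:02:15 event=mfa_failed user=bob.smith src=203.0.113.11
2024-03-04T09:02:51 event=mfa_failed user=bob.smith src=203.0.113.12
2024-03-04T09:03:30 event=mfa_failed user=bob.smith src=203.0.113.12
2024-03-04T09:30:00 event=mfa_reset user=carol.lee actor=helpdesk.tom ticket=HD-1042
2024-03-04T10:00:00 event=mfa_device_registered user=dave.kim method=totp
2024-03-04T10:05:00 event=mfa_failed user=erin.wu src=198.51.100.7
2024-03-04T11:05:00 event=mfa_failed user=erin.wu src=198.51.100.7
"""

ADMIN_USERS = {"admin.jane"}          # assumption: fed from your directory's privileged groups
FAIL_BURST = 5                         # this many failures ...
FAIL_WINDOW = timedelta(minutes=10)    # ... inside this window is a burst
BUSINESS_HOURS = range(7, 20)          # 07:00 to 19:59 counts as normal working time

def parse_line(line):
    """Turn '<iso timestamp> k=v k=v' into a dict with a parsed 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for f in fields:
        key, _, value = f.partition("=")
        rec[key] = value
    return rec

def detect(lines):
    """Return alerts as (severity, rule, user, detail) tuples, in log order."""
    alerts = []
    recent_fails = defaultdict(deque)   # user -> failure timestamps inside the window
    burst_fired = set()                 # alert once per user per run, not once per failure
    for rec in (parse_line(l) for l in lines if l.strip()):
        ev, user, ts = rec["event"], rec["user"], rec["ts"]
        if ev == "mfa_reset":
            # Every reset is an incident until a human confirms it was legitimate.
            detail = f"reset by {rec.get('actor', '?')} ticket={rec.get('ticket', 'none')}"
            alerts.append(("high", "mfa_reset", user, detail))
        elif ev == "mfa_device_registered":
            off_hours = ts.hour not in BUSINESS_HOURS
            if user in ADMIN_USERS:
                sev = "high" if off_hours else "medium"
                alerts.append((sev, "admin_device_registered", user, f"at {ts:%H:%M}"))
            else:
                alerts.append(("low", "device_registered", user, f"at {ts:%H:%M}"))
        elif ev == "mfa_failed":
            q = recent_fails[user]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:   # slide the window forward
                q.popleft()
            if len(q) >= FAIL_BURST and user not in burst_fired:
                burst_fired.add(user)
                alerts.append(("high", "mfa_failure_burst", user,
                               f"{len(q)} failures within {FAIL_WINDOW}"))
    return alerts

if __name__ == "__main__":
    for sev, rule, user, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"[{sev:6}] {rule:24} {user:12} {detail}")
```

Run against the sample, this raises the 2 AM admin registration as high, bob.smith's five failures in under three minutes as a burst, the helpdesk reset as high, and dave.kim's daytime registration as a low-priority review item; erin.wu's two failures an hour apart stay below the burst threshold and produce nothing.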

Treating MFA as a One-Time Project

New employees join. New apps get added. Mergers and acquisitions bring in entire environments with their own authentication stacks. MFA coverage must be audited quarterly at minimum. I recommend adding MFA coverage to your security dashboard right next to patch compliance and vulnerability counts.

What About Passwordless? Is MFA Still Relevant?

Passwordless authentication — using FIDO2 keys or device-bound biometrics as the primary factor — is the direction the industry is heading. Microsoft, Google, and Apple all pushed passkey support hard in 2023. But passwordless doesn't eliminate MFA. It replaces the weakest factor (the password) with a stronger one.

For most organizations in 2024, the practical move is to deploy strong MFA now and plan a passwordless roadmap for the next 18-24 months. Don't let perfect be the enemy of deployed. Get MFA right today, and you'll have the foundation to go passwordless when your environment is ready.

The Real Cost of Skipping MFA Setup

The 2023 Verizon Data Breach Investigations Report found that stolen credentials were involved in roughly 50% of all breaches. The IBM Cost of a Data Breach Report 2023 put the global average breach cost at $4.45 million. For organizations using strong MFA and zero trust principles, that number dropped significantly.

These aren't abstract numbers. They're legal fees, forensic investigation costs, regulatory fines, customer notification expenses, and the incalculable damage of lost trust. A properly executed multi-factor authentication setup is one of the highest-ROI security investments any organization can make.

Your MFA Checklist — Start This Week

  • Inventory all authentication points across cloud, on-prem, and SaaS applications.
  • Deploy hardware security keys to all admin and high-privilege accounts.
  • Enable authenticator apps with number matching for all remaining users.
  • Disable SMS-based MFA and legacy authentication protocols.
  • Enforce MFA through your identity provider's conditional access policies.
  • Harden your helpdesk MFA reset process with multi-channel verification.
  • Build alerts for failed MFA, MFA resets, and new device registrations.
  • Audit MFA coverage quarterly.
  • Enroll your organization in phishing simulation training to test employee resilience against social engineering and credential theft attacks.
  • Launch ongoing cybersecurity awareness training so every employee understands the role they play in identity security.

Multi-factor authentication isn't a product you buy. It's a discipline you maintain. The threat actors targeting your organization right now have playbooks specifically designed to defeat lazy MFA deployments. Your job is to make sure your setup isn't lazy — and to keep pressure-testing it every quarter with simulations, audits, and training that reflects the threats of 2024, not 2019.

Start with the checklist above. You'll close more gaps in a week than most organizations close in a year.