In September 2023, MGM Resorts lost an estimated $100 million after a threat actor social-engineered a help desk employee into resetting credentials — for an account that lacked robust secondary verification. One phone call. One bypassed identity check. Nine-figure damage. If you've ever wondered what multi-factor authentication is and whether it actually matters, that single incident should settle the debate.

This post breaks down exactly how MFA works, why attackers specifically target organizations that skip it, and the practical steps you need to deploy it without driving your employees crazy. Whether you're an IT director or a small business owner who just got a cyber insurance renewal questionnaire, this is the guide you need right now.

What Is Multi-Factor Authentication, Exactly?

Multi-factor authentication requires a user to prove their identity using at least two distinct categories of evidence before granting access. Those categories are something you know (a password), something you have (a phone or hardware token), and something you are (a fingerprint or face scan).

A password alone is single-factor. Adding an SMS code makes it two-factor. Adding a biometric scan on top of that makes it three-factor. The key principle: compromising one factor shouldn't give an attacker the keys to the kingdom.

Here's what actually matters in practice — the factors must come from different categories. Two passwords aren't MFA. A password plus a security question isn't MFA either, because both are "something you know." I've seen organizations make this mistake more often than you'd think.

The $4.45M Reason You Can't Ignore MFA

According to IBM's 2023 Cost of a Data Breach Report, the global average cost of a data breach hit $4.45 million. Stolen or compromised credentials remained the most common initial attack vector, responsible for 16% of breaches — and those breaches took the longest to identify and contain, averaging 328 days.

Microsoft's own research has consistently shown that MFA blocks over 99.9% of automated credential attacks. That statistic alone should end every budget conversation about whether MFA is worth implementing.

The Cybersecurity and Infrastructure Security Agency (CISA) lists MFA as one of its top recommendations for every organization, regardless of size. It's not optional guidance — it's the baseline.

Credential Theft Is an Industry Now

The Verizon 2023 Data Breach Investigations Report found that 74% of all breaches involved the human element — social engineering, errors, or misuse. Phishing remains the primary delivery mechanism for credential theft, and attackers have industrialized it. You can buy stolen credential sets on dark web marketplaces for a few dollars per account.

Without MFA, a single successful phishing email gives a threat actor direct access to your systems. With MFA, that stolen password becomes useless on its own. That's the difference between a minor security event and a reportable data breach.

The Five Types of MFA You'll Actually Encounter

1. SMS and Voice Codes

The most common form. You log in with your password, then receive a one-time code via text or phone call. It works, but it's the weakest MFA option. SIM-swapping attacks — where an attacker convinces your carrier to port your number — can intercept these codes. The MGM breach involved social engineering at this exact layer.

2. Authenticator Apps

Apps like Microsoft Authenticator or Google Authenticator generate time-based one-time passwords (TOTP) that rotate every 30 seconds. These are significantly harder to intercept than SMS codes because they never travel over a phone network. I recommend these as the minimum standard for most organizations.
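To show what an authenticator app is actually doing every 30 seconds, here is an added example of the TOTP algorithm (RFC 6238 on top of HOTP, RFC 4226) with the server-side verification a login service should perform. This is my own illustration, not code from Microsoft, Google, or any authenticator product; the base32 secret in the demo is a constructed placeholder, and the numeric test values are the RFCs' published vectors.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the number of `step`-second periods since the epoch.
    Both sides only need the shared secret and a roughly correct clock; nothing crosses a phone network."""
    return hotp(secret, unix_time // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Enrolment QR codes (otpauth:// URIs) carry the shared secret as unpadded base32."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int = -1,
                step: int = 30, window: int = 1, digits: int = 6):
    """Server-side check. Returns the accepted counter, or None.
    - constant-time comparison, so response timing reveals nothing about the code
    - +/- `window` steps of tolerance for clock drift between phone and server
    - any counter at or below the last accepted one is refused, so a captured code
      cannot be replayed inside the window (the caller persists the returned counter)
    """
    if len(code) != digits or not code.isdigit():
        return None
    base = unix_time // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    import time
    # Constructed demo secret (the base32 of "Hello!\xde\xad\xbe\xef"), not a real enrolment.
    secret = secret_from_base32("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code)
    accepted = verify_totp(secret, code, now)
    print("accepted at counter:", accepted)
    print("replay of same code:", verify_totp(secret, code, now, last_counter=accepted))
```

The replay check is the part most home-grown implementations forget: a six-digit code is valid for the whole 30-second step plus the drift window, so a service that does not remember the last accepted counter will happily accept the same code twice.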

3. Push Notifications

Your phone displays a prompt asking "Did you just try to sign in?" and you tap Approve or Deny. Fast and user-friendly, but vulnerable to "MFA fatigue" attacks — where an attacker bombards you with push requests at 3 a.m. until you tap Approve just to make it stop. The 2022 Uber breach exploited exactly this technique.

4. Hardware Security Keys

Physical devices like YubiKeys that plug into USB or tap via NFC. They use the FIDO2/WebAuthn standard and are phishing-resistant by design — each credential is bound to the domain that registered it, and the signed response includes the origin the browser actually loaded, so a fake login page on another domain gets nothing the real site will accept. Google reported zero successful phishing attacks against its 85,000+ employees after deploying hardware keys.

5. Biometrics

Fingerprint scanners, facial recognition, iris scans. These work well as a local device unlock (your phone's Face ID, for example) but are rarely used as a standalone network authentication factor. They're typically combined with another factor — your fingerprint unlocks the authenticator app on your phone, which then generates the code.

Which MFA Method Should Your Organization Use?

This depends on your threat model, but here's my straightforward guidance based on what I've seen work across hundreds of deployments:

  • Minimum viable MFA: Authenticator apps for all employees. This stops the vast majority of automated and opportunistic attacks.
  • High-value accounts (admins, executives, finance): Hardware security keys. These roles are specifically targeted by sophisticated threat actors, and phishing-resistant MFA is the only appropriate control.
  • Avoid if possible: SMS-only MFA. It's better than nothing, but it's a known-weak control. If your cyber insurer asks about your MFA and you say "SMS only," expect follow-up questions.

A zero trust security model assumes no user or device is inherently trustworthy, and MFA is foundational to that architecture. You can't claim zero trust if your admin accounts are protected by a password and a text message.

How Attackers Bypass MFA — and How to Stop Them

MFA isn't a silver bullet. Sophisticated threat actors have developed specific techniques to beat it. Understanding these matters more than the technology itself.

Adversary-in-the-Middle (AiTM) Phishing

An attacker sets up a proxy site that sits between you and the real login page. You enter your password and MFA code into the fake site, which instantly relays both to the real site and captures your authenticated session token. The attacker doesn't need your password again — they have your session.

Defense: Hardware security keys using FIDO2 are immune to this because the signed response is bound to the real domain; an assertion produced on a lookalike site fails verification at the legitimate service. Authenticator apps are vulnerable because a TOTP code is just six digits that the proxy can forward unchanged. Conditional access policies that check device compliance also help.
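The origin binding described in the hardware-key section and in the AiTM defense above is easiest to believe when you can see the relying-party checks fail. The following is an added example, my own and not code from the FIDO Alliance or any WebAuthn library: it models the browser building clientDataJSON, the key signing over authenticatorData and the clientData hash, and the relying party running the assertion-verification checks in the order the WebAuthn specification lists them. The RP identity, expected origin and proxy hostname are constructed placeholders, and HMAC with a per-credential key stands in for the ECDSA signature a real FIDO2 key would produce; the binding it demonstrates is the same.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Constructed relying party (RP) for this example; both values are placeholders.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def browser_client_data(challenge: bytes, page_origin: str) -> bytes:
    """clientDataJSON as the browser builds it. The browser fills in `origin` from the page it
    actually loaded; page scripts (and therefore a phishing proxy) cannot override it."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                       "origin": page_origin}, separators=(",", ":")).encode()


def browser_rp_id_for(page_origin: str) -> str:
    """A page may only use an rpId equal to its own effective domain (or a registrable parent);
    a proxy served from another domain cannot ask the browser for the real RP's id."""
    return page_origin.split("://", 1)[1]


def authenticator_assert(cred_key: bytes, rp_id: str, client_data: bytes, counter: int):
    """authenticatorData = rpIdHash || flags || signCount; the signature covers
    authenticatorData || sha256(clientDataJSON). HMAC stands in for ECDSA here."""
    auth_data = sha256(rp_id.encode()) + bytes([0x01]) + struct.pack(">I", counter)
    sig = hmac.new(cred_key, auth_data + sha256(client_data), hashlib.sha256).digest()
    return auth_data, sig


def rp_verify(cred_key: bytes, challenge: bytes, client_data: bytes, auth_data: bytes,
              sig: bytes, last_counter: int) -> str:
    """RP-side assertion checks in spec order. Returns "ok" or the first failing check."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if cd.get("challenge") != challenge.hex():
        return "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != sha256(RP_ID.encode()):
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user presence flag not set"
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if sign_count <= last_counter:
        return "sign counter did not increase"
    expected = hmac.new(cred_key, auth_data + sha256(client_data), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "bad signature"
    return "ok"


def run_ceremony(page_origin: str, cred_key: bytes, counter: int = 1, last_counter: int = 0,
                 proxy_rewrites: bool = False) -> str:
    """One login: the RP issues a challenge, the browser on `page_origin` builds clientData,
    the key signs, the RP verifies. With proxy_rewrites=True an in-path proxy patches the
    origin and rpIdHash to the real values before relaying, which only breaks the signature."""
    challenge = secrets.token_bytes(32)
    client_data = browser_client_data(challenge, page_origin)
    auth_data, sig = authenticator_assert(cred_key, browser_rp_id_for(page_origin),
                                          client_data, counter)
    if proxy_rewrites:
        cd = json.loads(client_data)
        cd["origin"] = EXPECTED_ORIGIN
        client_data = json.dumps(cd, separators=(",", ":")).encode()
        auth_data = sha256(RP_ID.encode()) + auth_data[32:]
    return rp_verify(cred_key, challenge, client_data, auth_data, sig, last_counter)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    proxy = "https://login.example.com.proxy.example.net"  # constructed AiTM proxy origin
    print("real site            :", run_ceremony(EXPECTED_ORIGIN, key))
    print("proxied site         :", run_ceremony(proxy, key))
    print("proxy patches fields :", run_ceremony(proxy, key, proxy_rewrites=True))
```

Compare this with a TOTP code: there is no field in a six-digit code that names the site the user typed it into, which is exactly why a relay proxy works against authenticator apps and not against FIDO2 keys.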

MFA Fatigue (Push Bombing)

The attacker already has your password (from a previous data breach or phishing) and triggers dozens of push notifications until you accidentally or deliberately approve one.

Defense: Use number-matching push notifications, which require you to type a displayed number rather than just tapping Approve. Microsoft Entra ID and other identity providers now support this. Also, train your employees to report unexpected MFA prompts immediately.
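Number matching stops the user from approving blindly, but the security team should also see a push-bombing attempt while it is happening. Here is an added detection example, my own rather than anything shipped by Microsoft Entra ID or another identity provider: it reads a constructed MFA event log (the format is invented for this post, not a real product's schema), flags any user who receives a burst of push prompts inside a short window, and raises the severity when an approval lands during that burst, which is the signal worth paging on.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample of identity-provider MFA events for this example, not a real log.
# Format: <timestamp> <user> <event> <source_ip>
SAMPLE_LOG = """\
2024-03-02T03:11:02Z alice push_sent 203.0.113.7
2024-03-02T03:11:05Z alice push_denied 203.0.113.7
2024-03-02T03:11:40Z alice push_sent 203.0.113.7
2024-03-02T03:12:15Z alice push_sent 203.0.113.7
2024-03-02T03:12:50Z alice push_sent 203.0.113.7
2024-03-02T03:13:30Z alice push_sent 203.0.113.7
2024-03-02T03:14:05Z alice push_sent 203.0.113.7
2024-03-02T03:14:20Z alice push_approved 203.0.113.7
2024-03-02T09:00:10Z bob push_sent 198.51.100.23
2024-03-02T09:00:25Z bob push_approved 198.51.100.23
"""


def parse_events(text: str):
    """Parse log lines into (timestamp, user, event, ip) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, user, event, ip))
    events.sort()
    return events


def detect_push_bombing(text: str, threshold: int = 5, window: timedelta = timedelta(minutes=10)):
    """Sliding-window detector.
    medium: `threshold` or more push prompts to one user inside `window`
    high:   an approval arrives while that burst is still open
    Returns alerts in the order they fire."""
    recent = defaultdict(deque)  # user -> timestamps of push_sent still inside the window
    burst_open = set()           # users currently inside a flagged burst
    alerts = []
    for when, user, event, ip in parse_events(text):
        prompts = recent[user]
        while prompts and when - prompts[0] > window:
            prompts.popleft()
        if not prompts:
            burst_open.discard(user)  # window drained, the burst is over
        if event == "push_sent":
            prompts.append(when)
            if len(prompts) >= threshold and user not in burst_open:
                burst_open.add(user)
                alerts.append({"user": user, "severity": "medium", "at": when.isoformat(),
                               "reason": f"{len(prompts)} push prompts within {window}"})
        elif event == "push_approved" and user in burst_open:
            alerts.append({"user": user, "severity": "high", "at": when.isoformat(),
                           "reason": f"approval during push burst, source {ip}"})
            burst_open.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["user"], alert["at"], alert["reason"])
```

In a real SOC this logic would run over the identity provider's exported sign-in or authentication-method events; the fields to map are the same four shown here. The threshold is deliberately a parameter, since the right value depends on how often your users legitimately re-authenticate.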

Social Engineering the Help Desk

Why hack MFA when you can just call IT and ask them to reset it? This is exactly what happened at MGM. The attacker impersonated an employee, convinced the help desk to reset MFA, and walked right in.

Defense: Implement strict identity verification procedures for MFA resets. Require a callback to a known number, a video verification, or an in-person visit for privileged accounts. Your security awareness training needs to cover the help desk specifically — they're a high-value target. Our cybersecurity awareness training platform includes modules that address this exact scenario.

Deploying MFA Without Losing Your Mind (or Your Users)

I've watched MFA rollouts fail not because of technology but because of change management. Here's the playbook that works.

Step 1: Inventory Your Applications

List every application your organization uses that supports MFA. Prioritize email, VPN, cloud storage, financial systems, and admin consoles. Start with the highest-risk systems.

Step 2: Choose Your Identity Provider Wisely

Centralize authentication through a single identity provider (Microsoft Entra ID, Okta, etc.) and enforce MFA at that layer. This is far easier to manage than enabling MFA application by application.

Step 3: Communicate Before You Enforce

Give employees two weeks' notice, clear enrollment instructions with screenshots, and a help desk escalation path. I've seen rollouts go sideways because IT flipped the switch on a Friday afternoon with no warning. Don't be that team.

Step 4: Start with a Pilot Group

Deploy to IT staff first. Then expand to executives and finance. Then all employees. Each wave gives you a chance to identify issues before they become organization-wide problems.

Step 5: Pair MFA with Phishing Training

MFA protects accounts, but it doesn't teach employees to recognize social engineering. You need both. Running regular phishing simulations alongside your MFA rollout reinforces why these controls exist. Our phishing awareness training for organizations is designed to run in parallel with technical deployments like MFA, so employees understand the threats they're being protected against.

Step 6: Monitor and Enforce

Use your identity provider's reporting to track enrollment rates. Set a hard deadline: after a specific date, accounts without MFA get blocked. No exceptions for executives — they're the most targeted people in your organization.

What About Personal Accounts?

Everything in this post applies to your personal life too. Enable MFA on your email, banking, and social media accounts today. According to the FBI's Internet Crime Complaint Center (IC3), business email compromise and personal account takeover consistently rank among the most financially damaging cybercrimes reported each year.

Your personal email is often the recovery address for your work accounts. If an attacker compromises your personal Gmail because it only has a password, they can potentially pivot to your corporate identity. MFA everywhere isn't paranoia — it's hygiene.

MFA and Compliance: What Regulators Expect in 2024

If you operate in a regulated industry, MFA isn't just a best practice — it's a requirement. Here's where things stand:

  • HIPAA: The HHS has signaled that MFA is an expected access control for electronic protected health information (ePHI).
  • PCI DSS 4.0: Requires MFA for all access to the cardholder data environment, effective March 2025, but organizations should be implementing now.
  • FTC Safeguards Rule: Requires MFA for anyone accessing customer financial information — applies to a broader range of businesses than most people realize.
  • Cyber Insurance: Nearly every cyber insurance questionnaire in 2024 asks specifically about MFA on email, VPN, and admin accounts. Answering "no" will either increase your premium or get you declined.

The NIST Digital Identity Guidelines (SP 800-63B) provide the technical framework that most of these regulations reference. If you want to understand the standard that regulators use to evaluate your MFA implementation, start there.

The Bottom Line: MFA Is the Highest-ROI Security Control You Can Deploy

After twenty-plus years in this industry, I've never seen a single control that provides as much risk reduction per dollar spent as multi-factor authentication. It won't stop every attack. A determined adversary with enough time and resources can find ways around it. But it eliminates the easy wins — and most attackers are looking for easy wins.

Deploy MFA across every account in your organization. Pair it with security awareness training so your people understand why they're being asked to change their habits. Use phishing-resistant methods for your highest-risk accounts. And monitor enrollment like your job depends on it — because increasingly, it does.

Start with the basics. Get authenticator apps on every employee's phone this month. Then build toward hardware keys for your admins. Every step forward shrinks your attack surface in a measurable, provable way. That's not theory — that's what I've seen work in the real world, over and over again.