Cybersecurity insights from industry experts.

Is MFA the Vegetable of Cybersecurity?

Multifactor authentification is crucial for creating a healthy cybersecurity posture, but many companies are slow to adopt.

Andrea Fisher, Security Specialist, Microsoft

December 1, 2022

3 Min Read
Photo of two unhappy little boys refusing to eat their vegetables at the dinner table
Source: Panther Media GmbH via Alamy Stock Photo

Like it or not, vegetables are good for us. They reduce our risk of chronic diseases and deliver the vitamins our bodies need. And yet the CDC reports that only 10% of American adults eat enough veggies — even though they likely know they should. 

Companies are the same when it comes to security.

There are 921 password attacks every second — almost double what we saw a year ago. Basic security hygiene like multifactor authentication (MFA) can protect against 98% of attacks, but most companies aren't using it. Enabling MFA adds another layer of protection to prevent threat actors from accessing internal networks. But if strengthening a company’s cybersecurity posture is as easy as enabling MFA, it begs the question: Why won’t companies eat their vegetables?

What’s Stopping Companies From Enabling MFA?

Although every enterprise is different, the reasons they don’t deploy MFA boil down to a few common trends.

  • MFA costs too much: Security team resources are already limited, so adding an additional tool to their portfolios can be a tough sell. Luckily, some security providers offer MFA for free as part of their security defaults. Security defaults were created to make managing security a little easier. The goal is to ensure that all organizations have at least a basic level of security enabled at no extra cost.

  • They think their users will hate MFA: Users want to be productive wherever and whenever they are working without sacrificing their organization’s security. Conditional access is one modern approach to MFA. Instead of prompting a user for a second factor every time they authenticate, security programs can look at several different elements to determine whether something has changed or is unusual about this user before prompting them. It looks at things like where the user is signing in from, whether their device is healthy, and if there’s any suspicious behavior — for example, if the user typically signs in from France and someone tries to sign in with their credentials from Seattle at the same time, something is definitely wrong.

End users can also choose how they want to supply the second factor when they do get a prompt. No fancy equipment is required. Users can choose something as simple as an SMS message or phone call, though we recommend stronger authentication methods like an app or specific security key. They can even have multiple devices that use different methods for different environments and have backup devices in case they lose one or forget one at home.

MFA’s Too Hard to Deploy

Another reason enterprises give for not implementing MFA is that it’s too difficult to deploy. However, organizations can leverage conditional access policies to protect cloud implementations, as opposed to relying on a physical server or software.

We’ve recently added conditional access templates to make configuring the policies even easier. Security teams can quickly create a new policy from any of the 14 built-in templates. They help companies provide maximum protection for their users and devices and align with the most commonly used policies. These include things like “Require multifactor authentication for admin” or “Require password change for high-risk users.” Cloud service providers often offer a list of recommended policies, and organizations can target conditional access policies to a specific set of users, apps, or devices to easily deploy different policies at scale.

Ultimately, an enterprise must be able to protect its own operations — and its users — from ongoing cybersecurity threats. Enabling MFA is just one tool in a security team’s kit.

Read more Partner Perspectives from Microsoft.

Read more about:

Partner Perspectives

About the Author

Andrea Fisher

Security Specialist, Microsoft

Andrea Fisher has been a security specialist at Microsoft for over 10 years and in the IT field for more than 25 years. She graduated from the University of South Florida and has a masters in creative writing from the University of Southern Maine. She currently lives in Tampa, Fla., and spends too much time watching Netflix and reading sci-fi novels.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights