Enterprise Networking Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.
Multi-factor authentication (MFA) is of paramount importance for every business today, especially because cyberattacks are increasingly sophisticated and target organizations of all sizes. The key factor that often distinguishes between protecting your sensitive data and suffering a costly breach is MFA.
Even so, it may not always be clear what the best use for MFA might be — in other words, when it’s helpful or even necessary, and when it’s not. After all, too much dependence on complex login processes for every single app and website can start to cut into employee productivity and morale.
To help you get a better sense of where and how to use MFA in your organization — as well as which type of MFA works best — here are seven examples of MFA use cases you might encounter in the workplace.
Table of Contents
1. Logging into a company bank account
Imagine you work for a company with an online bank account. You typically access it using a username and password. One day, you receive an email that appears to be from your bank, requesting you to click a link and verify your account details. Believing it’s legitimate, you click the link and enter your login information, unaware it’s a phishing attack.
Actually, a hacker sent the email aiming to steal your password. Now, they have it, granting them access to your account.
This scenario illustrates how hackers can gain access to your password and compromise your accounts. That’s where MFA comes in. It ensures that you are genuinely you when signing in by requiring something in addition to your password, such as your phone, a card, or your fingerprint. This added security makes it significantly more difficult for unauthorized individuals to hack into your account, and safeguards your company’s finances and data from potential hackers.
Recommended MFA tool: Authenticator apps
All MFA tools help to improve security, but some types are better suited for certain situations than others.
For instance, for logging into a company bank account, authenticator apps like Google Authenticator, LastPass Authenticator, Microsoft Authenticator, or Authy are a great choice.
On the other hand, physical keys are not the best option.
| Recommended MFA tool: Authenticator apps | Not recommended: Physical keys |
|---|---|
| • Provide a balanced combination of security and convenience. | • More hassle than they are worth for bank account logins. |
| • Easy to set up and use, and suitable for most devices and services. | • Require carrying an extra device at all times. |
| • Offer protection against phishing and account takeover attacks. | • May not work with all banks or devices. |
| • Pose a risk of losing access to accounts if the key is lost or damaged. |
2. Logging into a company customer database
Let’s say you work for a reputable insurance company that relies heavily on its customer database. This database contains extensive policyholder information, including personal details and financial records. One day, a hacker gains access to an employee’s login credentials through a sophisticated phishing attack.
The attacker steals credentials and logs in, creating a single point of vulnerability. They can then manipulate or steal sensitive customer data. This unauthorized access risks customer privacy and exposes the company to data breaches, financial losses, and regulatory penalties.
The cybercriminal can also use the data to impersonate policyholders and carry out fraudulent transactions, harming both customers and the company’s reputation. MFA is essential to safeguard customer databases in this situation.
Recommended MFA tool: Physical keys
While any form of MFA is better than none, it’s important to choose the most secure and practical option based on your organization’s specific needs and capabilities.
Physical keys such as Yubico Security Keys are the most ideal MFA tool for securing customer databases, while SMS- and voice-call-based MFAs might not be as reliable.
| Recommended MFA tool: Physical keys | Not recommended: SMS and voice-based MFA |
|---|---|
| • 100% effective at preventing account takeovers due to automated bots, bulk phishing, and targeted attacks, according to Google Security Blog. | • SMS and voice calls transmit information in cleartext, making it easily interceptable. |
| • Difficult to intercept because attackers need both compromised credentials and physical access to the user’s device. | • Attackers can use techniques and tools like software-defined radios, FEMTO cells, or SS7 intercept services to intercept calls. |
| • Requires authentication with a physical device that’s difficult to steal or duplicate. | • Vulnerable to SIM swapping attacks where attackers trick phone network employees. |
| • Plug-and-play functionality simplifies the MFA process, providing quick access to resources. | • Susceptible to changing regulations, downtimes, and performance issues affecting availability. |
3. Accessing CRM software
Suppose you are a marketing manager using a CRM like Salesforce to track customer interactions. You store valuable information about your customers, such as their demographics, interests, and feedback, to create targeted campaigns and improve customer satisfaction.
One day, you download a file infected with a keylogger by mistake. The malicious software records everything you type on your keyboard, including your passwords and other confidential information.
If the hacker has a keylogger on your device, they can capture your Salesforce login credentials and use them to access your customer data. They can also spy on your activities and steal other sensitive information from your device.
However, if you have activated MFA, the hacker cannot log in to your CRM account with just your password. They need another verification factor, preventing them from accessing your customer data and protecting your device from further damage.
Recommended MFA tool: Salesforce Authenticator
Authentication apps, particularly Salesforce Authenticator, are your best bet in this scenario. Salesforce Authenticator is a frictionless solution that makes MFA verification easy via simple push notifications that integrate into your Salesforce login process.
Out of all the MFA examples, though, security questions are not the most effective choice of defense for accessing CRM platforms.
| Recommended MFA tool: Salesforce Authenticator app | Not recommended: Security questions |
|---|---|
| • Push notifications enable fast access and reduce manual input into your keyboard that is vulnerable to keyloggers. | • Predictability of personal information. |
| • Automates authentication only from trusted locations. | • Keyloggers can capture the answers when you set up the security questions or when you enter them for authentication. |
| • Has offline time-based one-time passwords (TOTPs) that allow you to log in to your accounts without an internet connection. | • Have a static nature that makes them more vulnerable if they are compromised. |
| • TOTPs expire quickly, making it harder for a keylogger to exploit. | • Users may forget their answers over time, especially if they don’t use the security questions frequently. |
4. Logging into HR software
Picture yourself as an HR manager working for a company utilizing intranet software for managing employee information, payroll, benefits, and performance reviews. You log into the system with your username and password, granting access to employee personal information, salaries, bank accounts, and tax forms.
You receive an email that seems to originate from your IT department, urging you to update your password due to a security issue. Trusting this email, you click the link and enter your current and new passwords.
Unbeknownst to you, this is an email phishing attempt, and the link directs you to a counterfeit website that captures your login credentials. The hacker who sent the email now possesses your username and password, gaining the ability to log in to your intranet as if they were you.
The hacker can carry out various actions that could harm your company and its employees. They might steal or leak confidential data, manipulate payroll or benefits information, tamper with performance reviews, or even impersonate you to send malicious emails to other staff members. This could result in financial losses, legal liabilities, or reputational damage.
With MFA enabled for your intranet account, the hacker can’t log in as you with just your username and password. Unless they also have access to other verification factors, the system will block them from getting into your account.
Recommended MFA tool: Biometric verification
Biometric verification is highly secure and convenient, as it uses your unique physical or behavioral characteristics to verify your identity. Furthermore, you do not need to remember or enter any codes or carry any extra devices, making it convenient for quick logins. There are many providers facilitating highly secure MFA options, including biometric verification, namely 1Password, Nordpass, and Bitwarden.
For this scenario, SMS-based MFAs are not the most secure choice. There are several vulnerabilities associated with SMS-based MFA, including lack of encryption, network outages, SS7 attacks, social engineering, and SIM-swapping.
| Recommended MFA tool: Biometric authentication | Not recommended: SMS-based MFA |
|---|---|
| • Secure and convenient. | • Prone to network-related issues in some areas. |
| • Uses unique physical or behavioral characteristics for identity verification. | • Vulnerable to SIM swapping attacks and phishing scams. |
| • Eliminates the need to remember or enter codes. | • Less secure due to potential interception risks. |
| • No extra devices to carry. |
5. Accessing proprietary software
Proprietary software often contains valuable information, such as trade secrets and intellectual property, which must remain secure from unauthorized access.
Consider the scenario of a software engineer working on a project utilizing GitHub, a platform for code collaboration, management, and application deployment. If the engineer only uses a username and password to access GitHub, a hacker could potentially jeopardize these credentials through phishing, keylogging, or credential stuffing. Subsequently, the hacker could gain entry to the engineer’s code repository, leading to potential consequences like data theft, code manipulation, or malicious alterations.
However, MFA greatly complicates the hacker’s attempts to impersonate the engineer and access their GitHub account by requiring the security key, the engineer’s phone, or access to their authentication app. MFA serves as a deterrent to this form of attack, safeguarding access to proprietary software and preserving integrity.
Recommended MFA tool: Security keys
Physical security keys are recommended MFA tools in this scenario due to their superior security capabilities with support for multiple forms of authentication, including universal second factor (U2F) and the FIDO2 standard.
MFA tools that do not support open standards, such as TOTPs, are the least effective tools for this situation.
| Recommended MFA tool: Security Keys | Not recommended: MFA not supporting open standards |
|---|---|
| • Resistant to phishing attacks and credential theft. | • Relies on OTP tokens, which are not as secure as some alternatives. |
| • Requires physical interaction for authentication. | • Vulnerable to phishing attacks, especially when compared to FIDO2/WebAuthn-based methods. |
| • Added convenience due to quick physical action (e.g., inserting the key) instead of entering codes or security questions. | • Lacks support for open standards like FIDO2/WebAuthn. |
| • No dependence on mobile networks. | • May not meet strong security and compliance requirements. |
| • Supports open standards such as FIDO2/WebAuthn. | |
| • Facilitates passwordless or PIN-based authentication. | |
| • Helps meet regulatory requirements for strong authentication and data protection. | |
| • Particularly relevant for proprietary software and sensitive code repositories. |
6. Remote access
In this situation, your healthcare organization banks heavily on remote access for doctors and administrative staff to access patient records and medical systems. An attacker, impersonating a trusted source like a colleague or a medical association, sends a malicious email to one of your doctors. The email contains a fake login page closely resembling your organization’s remote access portal.
Without the protection of MFA, if the doctor falls prey to this phishing attack and unknowingly inputs their username and password, the attacker gains unauthorized access to sensitive patient data and medical systems. This breach has the potential to result in violations of patient confidentiality, legal liabilities, and harm to your organization’s reputation.
However, with MFA activated, even if the attacker acquires the doctor’s login credentials, they will be unable to access the system without the additional authentication factor, for instance, biometric factors such as fingerprint.
Recommended MFA tool: Fingerprint
We highly recommend fingerprint scanning as a reliable authentication method for securing remote access in healthcare settings. It provides an excellent and user-friendly solution for safeguarding sensitive patient data and maintaining compliance.
Using email-based MFA is not recommended because it can cause security delays and inconvenience to users.
| Recommended MFA tool: Fingerprint | Not recommended: Email-based MFA |
|---|---|
| • Fingerprint patterns are unique, making replication virtually impossible. | • Introduces potential delays in the authentication process. |
| • Ensures non-repudiation and the integrity of healthcare records. | • Users may need to switch to their email application to retrieve codes or links. |
| • Quick and user-friendly method with no code memorization required. | • Inconvenient, especially in time-sensitive healthcare situations. |
| • Seamlessly integrates into devices and promotes hygiene in infection-sensitive environments. | |
| • Aligns with healthcare regulations, like HIPAA. | |
| • Cost-effective once the initial hardware is in place. | |
| • Reduces the risk of unauthorized access, as fingerprints can’t be forgotten or stolen. |
7. Accessing cloud-based services
Your company utilizes cloud-based collaboration tools similar to Microsoft 365 or Google Workspace for email communication, document sharing, and project management. In this scenario, the threat is a brute force or password-guessing attack.
If the attacker gains access to a list of usernames (possibly through a data breach elsewhere) and attempts to guess passwords, they can potentially put accounts that do not have MFA enabled at risk. The likelihood of the attacker’s success increases when many users reuse passwords across multiple services.
By enabling MFA, you can protect your account more effectively. MFA counters brute force attacks and prevents unauthorized access, even when someone compromises your passwords. An attacker cannot access your account without the additional factors that only you have, such as a smartphone with a time-based authentication code.
Recommended MFA tool: Phishing-resistant MFA
In the case of cloud-based collaboration tools, we recommend app-based authentication using TOTP or tokens. You may also want to consider an enterprise password manager like 1Password, Dashlane, or Keeper. Be careful, though: avoid using app-based authentication that relies only on push notifications without number matching, as they are less secure and vulnerable to phishing and push-bombing attacks, where an attacker repeatedly sends push requests until the user clicks accept.
| Recommended MFA tool: TOTP and token-based apps | Not recommended: Push notifications without number matching |
|---|---|
| • Utilizes advanced biometric authentication, hardware tokens, or push notification methods, making it difficult for attackers to impersonate users or access their accounts. | • No verification step after user accepts the prompt, leaving room for user error. |
| • Effectively defends against password spraying and brute force attacks by distinguishing between real and fake domains created by attackers and cryptographically binding the authenticator to the domain. | • Vulnerable to phishing, spoofing, and push bombing. |
| • Guards against attacks based on credential leakage from third-party websites (password stuffing). | • Ineffective against advanced attack techniques like reverse-proxy-based frameworks. |
Bottom Line: MFA is a universal need for cybersecurity in any industry
Organizations can enforce using different MFA methods, such as SMS codes, email links, biometrics, or hardware tokens. By implementing multiple MFA examples, your business can enhance its network security, comply with regulations, and improve customer trust.
MFA can also bring many benefits to businesses in terms of cost savings, customer loyalty, and competitive advantage. Additionally, MFA can increase customer trust and satisfaction, as they feel more secure and confident when using your services or products.
Finally, it can give you an edge over your competitors by demonstrating your commitment to protecting your customers’ data and privacy. Enforcing MFA across your organization can differentiate you from the crowd and gain a positive reputation in the market.
Ready to start using MFA? Read our MFA setup guide that walks you through getting started on some of the most common platforms.
