<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en-GB">
	<id>https://knowledgebase.pirho.net/index.php?action=history&amp;feed=atom&amp;title=Multi-Factor_Authentication_%28MFA%29</id>
	<title>Multi-Factor Authentication (MFA) - Revision history</title>
	<link rel="self" type="application/atom+xml" href="https://knowledgebase.pirho.net/index.php?action=history&amp;feed=atom&amp;title=Multi-Factor_Authentication_%28MFA%29"/>
	<link rel="alternate" type="text/html" href="https://knowledgebase.pirho.net/index.php?title=Multi-Factor_Authentication_(MFA)&amp;action=history"/>
	<updated>2026-07-11T14:06:39Z</updated>
	<subtitle>Revision history for this page on the wiki</subtitle>
	<generator>MediaWiki 1.43.0</generator>
	<entry>
		<id>https://knowledgebase.pirho.net/index.php?title=Multi-Factor_Authentication_(MFA)&amp;diff=425&amp;oldid=prev</id>
		<title>Dex: Created page with &quot;&#039;&#039;&#039;Summary:&#039;&#039;&#039; Multi-Factor Authentication (MFA) is a security mechanism that requires users to present two or more independent forms of authentication before access is granted. MFA significantly reduces the risk of compromise caused by stolen passwords and has become a fundamental component of modern identity and access management strategies.  == Context ==  For many years, usernames and passwords were the primary method of authentication. While simple and widely suppor...&quot;</title>
		<link rel="alternate" type="text/html" href="https://knowledgebase.pirho.net/index.php?title=Multi-Factor_Authentication_(MFA)&amp;diff=425&amp;oldid=prev"/>
		<updated>2026-07-06T06:39:27Z</updated>

		<summary type="html">&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039; Multi-Factor Authentication (MFA) is a security mechanism that requires users to present two or more independent forms of authentication before access is granted. MFA significantly reduces the risk of compromise caused by stolen passwords and has become a fundamental component of modern identity and access management strategies.  == Context ==  For many years, usernames and passwords were the primary method of authentication. While simple and widely suppor...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
Multi-Factor Authentication (MFA) is a security mechanism that requires users to present two or more independent forms of authentication before access is granted. MFA significantly reduces the risk of compromise caused by stolen passwords and has become a fundamental component of modern identity and access management strategies.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
For many years, usernames and passwords were the primary method of authentication. While simple and widely supported, passwords alone suffer from numerous weaknesses including phishing, password reuse, credential stuffing, brute force attacks, and accidental disclosure.&lt;br /&gt;
&lt;br /&gt;
MFA addresses these weaknesses by requiring additional evidence that the user is who they claim to be.&lt;br /&gt;
&lt;br /&gt;
A successful MFA implementation can greatly reduce the likelihood that a compromised password alone will result in unauthorized access.&lt;br /&gt;
&lt;br /&gt;
=== Real-World Usage ===&lt;br /&gt;
&lt;br /&gt;
MFA is commonly used for:&lt;br /&gt;
&lt;br /&gt;
* Microsoft 365&lt;br /&gt;
* Cloud services&lt;br /&gt;
* Virtual Private Networks (VPNs)&lt;br /&gt;
* Remote Desktop Services (RDS)&lt;br /&gt;
* Administrative accounts&lt;br /&gt;
* Banking platforms&lt;br /&gt;
* Customer portals&lt;br /&gt;
* Privileged infrastructure access&lt;br /&gt;
&lt;br /&gt;
=== Common Misconceptions ===&lt;br /&gt;
&lt;br /&gt;
* MFA makes systems impossible to compromise.&lt;br /&gt;
* MFA only applies to cloud platforms.&lt;br /&gt;
* SMS-based MFA is always secure.&lt;br /&gt;
* MFA eliminates the need for strong passwords.&lt;br /&gt;
* MFA is only required for administrators.&lt;br /&gt;
&lt;br /&gt;
In reality, MFA significantly increases security but remains one layer within a broader defence strategy.&lt;br /&gt;
&lt;br /&gt;
=== Typical Failure Points ===&lt;br /&gt;
&lt;br /&gt;
* Users enrolling incorrect devices.&lt;br /&gt;
* Lost or replaced mobiles.&lt;br /&gt;
* Poor recovery procedures.&lt;br /&gt;
* Legacy applications that cannot perform modern authentication.&lt;br /&gt;
* Overreliance on SMS authentication.&lt;br /&gt;
* MFA fatigue attacks.&lt;br /&gt;
&lt;br /&gt;
== Core Concepts ==&lt;br /&gt;
&lt;br /&gt;
=== Authentication Factors ===&lt;br /&gt;
&lt;br /&gt;
Authentication factors are traditionally divided into categories:&lt;br /&gt;
&lt;br /&gt;
==== Something You Know ====&lt;br /&gt;
&lt;br /&gt;
Knowledge-based factors include:&lt;br /&gt;
&lt;br /&gt;
* Passwords&lt;br /&gt;
* PIN numbers&lt;br /&gt;
* Security phrases&lt;br /&gt;
&lt;br /&gt;
==== Something You Have ====&lt;br /&gt;
&lt;br /&gt;
Possession-based factors include:&lt;br /&gt;
&lt;br /&gt;
* Mobile authentication applications&lt;br /&gt;
* Hardware tokens&lt;br /&gt;
* Smart cards&lt;br /&gt;
* FIDO2 security keys&lt;br /&gt;
&lt;br /&gt;
==== Something You Are ====&lt;br /&gt;
&lt;br /&gt;
Biometric factors include:&lt;br /&gt;
&lt;br /&gt;
* Fingerprints&lt;br /&gt;
* Facial recognition&lt;br /&gt;
* Iris recognition&lt;br /&gt;
* Voice recognition&lt;br /&gt;
&lt;br /&gt;
=== Multi-Factor vs Two-Factor Authentication ===&lt;br /&gt;
&lt;br /&gt;
Two-Factor Authentication (2FA) requires two distinct factors.&lt;br /&gt;
&lt;br /&gt;
Multi-Factor Authentication extends this concept and may require multiple independent factors depending on policy, risk level, location, or device trust.&lt;br /&gt;
&lt;br /&gt;
All 2FA implementations are MFA, but not all MFA implementations are limited to two factors.&lt;br /&gt;
&lt;br /&gt;
== Core Authentication Methods ==&lt;br /&gt;
&lt;br /&gt;
=== SMS One-Time Passcodes ===&lt;br /&gt;
&lt;br /&gt;
The user receives a temporary verification code by text message.&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
&lt;br /&gt;
* Simple deployment&lt;br /&gt;
* No application installation required&lt;br /&gt;
&lt;br /&gt;
Disadvantages:&lt;br /&gt;
&lt;br /&gt;
* Vulnerable to SIM-swap attacks&lt;br /&gt;
* Dependent on mobile coverage&lt;br /&gt;
* Less secure than modern alternatives&lt;br /&gt;
&lt;br /&gt;
=== Authenticator Applications ===&lt;br /&gt;
&lt;br /&gt;
Applications generate time-based one-time passcodes (TOTP).&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Microsoft Authenticator&lt;br /&gt;
* Google Authenticator&lt;br /&gt;
* Authy&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
&lt;br /&gt;
* More secure than SMS&lt;br /&gt;
* Works offline&lt;br /&gt;
* Simple user experience&lt;br /&gt;
&lt;br /&gt;
=== Push Notifications ===&lt;br /&gt;
&lt;br /&gt;
The user receives an approval request on a registered device.&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
&lt;br /&gt;
* User friendly&lt;br /&gt;
* Fast authentication process&lt;br /&gt;
&lt;br /&gt;
Disadvantages:&lt;br /&gt;
&lt;br /&gt;
* Vulnerable to MFA fatigue attacks if poorly configured&lt;br /&gt;
&lt;br /&gt;
=== Hardware Security Keys ===&lt;br /&gt;
&lt;br /&gt;
Physical authentication devices based on standards such as FIDO2 and WebAuthn.&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
&lt;br /&gt;
* Resistant to phishing&lt;br /&gt;
* Strong cryptographic protection&lt;br /&gt;
* No reliance on cellular networks&lt;br /&gt;
&lt;br /&gt;
Disadvantages:&lt;br /&gt;
&lt;br /&gt;
* Hardware cost&lt;br /&gt;
* Device management requirements&lt;br /&gt;
&lt;br /&gt;
=== Smart Cards and Certificates ===&lt;br /&gt;
&lt;br /&gt;
Widely used in government, healthcare, military, and enterprise environments.&lt;br /&gt;
&lt;br /&gt;
Authentication is based upon possession of a certificate and associated private key.&lt;br /&gt;
&lt;br /&gt;
== Practical Application ==&lt;br /&gt;
&lt;br /&gt;
=== Small Business Deployment ===&lt;br /&gt;
&lt;br /&gt;
A typical deployment may require:&lt;br /&gt;
&lt;br /&gt;
* Password&lt;br /&gt;
* Mobile authenticator application&lt;br /&gt;
* Recovery methods&lt;br /&gt;
&lt;br /&gt;
This provides substantial protection with minimal infrastructure requirements.&lt;br /&gt;
&lt;br /&gt;
=== Enterprise Deployment ===&lt;br /&gt;
&lt;br /&gt;
Larger organizations often combine:&lt;br /&gt;
&lt;br /&gt;
* Conditional Access policies&lt;br /&gt;
* Device compliance checks&lt;br /&gt;
* MFA enforcement&lt;br /&gt;
* Identity protection systems&lt;br /&gt;
* Privileged access controls&lt;br /&gt;
&lt;br /&gt;
Access decisions become risk-based rather than relying solely on static credentials.&lt;br /&gt;
&lt;br /&gt;
=== Administrative Accounts ===&lt;br /&gt;
&lt;br /&gt;
Administrative accounts should always be protected by MFA.&lt;br /&gt;
&lt;br /&gt;
Recommended approaches include:&lt;br /&gt;
&lt;br /&gt;
* Hardware security keys&lt;br /&gt;
* Certificate-based authentication&lt;br /&gt;
* Dedicated administrative accounts&lt;br /&gt;
* Privileged access workstations&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
=== Treating MFA as a Silver Bullet ===&lt;br /&gt;
&lt;br /&gt;
MFA is highly effective but does not prevent:&lt;br /&gt;
&lt;br /&gt;
* Malware infections&lt;br /&gt;
* Session hijacking&lt;br /&gt;
* Insider threats&lt;br /&gt;
* Compromised endpoints&lt;br /&gt;
&lt;br /&gt;
=== Weak Recovery Processes ===&lt;br /&gt;
&lt;br /&gt;
Many organizations secure authentication but leave account recovery procedures vulnerable.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Helpdesk password resets without verification&lt;br /&gt;
* Shared recovery email addresses&lt;br /&gt;
* Uncontrolled break-glass accounts&lt;br /&gt;
&lt;br /&gt;
=== MFA Fatigue Attacks ===&lt;br /&gt;
&lt;br /&gt;
Attackers repeatedly trigger authentication prompts hoping users will eventually approve one.&lt;br /&gt;
&lt;br /&gt;
Mitigations include:&lt;br /&gt;
&lt;br /&gt;
* Number matching&lt;br /&gt;
* Geographic verification&lt;br /&gt;
* User training&lt;br /&gt;
* Risk-based sign-in controls&lt;br /&gt;
&lt;br /&gt;
=== Legacy Systems ===&lt;br /&gt;
&lt;br /&gt;
Older applications may rely on:&lt;br /&gt;
&lt;br /&gt;
* Basic authentication&lt;br /&gt;
* POP3&lt;br /&gt;
* IMAP&lt;br /&gt;
* Legacy APIs&lt;br /&gt;
&lt;br /&gt;
These systems often require modernization before MFA can be fully implemented.&lt;br /&gt;
&lt;br /&gt;
== Design &amp;amp; Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
=== Security ===&lt;br /&gt;
&lt;br /&gt;
Prioritize phishing-resistant authentication where possible.&lt;br /&gt;
&lt;br /&gt;
Preferred order:&lt;br /&gt;
&lt;br /&gt;
# FIDO2 Security Keys&lt;br /&gt;
# Certificate-Based Authentication&lt;br /&gt;
# Authenticator Applications&lt;br /&gt;
# SMS Authentication&lt;br /&gt;
&lt;br /&gt;
=== Scalability ===&lt;br /&gt;
&lt;br /&gt;
Consider:&lt;br /&gt;
&lt;br /&gt;
* Enrollment processes&lt;br /&gt;
* Device lifecycle management&lt;br /&gt;
* Self-service registration&lt;br /&gt;
* Self-service password reset&lt;br /&gt;
&lt;br /&gt;
=== Maintainability ===&lt;br /&gt;
&lt;br /&gt;
Successful deployments require:&lt;br /&gt;
&lt;br /&gt;
* Documented procedures&lt;br /&gt;
* User training&lt;br /&gt;
* Disaster recovery planning&lt;br /&gt;
* Recovery code management&lt;br /&gt;
&lt;br /&gt;
=== Backwards Compatibility ===&lt;br /&gt;
&lt;br /&gt;
Some environments must support legacy systems temporarily.&lt;br /&gt;
&lt;br /&gt;
Where modernization is not immediately possible:&lt;br /&gt;
&lt;br /&gt;
* Isolate legacy systems&lt;br /&gt;
* Restrict network access&lt;br /&gt;
* Monitor authentication activity&lt;br /&gt;
* Plan migration away from legacy protocols&lt;br /&gt;
&lt;br /&gt;
== Troubleshooting &amp;amp; Diagnostics ==&lt;br /&gt;
&lt;br /&gt;
=== User Cannot Receive Authentication Prompt ===&lt;br /&gt;
&lt;br /&gt;
Check:&lt;br /&gt;
&lt;br /&gt;
* Device registration status&lt;br /&gt;
* Internet connectivity&lt;br /&gt;
* Authenticator application health&lt;br /&gt;
* Notification permissions&lt;br /&gt;
&lt;br /&gt;
=== User Replaced Their Mobile Device ===&lt;br /&gt;
&lt;br /&gt;
Verify:&lt;br /&gt;
&lt;br /&gt;
* Recovery methods exist&lt;br /&gt;
* Secondary authentication factors are available&lt;br /&gt;
* Enrollment process is documented&lt;br /&gt;
&lt;br /&gt;
=== Authentication Works for Some Services Only ===&lt;br /&gt;
&lt;br /&gt;
Investigate:&lt;br /&gt;
&lt;br /&gt;
* Conditional Access policies&lt;br /&gt;
* Legacy authentication usage&lt;br /&gt;
* Application compatibility&lt;br /&gt;
* Federation configuration&lt;br /&gt;
&lt;br /&gt;
=== Unexpected MFA Challenges ===&lt;br /&gt;
&lt;br /&gt;
Review:&lt;br /&gt;
&lt;br /&gt;
* User location&lt;br /&gt;
* Device trust state&lt;br /&gt;
* Risk policies&lt;br /&gt;
* Recent identity protection alerts&lt;br /&gt;
&lt;br /&gt;
== Architectural Overview ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
+------------------+&lt;br /&gt;
| User             |&lt;br /&gt;
+--------+---------+&lt;br /&gt;
         |&lt;br /&gt;
         v&lt;br /&gt;
+------------------+&lt;br /&gt;
| Identity System  |&lt;br /&gt;
| (Azure AD / IdP) |&lt;br /&gt;
+--------+---------+&lt;br /&gt;
         |&lt;br /&gt;
         v&lt;br /&gt;
+------------------+&lt;br /&gt;
| Password Check   |&lt;br /&gt;
+--------+---------+&lt;br /&gt;
         |&lt;br /&gt;
         v&lt;br /&gt;
+------------------+&lt;br /&gt;
| MFA Challenge    |&lt;br /&gt;
| Push / Token     |&lt;br /&gt;
| Key / Biometrics |&lt;br /&gt;
+--------+---------+&lt;br /&gt;
         |&lt;br /&gt;
         v&lt;br /&gt;
+------------------+&lt;br /&gt;
| Access Granted   |&lt;br /&gt;
+------------------+&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Best Practices ==&lt;br /&gt;
&lt;br /&gt;
* Enforce MFA for all users.&lt;br /&gt;
* Require stronger methods for privileged accounts.&lt;br /&gt;
* Use phishing-resistant authentication where possible.&lt;br /&gt;
* Disable legacy authentication protocols.&lt;br /&gt;
* Implement Conditional Access policies.&lt;br /&gt;
* Test account recovery procedures regularly.&lt;br /&gt;
* Monitor sign-in logs and authentication anomalies.&lt;br /&gt;
* Educate users about phishing and MFA fatigue attacks.&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
&lt;br /&gt;
* [[Identity and Access Management]]&lt;br /&gt;
* [[Conditional Access]]&lt;br /&gt;
* [[Single Sign-On]]&lt;br /&gt;
* [[Passwordless Authentication]]&lt;br /&gt;
* [[Public Key Infrastructure]]&lt;br /&gt;
* [[Zero Trust Architecture]]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&lt;br /&gt;
* FIDO2 Specifications&lt;br /&gt;
* WebAuthn Standards&lt;br /&gt;
* NIST Digital Identity Guidelines&lt;br /&gt;
* Microsoft Entra ID Documentation&lt;br /&gt;
* RFC 6238 (Time-Based One-Time Password Algorithm)&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!--&lt;br /&gt;
Category: Security&lt;br /&gt;
Audience: Technical / Architectural&lt;br /&gt;
Depth: Intermediate&lt;br /&gt;
Last Reviewed: 2026-07-06&lt;br /&gt;
--&amp;gt;&lt;/div&gt;</summary>
		<author><name>Dex</name></author>
	</entry>
</feed>