
No Excuses: Why Multi-Factor Authentication is Non-Negotiable

Breaches are not a matter of if but when, which is why relying solely on passwords is a dangerous oversight. As the Product Security Manager for Harmony SASE, I’ve seen the destruction firsthand, and I’m here to tell you that MFA is not just “good practice” — it’s the absolute minimum standard of care.

Why MFA? Because Your Passwords Are Already Compromised

Let’s start with the why. If you think your users’ passwords are secret, think again. Credential dumps from breached companies are traded daily on the dark web. Password reuse is rampant. Phishing attacks are more sophisticated than ever, and employees are fallible — always have been, always will be.

Attackers don’t “hack” most systems today. They log in using stolen credentials obtained through phishing, social engineering, credential stuffing, or simple brute force attacks. Once inside, they move laterally, escalate privileges, and exfiltrate data, often going unnoticed for months.

Without MFA, a username and password become a single point of failure. Breach that, and the doors are wide open. MFA is not foolproof, but it escalates the complexity of the attack and forces malicious actors to compromise an additional factor that is not so easy to obtain. MFA is often tied to something you have (like a smartphone or hardware token) or something you are (like a fingerprint) — sometimes both. It raises the difficulty level enough that many cyber criminals won’t even bother trying.

What MFA Is, and What It Is Not

MFA isn’t just another box to check. Done right, it’s a strategic shield. Done wrong, it’s a bureaucratic inconvenience that frustrates users and invites workarounds.

What MFA is:
What MFA is NOT:

Partial MFA coverage creates dangerous blind spots in your security strategy.

How to Implement MFA the Right Way

Deploying MFA poorly can cause friction, create security gaps, and breed resentment among your users. You need to get it right — without compromise.

  1. Start with risk prioritization, then go global.

Begin with the highest-risk systems: remote access (VPNs, SaaS applications, email platforms), privileged accounts (domain admins, database admins), and cloud environments. But don’t stop there. Every identity is a potential attack vector. Your end goal must be universal MFA across all accounts, not just the “important” ones.

  2. Choose strong MFA methods.

Not all factors are created equal. SMS-based authentication is better than nothing and in rare cases may be necessary due to practical constraints, but it’s very susceptible to SIM-swapping attacks and interception.

Prioritize stronger methods like:

The key is to eliminate reliance on vulnerable forms of MFA wherever possible.

  3. Make it seamless, not painful.

Security and usability are not enemies. Adopt MFA solutions that integrate with single sign-on (SSO) platforms to minimize repeated prompts. Implement adaptive MFA: trust known devices and locations but challenge new or risky ones. Reduce user friction without sacrificing security.

  4. Educate relentlessly.

Even the best MFA solution will fail if users don’t understand it or see it as “optional.” Conduct training sessions. Make MFA part of your onboarding process. Explain the stakes clearly: a compromised account could cost jobs, reputations, and millions of dollars.

  5. Monitor and audit continuously.

Attackers evolve. So must your defenses. Monitor MFA enrollment and usage. Audit for coverage gaps regularly. Set policies to block access from non-compliant users. Treat MFA logs as critical telemetry for your security operations center (SOC).

  6. Plan for exceptions — but don’t let them be exploits.

There will always be edge cases: users without smartphones, service accounts that can’t handle MFA, legacy systems. Build exception processes — but make them painful enough that nobody seeks exemptions lightly. Temporary bypasses should expire automatically. Service accounts should be re-architected with modern authentication standards wherever possible.
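The continuous coverage audit described under "Monitor and audit continuously" and the auto-expiring exceptions described above, as an added example that is not part of the original post: it walks a constructed identity inventory and flags unenrolled accounts, SMS-only accounts, privileged accounts lacking a strong factor, and temporary bypasses that have lapsed. The method tiers (`WEAK_METHODS`, `STRONG_METHODS`), the `Account` fields and the sample users are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Strength tiers are an assumption for this example, not the post's own list.
WEAK_METHODS = {"sms"}                         # SIM-swappable / interceptable
STRONG_METHODS = {"fido2", "hardware_token"}   # something you have, phishing-resistant

@dataclass
class Account:
    user: str
    privileged: bool = False
    mfa_methods: set = field(default_factory=set)
    bypass_expires: Optional[date] = None      # temporary exception, if granted

def audit_mfa_coverage(accounts, today):
    """Return {user: finding}. Anything other than 'ok' is a coverage gap."""
    findings = {}
    for a in accounts:
        if not a.mfa_methods:
            # Unenrolled: only an unexpired, explicitly granted bypass may allow access.
            if a.bypass_expires is None:
                findings[a.user] = "block"            # non-compliant, deny access
            elif a.bypass_expires < today:
                findings[a.user] = "bypass_expired"   # exception lapsed automatically
            else:
                findings[a.user] = "temporary_bypass" # active exception, keep reviewing
        elif a.privileged and not (a.mfa_methods & STRONG_METHODS):
            findings[a.user] = "privileged_weak"      # admins need a strong factor
        elif a.mfa_methods <= WEAK_METHODS:
            findings[a.user] = "weak_only"            # SMS is the only second factor
        else:
            findings[a.user] = "ok"
    return findings

def gaps(accounts, today):
    """Users the SOC should act on, in a stable order for ticketing."""
    return sorted(u for u, f in audit_mfa_coverage(accounts, today).items() if f != "ok")

# Constructed sample inventory for the example (not real accounts).
SAMPLE = [
    Account("alice", privileged=True, mfa_methods={"fido2", "totp"}),
    Account("bob", mfa_methods={"sms"}),
    Account("carol", privileged=True, mfa_methods={"totp"}),
    Account("dave"),
    Account("svc-backup", bypass_expires=date(2024, 1, 31)),
    Account("erin", bypass_expires=date(2099, 12, 31)),
]

if __name__ == "__main__":
    for user, finding in audit_mfa_coverage(SAMPLE, date(2024, 6, 1)).items():
        print(f"{user:12} {finding}")
```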

Resilience Starts Here

The path to a modern, resilient organization is not paved with ever more complex passwords; it’s built on a foundation of verified identity. Without universal MFA, organizations accept a fragile, single point of failure as their primary defense.

Implementing MFA correctly—as a seamless, strategic shield—is one of the highest-impact security decisions you can make. Build a culture of security and enable your business to operate with confidence in an insecure world. Secure every identity, everywhere.
