Securafy Knowledge Base

Multi-Factor Authentication (MFA): The Complete Guide for Ohio Businesses

Multi-factor authentication (MFA) is the single highest-return security control available to any business. Microsoft's analysis of its own identity platform found that accounts with MFA enabled were more than 99.9% less likely to be compromised than accounts protected by a password alone. It is also required by most cyber insurance carriers and by many compliance frameworks and regulated industries operating in Ohio. This guide explains what MFA is, how it works, and how to implement it correctly.

What Is MFA and Why Does It Matter

Multi-factor authentication requires users to verify their identity using two or more factors from different categories: something you know (password), something you have (a phone or hardware token), or something you are (biometric). Requiring two factors means that even if an attacker has your password — through phishing, a data breach, or credential stuffing — they cannot access your account without also having your second factor.

The practical impact: automated credential stuffing and password-spray attacks, which rely on a stolen or guessed password being sufficient on its own, fail outright when MFA is enforced. For the human-operated attacks that make up the remainder, MFA significantly raises the cost and complexity of compromise. One caveat practitioners should understand: a one-time code (from SMS or an authenticator app) can still be relayed by a real-time phishing proxy that sits between the victim and the real login page, so the choice of MFA method matters, as the next sections explain.

MFA Requirements in Ohio's Compliance Frameworks

Types of MFA and Which to Choose

Authenticator app (TOTP) — time-based one-time codes generated by apps like Google Authenticator or Microsoft Authenticator. The app and the service share a secret at enrollment (the QR code), and both derive the same six-digit code from that secret and the current 30-second time window, so no network connection to the phone is needed. Strong, free, and widely supported. Best choice for most business applications, with the caveat that a code typed into a phishing page can be relayed to the real site within its validity window.

Push notification — a request sent to your phone that you approve or deny. Convenient but vulnerable to MFA fatigue attacks (repeated requests until the user accidentally approves). Number matching, which Cisco Duo offers as Verified Duo Push, mitigates this risk by requiring the user to enter a number shown on the login screen into the app rather than just tapping Approve.

Hardware token (FIDO2/WebAuthn) — physical security keys like YubiKey. The strongest form of MFA, and the only phishing-resistant one listed here: the credential is bound to the legitimate site's domain, and the browser includes the origin in what the key signs, so a look-alike phishing domain cannot obtain a signature the real site will accept. Required for highest-security environments and recommended for all administrator accounts.

SMS text codes — weakest form of MFA. Vulnerable to SIM swapping, to interception of the carrier network, and to real-time phishing like any other one-time code. Avoid where possible; use only as a last resort.
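To make the authenticator-app item above concrete, the following is an added example (not code from Securafy, Cisco Duo, or any authenticator vendor) of how TOTP codes are generated and verified per RFC 6238, using only the Python standard library. The secret is the published RFC 6238 test vector, not a real credential; the verifier accepts one time step of clock drift in either direction and refuses to accept a time step that has already been used, which is the standard defense against replaying a code captured within its validity window.

```python
"""RFC 6238 TOTP (built on RFC 4226 HOTP): generation, verification, enrollment URI."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# Published RFC 6238 Appendix B test secret for HMAC-SHA1 (ASCII "12345678901234567890").
# It is a test vector, not a real secret; a real enrollment uses a fresh random secret.
RFC6238_SHA1_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per code; the default used by Google/Microsoft Authenticator


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algorithm).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte selects a window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP where the counter is the number of whole time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_used_step: int,
                digits: int = 6, step: int = TIME_STEP, window: int = 1):
    """Server-side check. Returns (accepted, step_to_record).

    Codes from step-window .. step+window are accepted to tolerate phone clock drift.
    Any step <= last_used_step is refused so a captured code cannot be replayed,
    even while it would otherwise still be valid.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False, last_used_step
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_used_step:
            continue
        expected = hotp(secret, candidate, digits)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return True, candidate
    return False, last_used_step


def otpauth_uri(secret: bytes, account: str, issuer: str,
                digits: int = 6, step: int = TIME_STEP) -> str:
    """The URI encoded in the enrollment QR code; the secret travels base32-encoded."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # Enrollment: a fresh 160-bit secret, shared with the app via the QR-code URI.
    new_secret = secrets.token_bytes(20)
    print(otpauth_uri(new_secret, "alice@example.com", "ExampleCorp"))  # example names
    # Login: the app and the server compute the same code for the current window.
    now = int(time.time())
    code = totp(new_secret, now)
    print("current code:", code, "->", verify_totp(new_secret, code, now, last_used_step=-1))
```

The `last_used_step` value must be stored per user on the server; without it, an attacker who relays a freshly typed code has up to a full time step (plus the drift window) to reuse it. The drift window should stay small (one step is typical) because every extra step widens that replay window.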

How Securafy Implements MFA

Securafy deploys Cisco Duo MFA across all clients as part of every service tier. Duo enforces MFA on all remote access, VPN, Microsoft 365, and business application sign-ins. Adaptive policies automatically apply additional friction for risky sign-in signals such as unusual locations, new devices, or off-hours access. Number matching (Verified Duo Push) is enabled by default to prevent MFA fatigue attacks.

Frequently Asked Questions

Is MFA required by cyber insurance carriers?

Yes. Virtually all cyber insurance carriers now require MFA as a baseline condition of coverage. Carriers that discover MFA was not enforced at the time of a claim frequently deny coverage or apply exclusions. Many carriers now ask specifically about MFA enforcement on remote access, email, and privileged accounts on renewal applications.

What is an MFA fatigue attack and how do I prevent it?

An MFA fatigue (or MFA bombing) attack occurs when an attacker who has stolen credentials repeatedly sends MFA push notifications to the victim, hoping they will approve one accidentally or out of frustration. The defense is to enable number matching in your authenticator app (the user must type a number shown on the login screen into the app, so an approval cannot be given blindly) and to train employees to never approve unexpected MFA requests and to report them to IT immediately: a flood of unrequested prompts means the password is already in an attacker's hands and must be reset.

Can we use SMS text messages for MFA?

SMS-based MFA is better than no MFA, but it is the weakest available form. SIM swapping attacks allow attackers to redirect SMS messages to a new SIM card, and like any one-time code, an SMS code can be phished and relayed in real time. For business accounts, especially administrator accounts, financial systems, and remote access, authenticator apps or hardware tokens are strongly preferred over SMS.

How long does MFA deployment take?

Securafy can deploy Cisco Duo MFA across a typical 10–50 person environment in a single day. The process includes configuring Duo, enrolling all users, setting policies for each application, and testing before go-live. Securafy handles the entire deployment as part of onboarding.

Ready to Protect Your Business?

Start with a free 47-point security and network assessment — no obligation, no upsell.

Book a Free Strategy Call → 📞 (330) 906-8888