Multi-factor authentication (MFA) has quickly become the standard for securing business accounts. Once a niche security measure, adoption is on the rise across industries. But while it’s undeniably effective at keeping bad actors out, the implementation of MFA solutions can be a tangled mess of competing designs and ideas. For businesses and employees, the reality is that MFA sometimes feels like too much of a good thing.
Here are a few reasons why MFA isn’t implemented more universally.
1. Businesses see MFA as a cost center
MFA for businesses isn’t free, and the costs of MFA can add up over time. Third-party MFA solutions come with subscription costs, typically charged per user. Even built-in options like Microsoft 365’s MFA features can cost extra depending on your Microsoft Entra license.
Plus, there’s the cost of training employees to use MFA and the time IT takes to enroll them. If MFA increases help desk calls, support costs go up too. While these expenses are far less than the cost of a security breach ($4.88 million last year), businesses don’t always see that connection clearly.
2. User experience is a persistent pain point
No matter how you slice it, MFA also brings extra steps. After entering a password, users must complete another verification step. This inevitably adds friction. Admins need to consider the form of MFA used, how often it’s required, and balance both with risk.
Combining MFA with SSO can lighten the security burden by allowing users to authenticate once to access multiple apps, rather than logging in separately to each one. This lowers friction for your users, so MFA doesn’t get in the way of work. Beyond SSO, keep end users happy by opting for an MFA platform with flexible policy settings. For example, internal workstation access probably doesn’t need MFA as often as remote access via VPN, RDP, or other external connections.
3. MFA implementation brings hidden pitfalls
Deploying MFA and training users isn’t a small task. The first step is to create and manage a system that keeps things simple — from user enrollment to monitoring MFA activity.
Choose an MFA that plays nicely with your organization’s current identity setup. Securing access to a mix of on-premises Active Directory (AD) and cloud infrastructure can mean managing multiple identities per user, creating management overhead and creating a hybrid identity security gap.
Scalability is also a factor: as the user base grows, can the system keep up? If you’re relying on a third-party MFA service, what happens if it goes down?
Then there’s the issue of connectivity. Many MFA solutions assume users are always online. But what if they’re offline or on an isolated network with limited connectivity? Consider how and where your users log on and evaluate if your MFA should support local prompts to authenticate users, even when their device isn’t connected to the internet.
4. MFA alone isn’t enough
Sure, MFA boosts security, but no MFA method is foolproof. Each approach has its own weaknesses that attackers can exploit. For example, SMS-based MFA (no longer recommended) is vulnerable to SIM-swapping attacks, while push notifications can fall victim to MFA fatigue, where users are bombarded with repeated login requests by attackers who’ve already compromised their passwords.
More advanced attackers have tools to steal session cookies, allowing them to bypass MFA entirely in some situations. SSO, while convenient, can exacerbate the problem — if an attacker breaks through one MFA barrier, they may gain access to multiple applications.
MFA doesn’t have to be this hard
The takeaway is that MFA needs to be part of a broader strategy that includes monitoring and logging to give admins visibility into authentication activities. While MFA is a crucial layer in defending against unauthorized access, deployment will bring challenges. Plan for them. For a successful MFA implementation, understand costs, consider user experience, and take a proactive approach to mitigating its limitations.
