Security Basics

MFA Explained (Without the Panic)

Multi-factor authentication is essential, but it's not a magic shield. Here's what it stops, what it doesn't, and what to do next.

The simple definition

MFA adds a second proof that it's really you signing in. That's it. It's one of the highest-impact security controls you can deploy, but it doesn't replace good identity hygiene, endpoint protection, or backup readiness.

Marc Vaccaro
Jun 18 · 6 min read

Quick take

If you turn on MFA and stop there, you'll still be exposed to session hijacking, risky device access, and over-permissioned accounts.

Best for: Stopping password-only attacks
  Credential stuffing, reused passwords, basic phishing.
Not enough for: Device + session threats
  Token theft, "trusted device" abuse, malware.
Next step: Conditional access + monitoring
  Control where/how people sign in and alert on anomalies.

MFA in practice

Common wins
  • Password reuse attacks (credential stuffing)
  • Basic "password only" phishing
  • Brute-force attempts against weak passwords
  • Unauthorized access after password leaks
Rule of thumb

If the attacker only has a password, MFA is usually a strong barrier. If the attacker has a session token or a compromised device, MFA might not help.

Where MFA can be bypassed
  • Session/token theft (attacker steals an active session)
  • "MFA fatigue" push spamming (user taps approve)
  • Compromised endpoints (malware can hijack access)
  • Over-permissioned accounts (legit sign-in, wrong access)
Plain-English takeaway

MFA verifies a sign-in attempt. It doesn't continuously verify that the device is safe, that the session remains legitimate, or that the account has the right level of access.

Add these controls (in this order)
  1. Conditional Access: block risky locations, enforce compliant devices, require stronger factors for admins.
  2. Admin hygiene: separate admin accounts, minimize standing privileges, review roles monthly.
  3. Endpoint protection + patching: reduce the chance that devices become the bypass.
  4. Alerting & review: monitor risky sign-ins and unusual token activity.
  5. Backup + restore drills: assume identity will fail eventually; plan the recovery before it does.
Quick win

Start by tightening admin access and adding sign-in risk policies. That's where a lot of damage happens.
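Step 4 above (alert on risky sign-ins and unusual token activity) is the part most teams leave vague. As an added example, not code from this post, here is a small detector that reads constructed sign-in events and flags the two patterns the article names: MFA-fatigue push spam (several denied or ignored pushes followed by an approval inside a short window) and an approval from a country the user has never signed in from. The log format, field names and the per-user country baseline are assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): one line per MFA push outcome.
SAMPLE_LOG = """\
2024-06-18T08:00:05Z user=alice result=push_denied ip=203.0.113.7 country=NL
2024-06-18T08:00:40Z user=alice result=push_denied ip=203.0.113.7 country=NL
2024-06-18T08:01:12Z user=alice result=push_timeout ip=203.0.113.7 country=NL
2024-06-18T08:01:50Z user=alice result=push_denied ip=203.0.113.7 country=NL
2024-06-18T08:02:30Z user=alice result=push_approved ip=203.0.113.7 country=NL
2024-06-18T09:10:00Z user=bob result=push_approved ip=198.51.100.4 country=US
2024-06-18T09:30:00Z user=bob result=push_denied ip=198.51.100.4 country=US
"""

REJECTED = ("push_denied", "push_timeout")

def parse(log: str) -> list:
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        ts, *kv = line.split()
        event = dict(pair.split("=", 1) for pair in kv)
        event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events

def mfa_fatigue_alerts(events, window=timedelta(minutes=10), min_rejections=3):
    """Flag approvals preceded by >= min_rejections rejected pushes within
    `window`: the spam-until-the-user-taps pattern the article describes."""
    by_user = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_user[event["user"]].append(event)
    alerts = []
    for user, evs in by_user.items():
        for i, event in enumerate(evs):
            if event["result"] != "push_approved":
                continue
            start = event["ts"] - window
            prior = [x for x in evs[:i] if x["ts"] >= start and x["result"] in REJECTED]
            if len(prior) >= min_rejections:
                alerts.append({"user": user, "approved_at": event["ts"],
                               "rejections_before": len(prior), "ip": event["ip"]})
    return alerts

def new_country_alerts(events, known_countries):
    """Flag approvals from a country not in the user's (assumed) baseline set."""
    return [{"user": e["user"], "country": e["country"], "at": e["ts"]}
            for e in events
            if e["result"] == "push_approved"
            and e["country"] not in known_countries.get(e["user"], set())]
```

Either alert on its own is a reason to revoke the session and re-verify the user out of band; both together on one sign-in is close to a textbook fatigue attack.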


A simple "coverage" view

Not a perfect model, just a useful way to explain layers to non-technical stakeholders.
Threat / Scenario                           | MFA helps?  | What to pair with it
Stolen / reused password                    | Usually yes | Password manager + strong policies
Push notification spam                      | Sometimes   | Number matching / phishing-resistant methods + user training
Compromised laptop                          | Often no    | EDR + patching + least privilege
Suspicious sign-in from new location/device | Partially   | Conditional Access + sign-in risk alerts
Account has too much access                 | No          | Role reviews + JIT access + separation of duties

The calm conclusion

Turning on MFA is one of the best moves you can make. Just treat it as a layer, not the whole strategy. If you combine MFA with conditional access, endpoint hardening, and periodic access reviews, your risk drops dramatically.

If you do just 3 things
  • Require MFA everywhere (especially email + admin roles)
  • Add conditional access for risky sign-ins
  • Review privileged access monthly