Security Series: Part 1 - Best Practices and Strategies for Multi-Factor Authentication (MFA)

Introduction: Why MFA is No Longer Optional
In cybersecurity, the weakest link is still the human login. We’ve seen too many enterprises unravel because a single password was all that stood between their systems and a determined attacker.
Take Uber in 2022: A contractor’s stolen credentials gave hackers the keys to the castle. Or Colonial Pipeline, where compromised accounts contributed to one of the most disruptive ransomware events in US history. Both lacked strong, layered authentication controls.
The lesson is simple: Relying on passwords alone is reckless. Multi-factor authentication (MFA) isn’t just an IT add-on; it’s the modern seatbelt of enterprise security. The organisations who survive and thrive will be those who implement it intelligently, consistently and strategically.
What is Multi-Factor Authentication (MFA)?
At its core, MFA is about verifying identity through more than one method of proof. Instead of banking everything on a password, MFA combines:
- Something you know – a password or PIN.
- Something you have – a smartphone app, security token or smartcard.
- Something you are – biometric data like a fingerprint or face scan.
A common enterprise example: logging into Office 365 requires both a password and a one-time code generated by an authenticator app. Even if a hacker steals the password, they can’t log in without the second factor.
This extra step creates a dramatic security uplift with minimal friction when deployed thoughtfully.
The Benefits of MFA for Enterprise Security
The case for MFA is compelling:
- Dramatic reduction in phishing risk: Microsoft research found MFA blocks 99.9% of automated account attacks.
- Secures hybrid workforces: With staff working from home, offices or customer sites, MFA ensures only the right people access the right systems.
- Supports compliance: Regulations like ISO 27001, GDPR and PCI DSS increasingly expect MFA for sensitive systems.
- Protects customer trust: Customers notice when their interactions are secure. A single breach can erode brand equity faster than years of marketing can build it.
The UK’s National Cyber Security Centre (NCSC) advises that implementing MFA is one of the simplest and most effective ways to protect against the majority of account takeover attacks. We couldn’t agree more.
Lessons from Businesses Who Skipped MFA
The fastest way to understand the value of MFA is to study organisations who didn’t deploy it effectively:
- Uber (2022) – A hacker purchased stolen credentials on the dark web. Because MFA wasn’t enforced across all accounts, the attacker gained deep access, leading to internal system compromise and reputational damage.
- Colonial Pipeline (2021) – A VPN account with no MFA was compromised, triggering a ransomware attack that shut down fuel supply to much of the US East Coast. The resulting disruption cost millions and drew government scrutiny.
- Industry SMB examples – According to the UK’s National Cyber Security Centre (NCSC) and industry reports, many small and mid-sized businesses have suffered payroll fraud or email account takeovers because MFA was not enforced on Office 365 and other systems. In some published cases, attackers monitored inboxes for extended periods before launching invoice fraud scams.
In each case, the cost of skipping MFA far outweighed the minor inconvenience of deploying it. The moral? Security corners cut today are breaches paid for tomorrow.
Best Practices for Implementing MFA Effectively
MFA is not a silver bullet. To work in practice, it must be implemented strategically:
- Prioritise privileged accounts: Start with admin and high-value accounts. These are prime targets for attackers and cause maximum damage if compromised.
- Use adaptive or risk-based MFA: Not all logins need the same level of scrutiny. With adaptive MFA, extra verification only kicks in under risky conditions (e.g. unusual location, new device). This balances security with user experience.
- Educate staff on phishing-resistant methods: SMS-based MFA, while better than nothing, is vulnerable to SIM-swap attacks. Encourage hardware tokens or authenticator apps that generate time-based one-time codes (TOTP). Hardware security keys like YubiKeys offer the highest assurance.
- Integrate with single sign-on (SSO): SSO simplifies the login experience, making MFA more palatable. Users authenticate once and securely access multiple applications.
- Test, audit, and review: Don’t treat MFA as a set-and-forget project. Regularly audit logs, review enrolment policies, and adapt to evolving threats.
The organisations that succeed with MFA view it as part of a broader identity and access management strategy, not a bolt-on.
How Britannic, Fortinet, and Acronis Can Help
At Britannic, we help enterprises design, deploy and manage MFA as part of a bigger cybersecurity and digital transformation roadmap. The key is making MFA robust and user-friendly.
Fortinet offers a mature suite of identity solutions. FortiAuthenticator and FortiToken provide strong MFA, supporting hardware tokens, push notifications and biometrics. Crucially, they integrate with Fortinet’s broader security fabric — meaning MFA becomes part of a coordinated defence strategy rather than a siloed tool.
Acronis takes a different angle, embedding MFA into its backup and disaster recovery platforms. This protects the administrative consoles that cybercriminals increasingly target during ransomware campaigns. MFA ensures attackers can’t silently disable backups before encrypting systems.
We’ve deployed both with clients who need compliance-ready, low-friction solutions. This is where Britannic adds value: not just supplying the tool, but integrating it into your Managed Services, managing it proactively, and ensuring it scales with your business.
Final Thoughts: From “Optional” to “Obvious”
Multi-factor authentication is no longer a “nice to have.” It’s the minimum viable control for a digital enterprise. Without it, businesses are gambling their brand, customers and regulatory standing. With it, they build resilience, compliance and trust.
The journey doesn’t end with MFA. It’s the first step toward a Zero Trust architecture - where no user, device or connection is trusted by default. MFA is the front door lock; Zero Trust builds the entire security neighbourhood around it.
The message is clear: start small but start now. Because if history teaches us anything, it’s that attackers never wait for board approval.