9 Ways You’re Doing MFA All Wrong

As we witnessed in the MGM attack recently, you may have MFA set up correctly, but it may not be as effective as you think in securing your account.

MFA is a great way to dramatically increase the security and protections of your accounts, but it’s not an end-all-be-all by any means and is subject to misconfiguration, which is up there in the top 3 vulnerability categories in information security.


1.💬Having MFA Codes Sent To Your Phone via SMS

Sending MFA codes via SMS is not considered secure, and has not been for some time. Don’t believe me? See someone in security with longer hair than me, or NIST itself.

Phones can be subject to SIM-swapping attacks, where someone can literally take your phone number.

💡 Personal Security Tip: Call your phone provider and add a PIN to prevent unauthorized changes to your account.

  • Utilize PUSH MFA instead (see below)

2.📝 Failing to Educate Employees on MFA Best Practices

Even with a robust MFA system in place, its effectiveness can be diminished if employees are not properly trained on how to use it correctly.

MFA Fatigue is a real thing! People will still click YES when notified either accidentally, or haphazardly because they’re so busy doing something else. (Modern day woes)

Providing comprehensive and continued training and education on MFA best practices can help employees understand the importance of MFA and how to use it securely.

3.🗝️Not Using Hardware / FIDO2 Keys for Admins or Key Personnel

FIDO2 is now integrated into many modern operating systems, which makes this secure technology easier to adopt. You can also distribute hardware keys like YubiKeys, but make sure you have a fallback/reset plan.

4.🔒 Neglecting Regular MFA Audits and Updates

MFA is not a set-it-and-forget-it solution. Regularly auditing and updating your MFA methods is crucial to stay ahead of emerging threats. Conducting audits can help identify vulnerabilities and ensure that your MFA setup remains effective and secure.

5.🤳🏼Giving Out One-Time Codes Via Phone Calls

At the very least, this should not be the norm, and it should not be easy to do. Build a super strong authentication and alerting mechanism for such cases, and make it impossible for critical access areas or employees with privileged access.

  • Use the phone number on file to call back the person

    • Not if the number has been changed recently (should be a log or indicator saying when it was changed)

  • Create a robust authentication system that asks for information only that employee would know

Using a separate directory altogether for privileged access/users would help a ton here!

6.♻️ Allowing TOTP Codes To Be Re-Used

Did you know that many providers actually allow codes to be re-used within the 30 second time frame?

As per RFC 6238 (the TOTP spec), they’re not supposed to be.

The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.

Hello, can you say “one-time” altogether please? 

Of course, for convenience purposes companies have been a little lax and allowed codes to be re-used.

For the best security, make codes truly single use.
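One way a verifier can enforce this, shown as an added example (not code from this post or from any provider): it remembers the last time step accepted for each user and rejects any code from that step or an earlier one. The class name `SingleUseTotpVerifier`, the in-memory `last_step` store and the one-step clock drift tolerance are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step (the 30 second window discussed above)
DIGITS = 6


def totp(secret: bytes, counter: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a single time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class SingleUseTotpVerifier:
    """Hypothetical verifier: each time step is accepted at most once per user."""

    def __init__(self, drift_steps: int = 1):
        self.drift_steps = drift_steps
        # user -> highest counter already accepted.
        # In-memory for the example; a real service must persist this
        # and update it atomically with the login decision.
        self.last_step = {}

    def verify(self, user: str, secret: bytes, code: str, now=None) -> bool:
        if len(code) != DIGITS or not code.isascii() or not code.isdigit():
            return False
        current = int((time.time() if now is None else now) // STEP)
        floor = self.last_step.get(user, -1)
        for counter in range(current - self.drift_steps,
                             current + self.drift_steps + 1):
            if counter <= floor:
                continue  # step already consumed (or older): treat as a replay
            if hmac.compare_digest(totp(secret, counter), code):
                self.last_step[user] = counter  # burn this step and all before it
                return True
        return False
```

Logging the rejected replay as a security event gives you a detection signal as well, since a second submission of a valid code within the window is rarely legitimate.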

7.🌩️ Backing Up To The Cloud Insecurely

Did you know that Google Authenticator now allows auth codes to be backed up to the cloud? Have you considered which cloud account these codes are being sent to?

If they’re being backed up to an employee’s personal account, and they don’t have strong authentication, then it really defeats the purpose of MFA (kind of a chicken or egg question).

  • Ask users not to enable backups and/or enforce the use of your own app for MFA

8.📲 Not Using Push Notifications ONLY

Many times people enforce MFA on their users, but they still allow them to use SMS! The best way to get rid of all this headache is to enforce push notifications using a directory app that you own. Not only will this reduce your attack surface area, but also it will ensure that the right users are provisioned to your MFA.

9. 📬Sharing One-Time Backup Codes Via Email

Yes, I’ve seen this! Don’t do this. These recovery codes are super important and should be locked in your password manager. (You’re using a password manager right?😅)

Sensitive data should never be sent via email.😬

Think about it this way: if an attacker gets access to the person who sent the email to employees during onboarding, they now have access to ALL employees’ one-time codes in their sent email!!


As you can see, just enabling MFA is not as simple as you think. As with any security configuration, it must be done with thought and proportional to your threat landscape. Running a threat modeling exercise within your company will help you make an informed decision on the right-sized security for your environment and business.
