Multi-factor authentication (MFA) is no longer optional; it is a critical requirement for securing access to sensitive systems and data. As cyber threats grow more sophisticated, security and identity and access management (IAM) leaders in financial services, government agencies, healthcare, energy, and other security-first environments must navigate evolving MFA requirements to ensure compliance, mitigate security risks, and protect critical assets.
See the following for additional information on MFA requirements, compliance standards, security vulnerabilities, and best practices for strengthening authentication security, including how the RSA External Authentication Methods (EAM) integration with Microsoft helps organizations meet stringent regulatory mandates.
MFA requirements define the authentication policies organizations must implement to enhance security and reduce the risk of credential-based attacks. These requirements vary by industry and regulatory framework but typically mandate the use of two or more authentication factors:
- Something you know: passwords, PINs
- Something you have: hardware tokens, mobile authenticators
- Something you are: biometrics (fingerprint, facial recognition)
MFA is mandated across multiple industries to prevent unauthorized access, reduce fraud, and improve overall cybersecurity resilience. Some compliance frameworks and technical requirements that enforce MFA to ensure organizations mitigate identity-related threats include:
- DORA (Digital Operational Resilience Act) requires EU financial entities to deploy strong authentication mechanisms as part of their ICT risk-management framework (Article 9), raising both cybersecurity and operational resilience.
- NIS2 (Network and Information Security Directive 2) lists multi-factor or continuous authentication among the mandatory cybersecurity risk-management measures (Article 21) for essential and important entities across the EU.
- PCI DSS (Payment Card Industry Data Security Standard) mandates MFA for all non-console administrative access and all remote access into the cardholder data environment; version 4.0 extends this to all access into the cardholder data environment (Requirement 8.4.2).
- CMMC 2.0 (Cybersecurity Maturity Model Certification) requires MFA for Department of Defense contractors that handle controlled unclassified information (CUI), following the NIST SP 800-171 controls it is built on.
- GDPR (General Data Protection Regulation) does not name MFA explicitly, but its Article 32 duty to apply appropriate technical measures to protect personal data is widely read by supervisory authorities as requiring strong authentication on systems that hold personal data.
- Microsoft's mandatory MFA rollout for Microsoft Entra ID (formerly Azure AD) enforces MFA for sign-ins to the Azure portal and other Microsoft administration portals, for user and admin accounts alike.
RSA® ID Plus provides MFA that meets each of these regulations and requirements. For instance, the RSA EAM integration with Microsoft enables organizations to implement phishing-resistant MFA, adaptive risk-based policies, and continuous authentication monitoring, extending security beyond Microsoft's ecosystem to protect hybrid and multi-cloud environments.
Failure to comply with these requirements could result in fines and costlier cyber-insurance policies. Moreover, if organizations don't deploy modern authentication, they run the risk of dramatically increasing their exposure. The vast majority of cyberattacks target weak credentials, like stolen passwords. MFA is critical to reducing the risk that any single compromised credential represents.
To implement MFA effectively, organizations should note the following best practices:
- Get the right protocols for the right users: MFA shouldn't be one-size-fits-all. Different user populations may have different requirements. For instance, users working in clean rooms or other highly secure facilities may not be able to use internet-connected devices or cellphones to authenticate. Make sure you know what your users can use, what they can't use, and what they're familiar with.
- Don't create siloed authentication experiences: While organizations need to accommodate different user groups' needs, they shouldn't use point solutions to deploy MFA on a group-by-group basis. Doing so complicates operations and creates higher procurement and management costs. Instead, organizations should prioritize vendors that can support a range of MFA methods from one central identity platform.
- If you're not planning for outages, then you're planning to fail: If you're using a cloud provider for MFA, then you need to ask what happens when the cloud goes down. At best it means users can't access their applications; at worst the fallback procedures used to restore access become the weak point attackers target. Organizations need to build resilience across their critical infrastructure, particularly MFA, and test the failover path before they need it.
- Keep BYOD secure: With cellphones, work from home, and bring your own device (BYOD) policies prevalent across sectors, more users are completing MFA using personal devices. While that enhances convenience, it can also introduce risks to the authentication process: malware, man-in-the-middle attacks, social engineering, and more can jeopardize the authentication process and in turn put company data, enterprise assets, or customer records at risk.
- Make sure you're using the right passwordless authentication: If you're planning on using passwordless MFA, that is a great way to lower your organization's risk and evolve its Zero Trust maturity. But not all passwordless authentication is created equal. Organizations need to know the difference between synced passkeys, whose private keys are copied to a cloud account and to every device signed into it (so their security is bounded by that account), and device-bound passkeys, whose private keys never leave the authenticator that created them and are therefore the option that keeps enterprises secure. A relying party can tell the two apart at registration from the backup-eligible (BE) and backup-state (BS) flags in the WebAuthn authenticator data.
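The following is an added example, not code from the original page or from RSA, showing how a relying party can enforce the device-bound-versus-synced distinction described above. It parses the fixed 37-byte prefix of WebAuthn authenticator data (rpIdHash, flags, signCount) and rejects a registration whose BE/BS flags mark the credential as synced or backup-eligible. The relying party ID `example.com`, the `make_auth_data` test-vector helper, and the policy switches are assumptions for the demonstration; attested credential data and extensions that may follow the prefix are ignored here.

```python
import hashlib
import struct

# WebAuthn authenticator-data flag bits (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric checked by the authenticator)
FLAG_BE = 0x08  # backup eligible: the credential may be synced off the device
FLAG_BS = 0x10  # backup state: the credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows the prefix
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}


def classify_passkey(flags: int) -> str:
    """Map the BE/BS bits to the credential type a device-bound policy cares about."""
    be = bool(flags & FLAG_BE)
    bs = bool(flags & FLAG_BS)
    if bs and not be:
        return "invalid"          # the spec forbids BS without BE
    if not be:
        return "device-bound"     # private key cannot leave this authenticator
    if bs:
        return "synced"           # currently backed up to a cloud account
    return "backup-eligible"      # may be synced later; not device-bound


def evaluate_registration(auth_data: bytes, rp_id: str,
                          require_device_bound: bool = True,
                          require_uv: bool = True) -> tuple[bool, str]:
    """Decide whether a newly registered credential satisfies the policy."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    flags = parsed["flags"]
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if require_uv and not flags & FLAG_UV:
        return False, "user verification required but not performed"
    kind = classify_passkey(flags)
    if kind == "invalid":
        return False, "BS set without BE; malformed authenticator data"
    if require_device_bound and kind != "device-bound":
        return False, f"credential is {kind}; policy requires device-bound passkeys"
    return True, f"accepted {kind} credential"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed test vector (assumption): prefix only, no attested data."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    rp = "example.com"  # assumed relying party ID
    samples = [
        ("hardware security key", FLAG_UP | FLAG_UV),
        ("platform synced passkey", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS),
        ("eligible, not yet synced", FLAG_UP | FLAG_UV | FLAG_BE),
    ]
    for label, flags in samples:
        ok, why = evaluate_registration(make_auth_data(rp, flags), rp)
        print(f"{label:26} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Run as-is, only the hardware security key is accepted; the other two are refused because a credential that is or can become backup-eligible is, by definition, not bound to the device. A relying party that wants to allow synced passkeys for low-risk populations can pass `require_device_bound=False` for those users while keeping the strict policy for administrators.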
While MFA significantly enhances security, it is not infallible. Attackers continually evolve their tactics to bypass authentication controls, making it critical for organizations to recognize and mitigate potential vulnerabilities.
- Social engineering attacks: Phishing and spear-phishing trick users into typing one-time codes into attacker-controlled pages or approving fraudulent authentication requests.
- Help desk exploitation: Attackers use social engineering to manipulate IT support staff into resetting MFA credentials or approving fraudulent access requests.
- Malware-based attacks: Keyloggers and remote access trojans (RATs) on the endpoint can capture one-time codes as they are typed, steal session cookies once MFA has completed, or drive the already-authenticated session directly, sidestepping the control entirely.
- SIM swapping: Attackers hijack a victim's phone number to intercept SMS-based MFA codes.
- Man-in-the-Middle (MitM) attacks, also called adversary-in-the-middle (AitM): A reverse-proxy phishing site relays the real login, including the MFA step, in real time and captures the resulting session token, so the attacker holds an authenticated session without ever needing the second factor again.
- MFA bombing or prompt bombing (MFA fatigue): Attackers overwhelm users with push-approval requests until they approve one, whether by mistake or just to make the prompts stop.
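The following is an added detection example, not code from the original page or from RSA, for the prompt-bombing pattern just described; it also illustrates the "monitor authentication requests in real time" guidance later on the page. It runs a sliding-window count of push prompts per user over a constructed sample of push-MFA provider events (the log format, user names, IP addresses and thresholds are assumptions for the demonstration) and raises one alert when a user's prompt count crosses the threshold and a second, higher-priority alert when an approval lands while that burst is still in the window, which is the signature of a fatigue attack that succeeded.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumption): one push-MFA event per line.
# Fields: timestamp, user, event, source IP.
# alice is bombed with six prompts in under three minutes and finally approves;
# bob is a normal login; carol sees three prompts and denies.
SAMPLE_LOG = """\
2024-03-01T08:00:00Z alice push_sent 203.0.113.7
2024-03-01T08:00:30Z alice push_sent 203.0.113.7
2024-03-01T08:01:00Z alice push_sent 203.0.113.7
2024-03-01T08:01:30Z alice push_sent 203.0.113.7
2024-03-01T08:02:00Z alice push_sent 203.0.113.7
2024-03-01T08:02:30Z alice push_sent 203.0.113.7
2024-03-01T08:02:40Z alice push_approved 203.0.113.7
2024-03-01T09:00:00Z bob push_sent 198.51.100.2
2024-03-01T09:00:10Z bob push_approved 198.51.100.2
2024-03-01T10:00:00Z carol push_sent 192.0.2.9
2024-03-01T10:01:00Z carol push_sent 192.0.2.9
2024-03-01T10:02:00Z carol push_sent 192.0.2.9
2024-03-01T10:02:20Z carol push_denied 192.0.2.9
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window
THRESHOLD = 5                   # assumed prompts per user per window before alerting


def parse_line(line: str) -> dict:
    """Split one record; timestamps are ISO-8601 with a trailing Z."""
    ts, user, event, src_ip = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "event": event, "src_ip": src_ip}


def detect_prompt_bombing(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window prompt count per user.

    Emits 'prompt_burst' once per burst when the count reaches the threshold,
    and 'approval_after_burst' for any approval that arrives while the user's
    window is still at or above the threshold.
    """
    recent = defaultdict(deque)   # user -> timestamps of push_sent inside the window
    in_burst = set()              # users already alerted for their current burst
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        user = rec["user"]
        q = recent[user]
        while q and rec["ts"] - q[0] > window:   # expire prompts outside the window
            q.popleft()
        if not q:
            in_burst.discard(user)               # window drained: a new burst may alert again
        if rec["event"] == "push_sent":
            q.append(rec["ts"])
            if len(q) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append({"type": "prompt_burst", "user": user,
                               "count": len(q), "ts": rec["ts"], "src_ip": rec["src_ip"]})
        elif rec["event"] == "push_approved" and len(q) >= threshold:
            alerts.append({"type": "approval_after_burst", "user": user,
                           "count": len(q), "ts": rec["ts"], "src_ip": rec["src_ip"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_LOG.splitlines()):
        print(f"{alert['ts'].isoformat()} {alert['type']:22} user={alert['user']} "
              f"prompts={alert['count']} src={alert['src_ip']}")
```

On the sample, only alice produces alerts: a `prompt_burst` at her fifth prompt and an `approval_after_burst` for the tap that followed. The second alert is the one that should page someone and revoke the new session, since by then the control has already been defeated. The detection is a backstop; the preventive fix is number matching or a phishing-resistant factor, so a blind "approve" is no longer possible.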
Examples of MFA security vulnerabilities include the 2022 Uber prompt bombing attack and the 2023 social engineering attacks that targeted Las Vegas resorts. These highlight how threat actors can exploit weak MFA implementations and other MFA security vulnerabilities. Organizations must adopt phishing-resistant authentication methods, such as RSA FIDO2-based passkeys and adaptive risk-based authentication, to counter these threats.
MFA alone is not enough; organizations must integrate it within a Zero Trust Architecture (ZTA) to ensure continuous verification of user identity and device security.
Zero Trust assumes no user or device is inherently trusted, requiring ongoing authentication and policy-based access controls. RSA's integration with Microsoft's Zero Trust framework allows enterprises to:
- Enforce least privilege access with adaptive risk-based MFA policies.
- Leverage phishing-resistant authentication like FIDO2 security keys and device-bound passkeys.
- Monitor authentication requests in real time to detect anomalies and prevent credential compromise.
To maximize security and compliance, organizations should consider the following best practices:
Choosing the right MFA solution
- Use phishing-resistant MFA, such as RSA FIDO2-based authentication or device-bound passkeys.
- Avoid SMS-based MFA due to vulnerabilities like SIM swapping.
- Implement hardware security keys for high-assurance authentication.
- Utilize modern authentication, which is designed to be passwordless, adaptive, and risk-aware. Modern authentication goes beyond traditional MFA by continuously verifying users throughout their session, not just at login. Modern authentication eliminates passwords, uses context and risk signals to strengthen security, and works seamlessly across cloud, hybrid, and on-premises environments.
Educating users on MFA security
- Train employees to recognize social engineering and phishing attacks targeting MFA.
- Enable self-service authentication recovery to reduce the IT support burden.
- Encourage users to report suspicious MFA prompts.
Continuous monitoring and auditing
- Deploy real-time identity threat detection to flag unusual authentication behavior.
- Regularly update MFA policies to address evolving cybersecurity threats.
- Conduct penetration testing to assess MFA resilience against attack methods.
By leveraging RSA EAM with Microsoft, organizations can achieve seamless, compliant, and highly secure MFA deployments while aligning with Zero Trust principles.
MFA is a critical pillar of modern identity security, but it must be deployed strategically to maximize protection against evolving threats. By understanding MFA requirements, aligning with compliance frameworks like DORA and NIS2, and integrating MFA within a broader Zero Trust framework, organizations can enhance security and mitigate authentication risks.
Contact RSA to learn more about how RSA provides a range of MFA solutions that meet global regulations and integrate into a broader identity security strategy.