When it comes to multi-factor authentication (MFA), it’s safe to say that not all MFA is created equal. We’re here to help you navigate the MFA maze and choose the best phishing-resistant MFA to protect against today’s sneakiest phishing attacks. Let’s dive into why having MFA is essential.
It’s no secret that we’re huge fans of multi-factor authentication. Call it 2-step verification (2SV) or two-factor authentication (2FA)—this security hero protects against a whole host of common attacks on user accounts. Back in 2018, the National Cyber Security Centre’s (NCSC) cybersecurity guidance came with a loud call to action: every organisation needed to roll out 2FA on any part of their corporate IT that connects to the internet. The goal? Simple: make it more challenging for attackers to break in.
Then, along came the cloud. As organisations moved their digital services online, these cloud-based setups opened more doors for potential threats and cyberattacks. That’s when the NCSC urged everyone to get serious by layering in phishing-resistant MFA. Fast forward to today, and we still see significant data breaches that could’ve been avoided with mandatory MFA.
MFA still makes a huge difference compared to relying solely on passwords. But here’s the twist: attackers have been evolving too. They’ve learned that a well-timed social engineering attack can trick users into not only giving up passwords but also bypassing some basic MFA protections. This rise in phishing attacks on MFA-protected accounts is why the NCSC has updated its MFA guidance, and we are now following suit to help organisations spot which types of MFA will hold up against modern phishing techniques. It’s all about choosing the right kind of armour.
Our updated MFA guidance for the Cyber Essentials certification process covers the strengths and weaknesses of different multi-factor authentication methods, but here’s the gist: you want phishing-resistant MFA. Strong authentication offers solid security without drowning users in constant prompts. That way, MFA doesn’t become a hassle people try to avoid (we’ve all been there). Instead, it pops up only when it’s genuinely needed—helping to avoid security fatigue.
For example, the NCSC now requires phishing-resistant MFA to access single sign-on services for corporate accounts as part of the Cyber Essentials assessment criteria. Thanks to mobile device management (MDM), phones and laptops automatically act as vital MFA factors, meaning users don’t face unnecessary login hoops. It’s secure multi-factor authentication without the stress.
Our guidance also includes a list of MFA anti-patterns—rookie mistakes that can weaken your security. By removing these pitfalls and following best practices for MFA, you can keep your security posture strong without creating extra headaches for users. If your organisation handles sensitive data or has roles requiring elevated access, we’ve also included specific MFA recommendations to help you protect administrative privileges effectively.
Here’s the reality check: attackers will keep coming, and authentication will remain a significant target. It’s not just about keeping the bad guys out; it’s also about making life easy for legitimate users trying to get in. As cybersecurity moves towards zero-trust architectures and passwordless solutions, more organisations are adopting these approaches to keep their defences robust and adaptive. Adding phishing-resistant MFA is one of the best ways to start future-proofing your organisation’s security.
So, remember: when it comes to multi-factor authentication, one size doesn’t fit all. Start with the strongest, phishing-resistant MFA options available, and your organisation will be well on its way to more secure, seamless, and innovative cybersecurity.