MFA Crash Course for 2025

Multifactor authentication (MFA) is essential in maintaining your personal and business information security. Protecting personal information, like account logins, financial details, social security numbers, and dates of birth, becomes much more effective when there are multiple barriers for an attacker to overcome before gaining access.

On a business level, implementing strong MFA practices helps protect any data in your business systems, often including client and project information, proprietary business information, government-protected data, and other information technology assets your business may have. In some cases, MFA can protect the physical security of your business systems, too.

 

What is MFA?

MFA is a process that requires users to present two or more forms of identification to access a system, an account, or other information that is locked behind credentials. If you have ever logged into an account using a password and were then required to enter another code (likely sent via SMS or email) or other personal information (like your date of birth) to finish logging in, you have used multifactor authentication.

 

What are some forms of authentication my business can use?

Authentication methods can come in the form of something you know, something you are, or something you have. Here are some examples of each:

  • Something you know may be a password or a PIN number.

  • Something you have may be an authenticator app on a mobile device, an SMS message, or a hardware token.

  • Something you are is a biometric key like a fingerprint or a face ID.

A company may require employees to use SSO, logging in with a password first (something you know), then using a FIDO2 passkey (something you have) to finish the authentication process. A company may also require employees to scan a security badge (something you have) and enter a PIN number (something you know) to enter a building.

 

MFA Recommendations

SKB Cyber encourages everyone to enable MFA on any account possible, both in personal and professional life! When enabling MFA, use authentication methods from at least two of the three categories whenever possible. An attacker can learn a password, a PIN number, or personal information. They cannot plug your FIDO2 key into their computer without having access to the physical device. Similarly, they cannot steal your fingerprint.

CrowdStrike asserts in its 2025 Global Threat Report that “organizations should consider using number matching or hardware-based FIDO2 devices, such as Yubikeys” to harden MFA security. Using these authentication methods can greatly reduce attackers’ ability to manipulate the MFA process.

Some authentication methods, like using SMS and email codes, are no longer recommended for use if other methods are available. Undoubtedly, using SMS and email codes is better than not having MFA enabled at all, but these methods can be intercepted much more easily than others. MFA fatigue occurs when the attacker spams MFA requests until the legitimate user accepts the fraudulent request. Attackers can also intercept both emails and SMS messages to steal MFA codes, allowing them free access to your accounts. Using an app on your phone, like the Google or Microsoft Authenticator app, is much more secure than using SMS or email to receive codes.
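The recommendations above can be checked mechanically. The following is an added example, not SKB Cyber's own tooling: it audits enrolled login methods for the "at least two of the three categories" rule and flags SMS and email codes. The method labels, function names and sample accounts are constructed for illustration.

```python
# Added example: names, method labels and sample accounts are constructed.
from dataclasses import dataclass, field

# Factor category for each method: something you know / have / are.
# Treating an emailed code as "have" is an assumption of this example.
CATEGORY = {
    "password": "know", "pin": "know", "date_of_birth": "know",
    "sms_code": "have", "email_code": "have", "authenticator_app": "have",
    "fido2_key": "have", "security_badge": "have",
    "fingerprint": "are", "face_id": "are",
}
INTERCEPTABLE = {"sms_code", "email_code"}  # codes delivered over SMS or email

@dataclass
class Finding:
    account: str
    categories: set
    issues: list = field(default_factory=list)

    @property
    def ok(self):
        return not self.issues

def audit(account, methods):
    """Check one account's enrolled login methods against the guidance."""
    enrolled = set(methods)
    unknown = sorted(enrolled - set(CATEGORY))
    if unknown:
        raise ValueError(f"unclassified methods: {unknown}")
    finding = Finding(account, {CATEGORY[m] for m in enrolled})
    if len(enrolled) < 2:
        finding.issues.append("single factor: MFA not enabled")
    elif len(finding.categories) < 2:
        finding.issues.append("all factors share one category")
    weak = sorted(enrolled & INTERCEPTABLE)
    if weak:
        finding.issues.append("interceptable method: " + ", ".join(weak))
    return finding

# Constructed sample enrollments.
ACCOUNTS = {
    "alice": ["password", "fido2_key"],
    "bob": ["password", "date_of_birth"],
    "carol": ["password", "sms_code"],
    "dave": ["password"],
}

if __name__ == "__main__":
    for name, methods in ACCOUNTS.items():
        f = audit(name, methods)
        print(name, "OK" if f.ok else "; ".join(f.issues))
```

Note that a password plus a date of birth is two steps but only one category, so the audit flags it even though two pieces of information are requested.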

 

Why is Hardened MFA Important?

As cybersecurity strategies evolve, so do attackers’ abilities. Attackers are adapting to cybersecurity experts’ advice to implement MFA wherever possible and finding ways around the barriers (CrowdStrike). If you or your business have MFA enabled on accounts already, the MFA methods employed may not be as effective as they once were. As cyber criminals adapt to security measures, users also need to adapt to keep personal and business IT assets (including sensitive data and personal information) safe.

The average cost of a data breach in the United States, according to IBM’s Cost of a Data Breach Report 2025, is $10.22M, which is a record high for the US. Not only is a data breach costly to remediate, but it can also be costly in lost business, loss of customer or benefactor trust, and legal repercussions. For individuals, identity theft can contribute to a slew of issues: financial strain, a damaged credit score, the headache of reporting identity theft to the proper authorities, and more. The effects of identity theft can follow an individual for years.

Protecting personal and business information goes far deeper than just adopting strong MFA habits. However, hardening MFA (or implementing its use at all) is a practical and accessible step that can improve security posture regardless of who the user is.

 

For more information, or for help hardening your MFA, contact SKB Cyber at skbinfo@skbcyber.com.
