Looking back at the early 2024 data breach at Change Healthcare — a provider of revenue and payment cycle management that connects payers, providers, and patients within the U.S. healthcare system — one key detail stands out: Initial access into the healthcare system’s network was much easier due to a lack of multi-factor authentication (MFA).
As organizations increasingly rely on credential-based applications, in part due to the rise of the cloud, SaaS applications, and hybrid work models, protecting those points of access becomes a critical component of any cybersecurity strategy. And, as the Change Healthcare data breach highlights, a simple access control like MFA can act as a major barrier to keeping threat actors at bay.
What is Multi-Factor Authentication?
Multi-factor authentication (MFA) is an access control mechanism that adds a layer of security to application logins and user access by making users verify their identities beyond the typical username and password combination. As the name suggests, this control involves multiple forms of authentication, which are commonly something you have, such as a token or a mobile device; something you know, such as the answer to a security question or secondary password; or something you are, such as your fingerprint or another biometric trait.
MFA works by verifying the identity of the user trying to gain access to an application, network, asset, or endpoint, ideally preventing a threat actor from gaining unauthorized access. An example of how MFA operates would be a scenario in which a user needs to log in to a common application used daily in their workplace. The user would enter a valid credential, and then would be prompted to provide a secondary form of authentication, intended to verify the user is who they claim to be with the credentials they have entered. As mentioned above, this verification can take many forms. Common verification measures include an out-of-brand authentication approval (e.g. the user approves the login on a mobile app or via a phone call) or answering a series of security questions. Only once that step is completed will access to the application be granted.
The security-focused idea behind MFA is to harden the authentication process, specifically by not solely relying on usernames and passwords. If credentials are compromised and fall into the hands of a threat actor, MFA will often prevent the threat actor from gaining access because credentials alone aren’t enough to achieve a successful login. Plus, if MFA access monitoring is in place, the organization’s security team will be alerted to a suspicious and/or failed login attempt.
It should be noted that not all MFA technology is created equal, and that access control is not infallible. While we’ll discuss 2FA, a variation of MFA, below, other legacy MFA tools can create a false sense of security. Arctic Wolf recommends an organization deploy “phishing-resistant MFA,” based on the FIDO2 set of specifications. Phishing-resistant MFA tools utilize hardware tokens (FIDO security keys), biometric authentication, and certificate-based authentication measures to verify an identity.
Types of Multi-Factor Authentication
MFA is broken down into four kinds of authentication factors:
- Knowledge factor: This relies on what the user knows, such as the answer to a security question or a password
- Possession factor: This relies on an another item (physical or virtual) the user has, such as a phone or badge
- Inherent factor: This relies on traits of the user, such as their fingerprint or a retina scan
- Behavioral factor: This relies on the user’s behavior, specifically how they interact with their endpoint, such as typing patterns or mouse movements
Common types of MFA include:
- A fingerprint or face scan (like the one used by recent models of iPhones to unlock devices)
- Third-party applications like Okta that a user must access to authenticate their identity
- Hardware tokens, physical devices, or software tokens which require an action for authentication
- Secondary passwords or security questions that can only be answered by the user
- Links or verification codes that are sent to an email account or mobile device and must be clicked for authentication
MFA continues to evolve alongside changes in both the IT environment and overall attack surface. Two newer forms of MFA designed to combat credential-based attacks include adaptive MFA and passwordless MFA.
Adaptive MFA is dynamic and utilizes contextual information to determine which authentication factors to apply to a given user and when. The information used by the application to make this determination can include geo-location, time of day, previous logins, the user account, failed login attempts, and more. For example, if a remote employee is traveling for a week, the MFA application can apply more stringent or extra authentication factors to combat the added risk of travel.
Passwordless MFA removes passwords altogether, replacing the credential-based authentication factor with other, more secure factors such as those mentioned above. Passwordless MFA reduces the risk of unauthorized access, as there are no credentials for a threat actor to steal or compromise.
MFA vs. 2FA vs. SSO
While there are multiple kinds of MFA authentication types, MFA is not that same as two-factor authentication (2FA), nor is it the same as single sign-on (SSO). 2FA is a form of MFA, but 2FA only requires one additional form of authentication and verification beyond credentials (for a total of two), whereas MFA can, and often does, involve more than those two. From an application standpoint, 2FA only allows for one verification method to be implemented, but an MFA application often allows security teams to implement multiple methods as desired. This doesn’t mean that an MFA application will always require more than two verification methods, but more so that the option is available for security teams to implement as needed.
SSO is an access management solution, not a form of access control. SSO allows a user to employ a single identity to access multiple applications. Access is provided through a centralized hub, which requires just a single set of credentials. SSO is intended to reduce the number of user logins and add connivence to access management, whereas MFA is intended to increase access security.
MFA should be used with SSO to ensure proper access control to any application that falls under the SSO hub. This prevents a serious intrusion if an SSO application is hacked or access is granted to a threat actor through an SSO hub.
Where MFA Falls Short: MFA Fatigue Attacks
MFA fatigue attacks, also referred to as prompt bombing, push bombing, or notification fatigue attacks, refers to the overload of prompts or notifications a target receives via MFA applications during a threat actor’s targeted attack on their access to an environment.
If a user’s credentials have been compromised by a threat actor but the application, network, or asset those credentials unlock is protected by MFA, that threat actor may turn to an MFA fatigue attack – continually prompting the user with MFA notifications, hoping they accept the prompt out of frustration, confusion, or both . These kinds of attacks are most successful when the secondary authentication measure comes in the form of a mobile phone application prompt.
Learn more about MFA fatigue attacks and how to prevent them from occurring at your organization.
The Value of MFA in Cybersecurity
In the modern working world, protecting every access point, and keeping up with the addition and removal of identities as team members join or leave the organization can be difficult for even the best-resourced organizations.
Adding to this difficulty is the adaptability of threat actors, who are consistently exploiting weaknesses in this corner of the attack surface to gain a foothold in organizations’ environments. Just look at Arctic Wolf data as evidence: 18.9% of business email compromise (BEC) cases investigated by Arctic Wolf Incident Response in 2024 began with compromised credentials, and over 20% of ransomware cases originated with compromised VPN credentials.
While MFA can’t stop every kind of attack, it can slow down threat actors, alert security teams to suspicious user or access behavior, and prevent a threat from turning into an incident. For example, in The State of Cybersecurity: 2025 Trends Report, Arctic Wolf found that 56% of organizations that experienced a significant cyber attack in 2024 did not have MFA implemented at the time of the incident.
Key benefits of multi-factor authentication include:
1. Increased identity and access security
2. Improved access management across a user base
3. Increased security of edge devices, applications, and cloud environments that rely on credentials for access
4. Reduced risk of password or credential compromise
5. Reduced risk of password fatigue among users
6. Customization based on an organization’s security needs
7. Compatibility with SSO technology and solutions
8. Scalability based on user, business, or security changes
9. The ability to meet multiple compliance requirements for common frameworks
10. The enabling of secure, remote access for hybrid or remote employees
Arctic Wolf® and Multi-Factor Authentication
Cybersecurity should always be a holistic practice, and access security is a key component of that – including wide-ranging implementation of MFA within the environment. Arctic Wolf’s Concierge Security® Team is here to help your organization not only identify and assess access risk points in your organization, but also help you implement MFA as needed. Additionally, Arctic Wolf® Managed Detection and Response, powered by the Aurora™ Platform, ingests and covers identity sources of telemetry for around-the-clock monitoring of both identity sources and access points. Arctic Wolf’s technology integrates with multiple well-regarded access control and identity and access management (IAM) solutions, including Okta and Zscaler. All of these defenses are supported by Arctic Wolf Managed Security Awareness®, a tailor-made, microlearning-focused, security awareness program designed to reduce human risk while empowering users to recognize access-related threats.
Learn more about how a security awareness training solution can reduce human risk in your organization.
Explore the role access plays in the modern-day threat landscape with the Arctic Wolf 2025 Threat Report.
