MFA matters… But it isn’t enough on its own

Unprotected usernames and passwords offer little defense against account takeover attacks. Multi-factor authentication (MFA) has quite rightly become the de facto standard for strengthening access controls.

There’s a reason almost all cybersecurity guidelines recommend it – Microsoft research suggests that enabling MFA can block over 99% of automated credential-stuffing and phishing attacks.

Yet even the best MFA implementations leave a critical gap: weak, reused or compromised passwords. When an attacker bypasses or circumvents MFA (whether by tricking a user into approving a push notification or exploiting a fallback) those same poor passwords become the attacker’s key to your systems.

That’s why a layered approach to identity security must include both robust password hygiene and MFA on every login point.

The benefits of MFA are undeniable

Before we explore why passwords still matter, let’s briefly recap what MFA brings to the table:

1. An extra barrier to entry: Even if an attacker steals or guesses your password, they still need a second factor (like a one-time code or biometric scan) to complete the login.
2. Phishing resilience: MFA tokens and push-based approvals raise the bar for credential-harvesting campaigns. Stealing a password alone isn’t enough.
3. Regulatory alignment: Standards such as NIST recommend MFA for sensitive or high-value accounts. Implementing it helps meet compliance mandates in finance, healthcare, government, and beyond.
4. User confidence: When employees or customers know their accounts are protected by more than just a password, trust and engagement often rise.
5. Cost avoidance: The upfront investment in MFA pays dividends in prevented breach costs—legal fees, incident response, brand damage and more.

Why MFA alone can leave you exposed

Despite its strengths, MFA is not a silver bullet and it can be bypassed. Overreliance on it can lull organizations into complacency around the most basic authentication factor: the password. Layered defense depends on each layer holding its weight, and a password is the entry point for the MFA challenge.

If that password is weak, reused or already known to attackers, they’re one step closer to breaching your perimeter.

Lost or broken devices, forgotten tokens and service-desk resets often revert back to password-only access. Without a strong password policy, these “break-glass” scenarios become easy entry points. User behavior also doesn’t change overnight – organizations that adopt MFA without reinforcing password education frequently see users continue to pick weak or predictable passwords.

This undermines one of your strongest defenses.

On top of that, MFA itself can be targeted. Techniques such as SIM swapping, MFA prompt bombing, and social engineering around help-desk procedures can trick users or staff into approving fraudulent logins.

Five tactics attackers use to bypass MFA

1. MFA fatigue attacks (also known as MFA prompt-bombing). By triggering dozens of push notifications in quick succession, attackers wear down victims until they approve “just to make it stop.”
2. SIM swap & SMS hijack. Defaulting to SMS-based one-time codes exposes users to mobile-network attacks that hand control of the second factor over to the adversary.
3. Social engineering at the help desk. Impersonating a locked-out user, an attacker convinces support staff to disable MFA or reset credentials, often using nothing more than a plausible story. For example, the recent major hack on MGM Resorts.
4. Session hijacking & token theft. Cookies and session tokens can be intercepted or stolen through malware and man-in-the-middle exploits, letting attackers bypass both passwords and MFA.
5. Exploiting backup methods. Forgotten-password questions, recovery codes and email resets frequently lack the rigor of primary MFA channels, creating alternative pathways into accounts.

Layering strong passwords and MFA

No single control can stop every attack. By pairing comprehensive password defenses with robust MFA on every critical system (Windows logon, VPNs, remote desktop, cloud portals and more) you create multiple hurdles for adversaries to overcome. Even if one layer is bypassed, others remain to block or detect the intrusion.

To harden your defenses, incorporate these best practices:

• Enable MFA: If you haven’t already, this is the obvious place to start. Consider a simple, effective MFA solution such as Specops Secure Access that can protect Windows Logon, VPNs, and RDP connections.
• Enforce minimum length and complexity. Require at least 15 characters, as length offers the best protection against brute-force techniques. Passphrases are the best way to get users to create strong, long passwords.
• Block known-compromised credentials. Integrate real-time checks against breach-compiled lists to prevent users from choosing passwords that have already appeared in data leaks. Specops Password Policy blocks the creation of weak passwords and continuously scans your Active Directory for over 4 billion breached passwords. Book a free trial today.
• Protect your service desk. Solutions such as Specops Secure Service Desk enforce a secondary MFA challenge to confirm the identity of anyone contacting your service desk.
• Monitor for unusual login patterns. Combine password and MFA logs to detect anomalies—like logins from unfamiliar locations or devices—and trigger step-up authentication when needed.

MFA dramatically reduces the risk of unauthorized access, but it should never replace strong password hygiene.

Treat passwords as the important security layer they are. Enforce policies that keep them long, unique, and uncompromised – then add MFA as the critical second line of defense.

Together, they form a resilient authentication strategy that will keep your organization and your end users far safer.

Need advice on MFA or password security? Get in touch.

Sponsored and written by Specops Software.