concept#Security#Integration#Platform#Software Engineering

Multi-Factor Authentication (MFA)

A security principle that strengthens authentication by requiring multiple independent factors, e.g. knowledge, possession, or biometric attributes.

Multi-factor authentication (MFA) is a security approach that strengthens identity verification by requiring two or more independent factors such as knowledge, possession, or inherence.

Maturity

Established

Cognitive loadMedium

Classification

ComplexityMedium
Impact areaOrganizational
Decision typeArchitectural
Organizational maturityIntermediate

Technical context

Integrations

Single Sign-On (SAML, OIDC)Identity providers (Azure AD, Keycloak, Okta)SIEM and monitoring systems

Principles & goals

Principles

Minimum necessary factors: use only as many factors as required.Defense in depth: MFA complements, it does not replace other security controls.Consider usability: user acceptance is critical to effectiveness.

Value stream stage

Run

Organizational level

Enterprise, Domain, Team

Use cases & scenarios

Use cases

Scenarios

Compromises

Risks

SIM swapping for SMS-based factors.
Loss of hardware tokens without robust emergency processes.
Misconfigurations that render MFA bypassable.

Best practices

Favor phishing-resistant factors (e.g. FIDO2) over SMS.
Use adaptive MFA to balance usability and security.
Implement clear emergency and recovery procedures.

I/O & resources

Inputs

Existing identity directory (LDAP, AD, IdP)
List of supported authentication factors
Risk policies and compliance requirements

Outputs

Active MFA policy and configuration sets
Audit logs with second-factor events
Reports on adoption and effectiveness

Resources

Description

Multi-factor authentication (MFA) is a security approach that strengthens identity verification by requiring two or more independent factors such as knowledge, possession, or inherence. MFA reduces the risk of credential compromise and aids regulatory compliance. Implementation requires integration with identity providers and balancing security, usability, and operational cost.

✔Benefits

Significant reduction of account takeover via stolen passwords.
Supports regulatory and compliance requirements.
Increased traceability and forensic capability for authentication events.

✖Limitations

Not all factors are equally secure (e.g. SMS vs. hardware tokens).
Implementation can introduce additional operational overhead.
User acceptance can suffer with poor UX and lead to workarounds.

Trade-offs

Metrics

Share of MFA-enabled accounts
Percentage of users who have enabled MFA.
Number of prevented account takeovers
Detected or prevented takeover attempts after MFA rollout.
Support tickets for lost factors
Number relative to user base requiring help for lost factor.

Examples & implementations

MFA via TOTP for internal tools

A team introduces TOTP authenticators for internal web apps and connects them to existing SSO.

Hardware tokens for admin accounts

U2F/HSM-backed hardware tokens are mandated for privileged accounts.

Push-based MFA with mobile device

Users confirm login requests via push notifications from a trusted authenticator client.

Implementation steps

Inventory existing authentication flows and IdPs.

Risk-based selection of appropriate authentication factors.

Define mandatory policies and exception rules.

Technical integration with IdP/SSO and testing in pilot groups.

Rollout with user communication, training, and support processes.

⚠️ Technical debt & bottlenecks

Technical debt

Legacy systems lacking MFA support that require workarounds.
Temporary exception accounts not cleaned up.
Incomplete logging integration for factor events.

Known bottlenecks

Legacy systems: old systems lacking MFA supportUser acceptance: resistance to extra stepsSupport load: increased helpdesk requests during rollout

Misuse examples

Accepting SMS codes as sole protection for admin accounts.
Storing backup codes in unencrypted notes.
Allowing long-term exceptions without review.

Typical traps

Overestimating the security of SMS or email factors.
Insufficient procedures for factor loss or rotation.
Lack of integration into audit and incident processes.

Required skills

Identity and access management knowledgeBasic understanding of authentication protocols (OIDC, SAML, OAuth)Operational and support skills for token management

Architectural drivers

Protection of critical data and resourcesCompliance requirements and regulatory mandatesIntegration with identity providers and SSO

Constraints

• Legal constraints regarding biometric data handling
• Technical limitations of legacy applications
• Budget constraints for tokens, services, and integration