

You’ve probably heard a lot about multi-factor authentication (MFA) in the past year or so and have been thinking about implementing it in your business. But then you get busy and push it to the back of your mind.

Well, we’re here to tell you—nay, implore you—that that’s a mistake. Multi-factor authentication is a crucial security measure that’s more important now than ever, and if you’re not already using it, you’re putting your business at risk.

In this article, we’ll explain how multi-factor authentication works, why you should enable it (and not ignore it), and how it can help protect your company from increasingly unrelenting online attacks. We’ll also provide some multi-factor authentication recommendations and explain what to do if you or one of your employees is targeted by an MFA attack. Finally, we’ll look at an option to replace password-based environments altogether, to eliminate the inherent risks of passwords.


For those who are unfamiliar, multi-factor authentication—also known as two-factor authentication—is an extra layer of security that requires more than just a username and password to access your account or device. That could be something as simple as a one-time code that’s been texted or emailed to you, or it could be a more sophisticated biometric factor like facial recognition or fingerprint scanning. If you’ve ever had to enter a six-digit code to access one of your accounts, then you’ve participated in MFA.


We’re all familiar with the basic username and password login protocol. You enter your credentials, the system checks to see if they match what’s on file, and—voilà!—you’re in.

With multi-factor authentication, that process is a little different. After you enter your username and password, you’ll be required to provide an additional piece of information before being granted access. The important thing to remember is that this second factor must come from a device separate from the one you’re using to log in. That way, even if a hacker has your login credentials, they won’t be able to get into your account unless they also have access to your smartphone (or another pre-authorized device).

In the event that you don’t have your phone with you—say, you’re traveling and forgot it in your hotel room—most MFA systems will allow you to generate a one-time code on another device, like a laptop or tablet. Once you’ve used that code, it becomes invalid and can’t be used again, so there’s no way for a hacker to guess their way into your account.


One of the most common cybersecurity myths is that if you use a complex password, you aren’t at risk. While complex passwords are certainly a great idea, it isn’t true that they can’t be cracked—and it happens more often than you think. MFA, on the other hand, is far more secure.

According to Verizon’s 2019 Data Breach Investigations Report, using multi-factor authentication can block up to 99.9% of automated bot attacks and 100% of phishing attacks. That’s because, as we mentioned before, MFA requires that you have more than just a username and password to access your account; you need another piece of information that’s coming from a separate device—something no typical hacker will be able to procure.


Multi-factor authentication is an important security measure for any business, but it’s especially critical for businesses that deal with sensitive customer data, like healthcare organizations and financial institutions. That’s because MFA can help you meet (and exceed) compliance requirements, like those set forth by the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS is a set of 12 security standards designed to protect businesses and their customers from credit card fraud. One of the PCI DSS requirements is two-factor authentication for remote access to systems that handle credit card information. By enabling MFA, you can help ensure that your business complies with this important regulation.


There are several different ways to add multi-factor authentication to your login process. Choosing the right method for your business will ultimately depend on your preferences, hardware availability, and desired level of convenience.

1. Send a one-use code

The most common method is to have a temporary code texted or emailed to you whenever you try to log in. This is by far the least convenient option, as it requires you to have your phone with you at all times, but it’s still an effective and simple way to add an extra layer of security to your login process.

2. Use an authenticator app

Another popular option is to use a one-time code that’s been generated by an authenticator app, like Authy or Google Authenticator. The benefit of these is that you can use them even if you don’t have your phone with you, as long as you have another device (like a laptop or tablet) that can connect to the internet. It also keeps your inbox from getting stuffed with a bunch of used codes.

3. Implement a biometric scanner

For an even higher level of security, you can add a biometric scanner to your login process. This could be a fingerprint scanner, iris scanner, or even a facial recognition system. While this technology is becoming more and more common—especially on newer smartphone models—the downside is that it requires users to have the necessary hardware on their devices, which not everyone does.

4. Utilize a hardware token

For maximum security, you can use what’s called a hardware token, which is a physical device that generates one-time codes. These are often used by businesses that deal with highly sensitive data, such as financial institutions.


If you’re targeted by an MFA attack, the best thing you can do is report it to your IT team or security provider immediately. They’ll be able to investigate the attack and take steps to prevent it from happening again in the future. Don’t have a dedicated cybersecurity team at your back? We can help!

What does an MFA attack look like?

Multi-factor authentication attacks come in many different forms, but the most common type is called a phishing attack. In a phishing attack, hackers will send you an email or text message that looks like it’s from a trusted source, like your bank or credit card company. The message will include a link that takes you to a fake website that’s designed to look like the real thing.

Once you’re on the fake website, the hacker will try to trick you into entering your username and password, as well as the one-time code that’s been generated by your authenticator app. If they’re successful, they’ll gain access to your account and all of the sensitive data that’s stored there.

To protect yourself from phishing attacks, it’s important to be aware of the signs that an email or text message is not from a trusted source. These can include misspellings, grammatical errors, and unfamiliar sender information. If you’re ever unsure about the validity of a message, it’s best to err on the side of caution and reach out to the supposed sender directly to confirm its authenticity.


Multi-factor authentication certainly improves security, and in a password-based environment, you would not want to go without it. But is there a better way?

Passwords are inherently insecure, and multi-factor authentication simply strengthens an already weak equation. The best way forward is a login experience without password authentication.

Whizkids delivers a seamless passwordless experience, utilizing device registration and an eco-system of partners to fit every passwordless use case. The end result is a completely password-free login experience that works on any device across all browsers, desktop applications, and native mobile applications. Implementing a passwordless environment is a key component of Whizkids’ cybersecurity IDaaS product.


Multi-factor authentication is a powerful tool that can help protect your business from a variety of cyber-attacks, but it’s only effective if it’s used properly. By understanding how MFA works and what your options are, you can make sure it’s implemented properly to help keep your business—and your customers’ data—safe from harm.

Unfortunately, MFA is only one piece of an overall cybersecurity strategy. To benefit from full online protection through a single point of control, learn more about Whizkids’ Identity as a Service (IDaaS) solution. And for more tips on how to stay safe online, check out our complete guide to Cybersecurity Awareness Month.