March 2, 2026

What is the Model Context Protocol (MCP)?

Multi-factor authentication (MFA) is a security control that requires users to verify their identity using two or more independent factors before gaining access to an account or system.

Main takeaways

  • MFA significantly reduces the risk of account compromise from stolen credentials—but it doesn't protect session tokens, OAuth grants, or other access pathways that persist after the initial login.
  • Not all MFA is equal: TOTP codes and push notifications are susceptible to phishing and fatigue attacks; phishing-resistant methods like passkeys and hardware security keys offer meaningfully stronger protection.
  • MFA fatigue—bombarding users with push approval requests until they accept one out of frustration—has become a reliable account takeover vector against push-based MFA implementations.
  • In SaaS environments, MFA enforced at the identity provider layer doesn't cover shadow apps, personal accounts, or OAuth-connected integrations employees access outside SSO.
  • MFA is necessary but not sufficient: it secures the login door while leaving side doors—unsanctioned apps, stale OAuth tokens, persistent sessions—unaddressed.

What is MFA?

The challenge MFA addresses is fundamental: passwords alone are a weak authentication factor. They're stolen in data breaches, guessed through credential stuffing, and surrendered through phishing—often without the account owner realizing it until the damage is done. MFA adds friction at the authentication point by requiring something additional—a one-time code, a hardware token, a biometric—that an attacker who has only the password cannot easily provide.

The core principle is independence. Authentication factors are typically categorized as something you know (password, PIN), something you have (hardware token, mobile device), and something you are (fingerprint, face scan). The value of combining factors comes from their independence: compromising one shouldn't compromise the others.

Types of MFA and their tradeoffs

Not all MFA implementations provide the same level of protection:

  • SMS codes—Widely supported but susceptible to SIM-swapping attacks and interception. Better than nothing; not a strong control.
  • TOTP (Time-based One-Time Passwords)—Authenticator app codes that rotate every 30 seconds. Resistant to replay attacks, but vulnerable to real-time phishing that intercepts the code before it expires.
  • Push notifications—Convenient, but vulnerable to MFA fatigue attacks where users are spammed with requests until they approve one.
  • Passkeys / FIDO2 hardware keys—Phishing-resistant by design. Authentication is tied to the specific origin, so a phishing site cannot capture a valid credential. The strongest widely available MFA option.
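The difference between the TOTP and passkey rows above, shown in code. This is an added example, not code from the original glossary entry or from Nudge Security: the TOTP seed, credential key, challenge and relying-party origin are constructed sample values, and an HMAC stands in for the asymmetric signature a real FIDO2 authenticator produces. A TOTP verifier only checks that the code matches the current time window, so it cannot tell where the user typed it; a FIDO2-style verifier checks the origin the browser reported inside the signed data, so a look-alike site gets a signature the real site refuses.

```python
import hashlib
import hmac
import struct
# Constructed sample values; a real deployment holds a per-user TOTP seed and a
# per-credential asymmetric key pair registered with the relying party.
TOTP_SEED = b"constructed-totp-seed"
CRED_KEY = b"constructed-credential-key"
RP_ORIGIN = "https://login.example.com"  # assumed relying-party origin

def totp(seed: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", t // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(seed: bytes, code: str, t: int, step: int = 30) -> bool:
    """Server check against the current step and one either side for clock drift. The
    code carries nothing about where it was typed, so any copy inside the window passes."""
    return any(hmac.compare_digest(totp(seed, t + d * step), code) for d in (-1, 0, 1))

def sign_assertion(key: bytes, challenge: bytes, origin: str) -> dict:
    """Authenticator side of a FIDO2-style assertion: the signed data covers the RP's
    challenge and the origin the browser reports (HMAC stands in for the real signature)."""
    client_data = f"{origin}|{challenge.hex()}".encode()
    return {"client_data": client_data, "sig": hmac.new(key, client_data, hashlib.sha256).digest()}

def verify_assertion(key: bytes, assertion: dict, challenge: bytes,
                     expected_origin: str = RP_ORIGIN) -> bool:
    """Relying-party check: origin and challenge must match before the signature counts."""
    origin, challenge_hex = assertion["client_data"].decode().split("|", 1)
    if origin != expected_origin or challenge_hex != challenge.hex():
        return False
    expected = hmac.new(key, assertion["client_data"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])

def compare_factors(now: int = 1_700_000_000) -> dict:
    code = totp(TOTP_SEED, now)
    challenge = b"constructed-challenge"
    return {
        # The same code presented 10 s later, from anywhere, is indistinguishable.
        "totp_code_reused_in_window": verify_totp(TOTP_SEED, code, now + 10),
        "totp_code_after_window": verify_totp(TOTP_SEED, code, now + 120),
        "passkey_genuine_origin": verify_assertion(
            CRED_KEY, sign_assertion(CRED_KEY, challenge, RP_ORIGIN), challenge),
        # A look-alike origin is signed as the browser reports it and rejected by the RP.
        "passkey_lookalike_origin": verify_assertion(
            CRED_KEY, sign_assertion(CRED_KEY, challenge, "https://login-example.net"), challenge),
    }
```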

Where MFA falls short

MFA governs the authentication event. It says nothing about what happens after the user is authenticated.

In a SaaS-heavy environment, authentication is only one part of the access picture. An employee who authenticates via MFA may have also granted dozens of OAuth applications access to their accounts—access that persists indefinitely and doesn't require re-authentication. Session tokens may be cached across devices and networks. Applications accessed outside SSO have their own credential stores that MFA at the IdP layer doesn't touch.

The result is an environment where the front door is locked and monitored, while multiple side doors remain ungoverned. MFA is foundational, but the organizations treating it as sufficient are leaving significant exposure unaddressed.
