Multi-Factor Authentication
A password alone is not enough to secure a cloud account. Passwords get stolen, guessed, leaked in data breaches, and shared carelessly. Multi-Factor Authentication — MFA — adds one or more extra steps to the login process, so a stolen password alone cannot open the door.
The ATM Analogy
When you use an ATM, you need two things: your physical bank card (something you have) and your PIN (something you know). Even if someone learns your PIN, they cannot access your account without the card. Even if they steal your card, they cannot use it without the PIN. MFA applies this same logic to cloud accounts.
The Three Authentication Factors
Something You Know
This is information only you should know — a password, a PIN, or a security question answer. This is the factor most commonly used alone, and the weakest on its own because it can be guessed, stolen, or phished.
Something You Have
This is a physical object — a smartphone with an authenticator app, a hardware security key (like a YubiKey), or a one-time code sent to your phone via SMS. An attacker sitting thousands of miles away cannot easily fake having your phone in their hand.
Something You Are
This is a biometric — a fingerprint, face scan, or voice print. This factor is tied directly to your physical body. It is hard to steal, though not impossible to spoof on weak implementations.
MFA Login Flow:
----------------------------------------------
Step 1: Enter username + password ← Something You Know
|
▼
Step 2: Enter 6-digit code from app ← Something You Have
|
▼
Access Granted
----------------------------------------------
Attacker has stolen password:
Step 1: Enters stolen password ← Succeeds
Step 2: Needs your phone app code ← FAILS
Access Denied
Types of MFA Methods
Authenticator Apps
Apps like Google Authenticator, Microsoft Authenticator, and Authy generate a time-based 6-digit code that refreshes every 30 seconds. You open the app and type the code after your password. This method is free and works without internet or SMS.
SMS One-Time Codes
A text message delivers a code to your phone number. This is convenient but weaker than an authenticator app. Attackers can intercept SMS via SIM-swapping — a social engineering attack where they convince your carrier to transfer your phone number to their device.
Hardware Security Keys
A physical USB or NFC device you plug in or tap to authenticate. Hardware keys like YubiKeys are highly resistant to phishing because they cryptographically verify the website you are logging into. Even if you are tricked into visiting a fake login page, the key refuses to authenticate.
Push Notifications
An app on your phone shows a prompt asking "Did you just try to log in?" You tap Approve or Deny. This is easy to use but vulnerable to MFA fatigue attacks — where an attacker floods your phone with approval requests hoping you accidentally tap Approve.
MFA Fatigue Attack
MFA fatigue is a newer attack. An attacker steals your password, then sends dozens of MFA push notification requests in rapid succession — often in the middle of the night. A tired or annoyed user eventually taps Approve just to stop the notifications. The attacker gets in. The defense is to use number-matching prompts (where you must type a number shown on screen into the app) rather than simple approve/deny buttons.
Enforcing MFA Across Your Cloud
Most cloud platforms let you make MFA mandatory for all users. Configure your IAM policies to require MFA for any login — especially for accounts with elevated permissions. Any account without MFA is a single point of failure.
MFA Prioritization Guide
| Account Type | Recommended MFA Method |
|---|---|
| Root / Global Admin | Hardware security key (mandatory) |
| Cloud Admin accounts | Authenticator app or hardware key |
| Developer accounts | Authenticator app |
| General staff accounts | Authenticator app or push notification |
| Service accounts | Certificate-based auth (not MFA) |
Key Terms to Know
- TOTP: Time-Based One-Time Password — the 6-digit code generated by authenticator apps.
- SIM Swapping: An attack where a criminal tricks a mobile carrier into transferring your phone number to their SIM card.
- MFA Fatigue: Overwhelming a user with repeated authentication requests until they approve one accidentally.
- Phishing-Resistant MFA: Methods like hardware keys that cannot be defeated by fake login pages.
What You Learned
MFA requires a user to verify their identity using two or more independent factors — something they know, something they have, or something they are. Authenticator apps and hardware keys provide stronger protection than SMS codes. MFA fatigue attacks exploit user frustration, and number-matching prompts defend against them. Enforcing MFA on all cloud accounts — especially admin accounts — is one of the most impactful security decisions you can make.
