Multi-Factor Authentication

A password alone is not enough to secure a cloud account. Passwords get stolen, guessed, leaked in data breaches, and shared carelessly. Multi-Factor Authentication — MFA — adds one or more extra steps to the login process, so a stolen password alone cannot open the door.

The ATM Analogy

When you use an ATM, you need two things: your physical bank card (something you have) and your PIN (something you know). Even if someone learns your PIN, they cannot access your account without the card. Even if they steal your card, they cannot use it without the PIN. MFA applies this same logic to cloud accounts.

The Three Authentication Factors

Something You Know

This is information only you should know — a password, a PIN, or a security question answer. This is the factor most commonly used alone, and the weakest on its own because it can be guessed, stolen, or phished.

Something You Have

This is a physical object — a smartphone with an authenticator app, a hardware security key (like a YubiKey), or a one-time code sent to your phone via SMS. An attacker sitting thousands of miles away cannot easily fake having your phone in their hand.

Something You Are

This is a biometric — a fingerprint, face scan, or voice print. This factor is tied directly to your physical body. It is hard to steal, though not impossible to spoof on weak implementations.

MFA Login Flow:
----------------------------------------------
Step 1: Enter username + password   ← Something You Know
            |
            ▼
Step 2: Enter 6-digit code from app ← Something You Have
            |
            ▼
Access Granted
----------------------------------------------
Attacker has stolen password:
Step 1: Enters stolen password      ← Succeeds
Step 2: Needs your phone app code   ← FAILS
Access Denied

Types of MFA Methods

Authenticator Apps

Apps like Google Authenticator, Microsoft Authenticator, and Authy generate a time-based 6-digit code that refreshes every 30 seconds. You open the app and type the code after your password. This method is free and works without internet or SMS.

SMS One-Time Codes

A text message delivers a code to your phone number. This is convenient but weaker than an authenticator app. Attackers can intercept SMS via SIM-swapping — a social engineering attack where they convince your carrier to transfer your phone number to their device.

Hardware Security Keys

A physical USB or NFC device you plug in or tap to authenticate. Hardware keys like YubiKeys are highly resistant to phishing because they cryptographically verify the website you are logging into. Even if you are tricked into visiting a fake login page, the key refuses to authenticate.

Push Notifications

An app on your phone shows a prompt asking "Did you just try to log in?" You tap Approve or Deny. This is easy to use but vulnerable to MFA fatigue attacks — where an attacker floods your phone with approval requests hoping you accidentally tap Approve.

MFA Fatigue Attack

MFA fatigue is a newer attack. An attacker steals your password, then sends dozens of MFA push notification requests in rapid succession — often in the middle of the night. A tired or annoyed user eventually taps Approve just to stop the notifications. The attacker gets in. The defense is to use number-matching prompts (where you must type a number shown on screen into the app) rather than simple approve/deny buttons.

Enforcing MFA Across Your Cloud

Most cloud platforms let you make MFA mandatory for all users. Configure your IAM policies to require MFA for any login — especially for accounts with elevated permissions. Any account without MFA is a single point of failure.

MFA Prioritization Guide

Account TypeRecommended MFA Method
Root / Global AdminHardware security key (mandatory)
Cloud Admin accountsAuthenticator app or hardware key
Developer accountsAuthenticator app
General staff accountsAuthenticator app or push notification
Service accountsCertificate-based auth (not MFA)

Key Terms to Know

  • TOTP: Time-Based One-Time Password — the 6-digit code generated by authenticator apps.
  • SIM Swapping: An attack where a criminal tricks a mobile carrier into transferring your phone number to their SIM card.
  • MFA Fatigue: Overwhelming a user with repeated authentication requests until they approve one accidentally.
  • Phishing-Resistant MFA: Methods like hardware keys that cannot be defeated by fake login pages.

What You Learned

MFA requires a user to verify their identity using two or more independent factors — something they know, something they have, or something they are. Authenticator apps and hardware keys provide stronger protection than SMS codes. MFA fatigue attacks exploit user frustration, and number-matching prompts defend against them. Enforcing MFA on all cloud accounts — especially admin accounts — is one of the most impactful security decisions you can make.

Leave a Comment

Your email address will not be published. Required fields are marked *