Date: 2026-03-12

MFA is one of the most effective and simple cyber protections an organization can put in place. The solution is also already a regular feature in reseller and Managed Service Provider (MSP) portfolios, and the channel is well-positioned to provide value for customers in the deployment and integration of MFA, as well as ongoing support services – all crucial for the proper functioning of MFA platforms.

For those steeped in the technology industry, it’s easy to imagine that the market is all wrapped up. But there is still a huge opportunity, with a vast number of organizations dangerously underprepared for today’s identity challenges.

Why your customers need enhanced MFA

Identity really is the first line of protection for your organization. Leaked credentials are the initial attack vector in 22% of all confirmed breaches. Passwords are widely considered out of date and ineffective, as the 1.3 billion leaked credentials reported by haveibeenpwned demonstrate.

This is why MFA was introduced: to verify that login attempts are legitimate by requiring users to prove their identity with two or more independent factors, such as a password, a phone code, or a fingerprint, before they can access an account or system. MFA is a security best practice, but the 2025 UK Cybersecurity Breaches Survey found that only 40% of businesses have rolled out two-factor authentication. These organizations are missing a trick, especially as 66% of consumers say they trust a company more if it requires them to use MFA.

Even for those organizations that have rolled out MFA as standard, attackers have found ways to circumvent it and weaponize it to trick users into allowing them access to your systems.

For example, MFA bombing works by exploiting human psychology rather than technology. Once attackers acquire a set of leaked login credentials, possibly through phishing or dark web purchases, they unleash automated tools to bombard individuals with authentication prompts.

Constantly flooding employees with notifications can lead to MFA fatigue, leaving them frustrated and, in turn, more likely to accidentally approve a fraudulent request. In some cases, hackers may also call or message individuals pretending to be IT support to pressure them into approving a login.

All it takes is one accidental approval. A single click can expose payment systems, customer data, and operational platforms – leading to ransom demands, ecommerce outages, regulatory consequences, and reputational damage.
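A detection sketch for the prompt flood described above, added here as an example and not taken from any MFA product: it counts push prompts per user in a sliding window and singles out an approval that arrives during a flood. The log format, `WINDOW` and `MAX_PROMPTS` are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_PROMPTS = 5                 # assumed: more prompts than this per window is a flood

# Constructed push-MFA log: (ISO timestamp, user, prompt result)
EVENTS = [
    ("2026-03-12T02:00:00", "bob", "denied"),
    ("2026-03-12T02:00:40", "bob", "timeout"),
    ("2026-03-12T02:01:10", "bob", "denied"),
    ("2026-03-12T02:01:30", "carol", "approved"),
    ("2026-03-12T02:02:00", "bob", "timeout"),
    ("2026-03-12T02:02:30", "bob", "denied"),
    ("2026-03-12T02:03:00", "bob", "denied"),
    ("2026-03-12T02:03:20", "bob", "approved"),
]

def detect_push_fatigue(events):
    """Return (timestamp, user, kind) alerts for floods and approvals inside a flood."""
    recent = defaultdict(deque)  # user -> timestamps of prompts still inside WINDOW
    alerts = []
    for ts, user, result in sorted(events):
        now = datetime.fromisoformat(ts)
        prompts = recent[user]
        prompts.append(now)
        # Drop prompts that have aged out of the sliding window.
        while now - prompts[0] > WINDOW:
            prompts.popleft()
        if len(prompts) > MAX_PROMPTS:
            # An approval during a flood is the high-severity case: the user
            # most likely gave in, so the resulting session should be reviewed.
            kind = "approved_after_flood" if result == "approved" else "prompt_flood"
            alerts.append((ts, user, kind))
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(EVENTS):
        print(alert)
```

A `prompt_flood` alert also indicates that the account's password is already known to the attacker, so a credential reset belongs in the response alongside the session review.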

Enhanced MFA goes a step further and analyzes the location of login attempts, the device, the operating system, and the browser used, looking for anomalies.

For example, if one request is made in London and a second request is made immediately afterwards in Vancouver, that would raise an alarm for the system administrator to investigate. By combining multiple authentication proof points, MFA can make smarter authentication decisions, flagging suspicious logins while enabling legitimate users to proceed without additional verification.
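The London and Vancouver case above, worked as an added example (not code from any vendor's product): two consecutive logins are compared by implied travel speed and by device fingerprint, and the signals are mapped to an action. The 900 km/h and 100 km thresholds, the field names and the sample logins are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold, roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0    # assumed: IP geolocation is too coarse below this

@dataclass
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    device: str  # constructed fingerprint: "operating system/browser"

def haversine_km(a: Login, b: Login) -> float:
    """Great-circle distance between two login locations in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def assess(prev: Login, cur: Login) -> list[str]:
    """Return anomaly signals for cur relative to the user's previous login."""
    signals = []
    hours = (cur.when - prev.when).total_seconds() / 3600
    km = haversine_km(prev, cur)
    if km > MIN_DISTANCE_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
        signals.append("impossible_travel")
    if cur.device != prev.device:
        signals.append("new_device")
    return signals

def decide(signals: list[str]) -> str:
    """No signals: no extra verification. Otherwise step up or block and alert."""
    if "impossible_travel" in signals:
        return "block_and_alert"
    return "step_up" if signals else "allow"

# Constructed sample logins.
LONDON = Login("alice", datetime(2026, 3, 12, 9, 0), 51.5074, -0.1278, "Windows/Edge")
VANCOUVER = Login("alice", datetime(2026, 3, 12, 9, 5), 49.2827, -123.1207, "Linux/Firefox")
LONDON_PM = Login("alice", datetime(2026, 3, 12, 17, 0), 51.5200, -0.1000, "Windows/Edge")

if __name__ == "__main__":
    print(decide(assess(LONDON, VANCOUVER)))  # five minutes apart, about 7,600 km
    print(decide(assess(LONDON, LONDON_PM)))  # same city, same device
```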

How phishing-resistant MFA offers further protection

Phishing-resistant MFA is a further advanced security method that uses cryptography to stop attackers from stealing or intercepting login credentials, even if they trick someone into entering them on a fake website. The solution moves entirely beyond traditional, phishable methods such as SMS codes or push notifications that require user-initiated approvals. Instead, authentication happens automatically and cryptographically between the user’s device and the legitimate service, so attackers can’t overwhelm users with prompts or trick them into tapping “approve.”

As recommended by government agencies, including CISA, the gold standard in phishing-resistant MFA is FIDO2, the latest standard developed and published by the FIDO Alliance, a group that develops and publishes technical specifications for passwordless authentication. FIDO2 combines WebAuthn (the browser/server standard) and CTAP2 (how security keys or devices talk to the browser). Together, they enable passwordless or strong MFA using cryptographic keys. FIDO2 cryptographic passkeys mean that the private key stays securely on your device, while the public key is registered with the service.

Because these cryptographic keys are bound to the legitimate website or app domain, even if a user is tricked by a fake login page, their device won’t complete the authentication because the domain doesn’t match the one the passkey was created for. FIDO2 fundamentally removes the conditions phishing relies on. Instead of trying to detect or block phishing, FIDO2 makes phishing technically ineffective, removing the onus from the user and leading to a better experience and stronger security.
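The domain binding described above is also checked on the server. The following added example (not code from the FIDO Alliance or any library) shows the origin, challenge and RP ID hash checks a relying party applies to a WebAuthn assertion; signature verification over the authenticator data and client data hash is still required and is not shown. `RP_ID`, `EXPECTED_ORIGIN`, the function names and the sample assertions are assumptions constructed for illustration.

```python
import base64
import hashlib
import json

RP_ID = "login.example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed origin of the real login page

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def binding_errors(client_data_json: bytes, authenticator_data: bytes,
                   challenge: bytes) -> list[str]:
    """Return the binding checks that failed; an empty list means all passed."""
    errors = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        errors.append("wrong_type")
    if client.get("challenge") != b64url(challenge):
        errors.append("challenge_mismatch")  # stale or replayed assertion
    if client.get("origin") != EXPECTED_ORIGIN:
        errors.append("origin_mismatch")     # browser reported another site
    # authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4)
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        errors.append("rp_id_hash_mismatch")
    if len(authenticator_data) < 37 or not authenticator_data[32] & 0x01:
        errors.append("user_not_present")
    return errors

def constructed_assertion(origin: str, rp_id: str, challenge: bytes):
    """Build unsigned sample clientDataJSON and authenticatorData for the demo."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    flags = bytes([0x05])  # user present + user verified
    auth = hashlib.sha256(rp_id.encode()).digest() + flags + (7).to_bytes(4, "big")
    return client, auth

CHALLENGE = b"constructed-server-challenge"
GOOD = constructed_assertion("https://login.example.com", "login.example.com", CHALLENGE)
LOOKALIKE = constructed_assertion("https://login.example-sso.test",
                                  "login.example-sso.test", CHALLENGE)

if __name__ == "__main__":
    print(binding_errors(*GOOD, CHALLENGE))       # passes every check
    print(binding_errors(*LOOKALIKE, CHALLENGE))  # fails on origin and RP ID hash
```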

From basic tactic to strategic business enabler

Organizations that take a concerted approach to combating MFA bombing and the subsequent fatigue can experience a strategic and business advantage, especially when selling to highly regulated sectors.

Phishing-resistant MFA is recommended by national cybersecurity bodies to counter the rise of MFA-related phishing attacks popularized by the Scattered Spider group. CISA and others recently released a joint advisory, outlining key actions for organizations to take. Aligning closely with established best practices, it includes strong password hygiene and educating and training users to recognize suspicious MFA activity and the risks associated with approving suspicious login requests.

MSPs and resellers who can help with the educational piece and implement MFA that aligns with the user experience to ensure uptake and compliance will be able to add particular value to their customers, who know that the human element is always going to be an unpredictable challenge.

MFA remains the most proactive tool for combatting the most common and pervasive cyberattacks. When strengthened with enhanced, phishing-resistant technologies, MFA can evolve from a must-have security requirement to a strategic enabler. It protects users, protects critical systems, safeguards customer data, reinforces brand trust, and supports shareholder value.

In summary, the simplest thing a business can do to protect itself is to deploy MFA, and for channel partners, it’s a great starting point from which to explore further conversations with customers about their access management needs and wider security solutions.