How to MFA everywhere
Identity online is not who you are; it is what the system accepts as proof of you, and that gap is exactly what the attackers take advantage of
What makes you, you? In the physical world, identity is layered with memories, choices, and relationships. Online, all that is stripped away. To a computer, you are not your story. You are a login. A password. A browser cookie. A code sent to your phone. And if an attacker can obtain those same fragments, the system treats them as you.
Identity online is not who you are; it is what the system accepts as proof of you, and that gap is exactly what the attackers take advantage of. Across devices, networks, and SaaS platforms, what is accepted as proof will vary greatly. That inconsistency is where attackers thrive, bypassing weak or uneven multi-factor authentication (MFA) implementations and exploiting the cracks between systems.
For managed service providers (MSPs), this fragmentation isn’t just a challenge. It gives them an opportunity to deliver differentiated identity protection services that will unify and strengthen what their customers are struggling to do on their own.
Why MFA matters and why it’s often misunderstood
Most people still think of identity as a username and password. But that is like locking your front door with a simple latch. It might keep the wind out, but it will not stop a burglar. MFA is supposed to fix that by requiring more than one type of proof, typically something you know, something you have, or something you are. PINs, biometrics, push approvals, hardware keys, and device checks all fall into these categories.
However, not all factors are created equal. A unique, strong PIN is a lot better than a four-digit code that is reused everywhere. A fingerprint scan backed by the secure hardware on modern iPhones is better than the old swipe pattern on an Android screen that anyone could smudge-trace. A FIDO2 hardware key is significantly more resistant to attack than SMS codes that are inherently vulnerable to SIM swaps.
For MSPs, the ability to help customers understand the strongest versions of these factors, combined with what works for the business, and then guiding them toward the right combinations, is a powerful value-add.
Where MFA works well and where it breaks
The challenge for MSPs is that MFA isn’t consistent across platforms. Each login will have its own rules, capabilities, and points of failure, which is why simply “turning on MFA” rarely means true protection.
When it comes to mobile devices, at the lock screen, Apple and Google only allow a single factor: a PIN/passcode or a biometric. You can’t stack multiple factors before the unlock. Strong passcodes and secure biometrics are the best you can enforce. Then, if the device is stolen, remote lock or wipe are the only remaining controls.
Desktops and laptops give you more options. Windows Hello, Touch ID, and passwords form the base layer. MSPs can add second factors for their customers, such as push approvals or hardware keys. Hardware tokens also introduce revocation and re-issuance workflows that MSP customers often can’t manage alone.
Wi-Fi and office networks typically authenticate with either passwords or certificates. Passwords are easier for onboarding and change, but they’re also easier to phish. Certificates bind identity to a device and are more secure, but revoking them after compromise can be complex. This means MSPs must ensure that they balance security with operational overhead. The ability to do this well is itself a differentiator.
VPNs provide the greatest flexibility. MSPs can enforce multiple checks, such as passwords, MFA challenges, device posture, and even behavioural signals, before granting access. Because VPNs often serve as a gateway to sensitive resources, strengthening authentication here is important.
SaaS applications are where identity is most fragmented and also where attackers often strike first. Some apps support WebAuthn and FIDO keys; others support only passwords or basic MFA. Working with a centralized identity provider will enable MSPs to unify these experiences, enforce consistent MFA, and block the credential-stuffing and session-hijacking attacks that plague cloud services.
Context, behavior, and devices
Beyond basic MFA, there are contextual and behavioral factors such as your location, your device health, and your activity patterns. These may add even more strength, but support varies widely.
Mobile lock screens offer strong biometrics but limited context awareness; operating systems may allow geo-location checks or behavioral signals, but support is inconsistent; network infrastructure can evaluate IP or traffic patterns, but rarely user identity context; SaaS platforms may support conditional access, but only if tied into the right identity provider.
For any of this to work, MSPs must also manage device posture. This means OS updates, app patching, certificate health, domain join status, NAC policies, and more. Responding to a compromise will often mean revoking not only user credentials but also device-based trust. This is something customers are often unprepared for. MSPs add value when they can step in with managed identity lifecycle services.
MFA everywhere is harder than it sounds
It is tempting to think MFA is just a feature you turn on that makes you more secure. But every platform has limitations. Some factors can be reset with a click. Others, such as certificates or hardware keys, need careful revocation workflows. Some support modern, context-aware signals, others don’t.
Attackers know this and specifically target the weakest link, for example, a phishable Wi-Fi password, an unprotected SaaS login, or a stolen session cookie that bypasses MFA entirely.
MSPs, however, can see across the whole environment. They can:
- Map where identity is weak or fragmented
- Recommend the strongest possible factor for each context
- Unify authentication through an IdP
- Manage factor resets, revocation, and device health
- Deliver identity protection as a recurring service with clear value
And this is where the real differentiation for MSPs is possible.
Identity won’t be perfect, but consistency and coverage are practical goals MSPs can deliver today. Start with an identity map and a pilot on high-risk users and apps.
By mapping where identity is weakest, centralizing authentication through an IdP, enforcing strong, context-aware factors, and owning revocation and device posture, MSPs turn MFA into a dependable, recurring service. The result for customers will be fewer breaches, faster recovery, and lower helpdesk churn. And for the MSP, it is new recurring revenue.
Adam Winston is a seasoned cybersecurity leader with over 20 years of experience building and scaling security operations centers (SOCs) and cyber defense programs.
As Founding CTO of IntelliGO Networks, he developed a next-gen managed detection and response (MDR) platform that was acquired by ActZero, where he later served as chief security officer. There, he helped launch a fractional CISO program, guiding clients through complex frameworks like HIPAA, SOC 2, PCI, CMMC, and FedRAMP.
Now serving as field CTO of managed services, Adam continues to drive innovation in threat detection and SOC efficiency using AI and automation.