Multi-factor authentication: essential, but not all factors are equal
SMS MFA was good in 2014 and risky in 2026. Here is how to ladder up to phishing-resistant factors without breaking your help desk.
Multi-factor authentication (MFA) reduces account takeover risk by 99 percent or more, per Microsoft and Google research. But the strength varies sharply by factor. SMS one-time codes can be intercepted by SIM swap attacks — documented at multiple Azerbaijani mobile operators in recent years — and by SS7 protocol abuse. Push notifications without number-matching are vulnerable to MFA fatigue (push bombing). TOTP from an authenticator app and SMS are both phishable through Adversary-in-the-Middle proxies like Evilginx.
Phishing-resistant MFA is the modern standard. FIDO2/WebAuthn factors — hardware keys (YubiKey, Google Titan, Feitian) and platform passkeys (Apple Keychain, Windows Hello for Business, Android passkeys) — bind the cryptographic challenge to the legitimate origin. A phishing proxy on a look-alike domain cannot relay the challenge; the browser refuses. NIST SP 800-63B Authenticator Assurance Level 3 is achievable only with phishing-resistant factors plus a verifier-impersonation-resistant channel.
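To make the origin-binding argument concrete, here is an added example (not code from this article, and not any vendor's implementation) that models the two checks that defeat a look-alike-domain proxy: the browser's rule that the relying-party ID must be the origin's host or a parent domain of it, and the relying party's checks over clientDataJSON and authenticatorData. The ECDSA signature a real authenticator produces is replaced by an HMAC so the demo runs with the Python standard library; the domains, key and field values are all constructed.

```python
"""Why a phishing proxy cannot relay a FIDO2/WebAuthn assertion.

Added example. Models the browser-side RP ID rule and the relying-party-side
verification steps. HMAC stands in for the authenticator's asymmetric
signature; every name and value below is constructed for the demo.
"""
import hashlib
import hmac
import json
import os
import struct
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

AUTHENTICATOR_KEY = b"constructed-credential-key"  # stands in for an ECDSA private key
FLAG_USER_PRESENT = 0x01                            # authenticatorData flags bit


def rp_id_allowed(origin: str, rp_id: str) -> bool:
    """Browser rule (simplified: real browsers also reject public suffixes such
    as 'com'): rp_id must equal the origin host or be a parent domain of it.
    'login-example.com' is not under 'example.com', so the look-alike site
    cannot even ask the authenticator to sign."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def browser_sign(origin: str, rp_id: str, challenge: bytes) -> Optional[Dict[str, bytes]]:
    """What browser + authenticator produce for a sign-in on `origin`.
    The browser, not the web page, writes the origin into clientDataJSON."""
    if not rp_id_allowed(origin, rp_id):
        return None  # browser refuses; the page gets an error, no signature exists
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": challenge.hex(),
        "origin": origin,
    }).encode()
    # authenticatorData = rpIdHash(32) || flags(1) || signCount(4, big-endian)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([FLAG_USER_PRESENT]) + struct.pack(">I", 7))
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


def rp_verify(assertion: Dict[str, bytes], expected_origin: str,
              rp_id: str, expected_challenge: bytes) -> Tuple[bool, str]:
    """Relying-party checks, in the order the WebAuthn assertion steps do them."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch: " + str(cd.get("origin"))
    ad = assertion["auth_data"]
    if ad[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad[32] & FLAG_USER_PRESENT:
        return False, "user presence flag not set"
    signed = ad + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    """Four scenarios: legitimate sign-in, look-alike proxy domain, a sibling
    subdomain under the same RP ID, and a replayed assertion."""
    rp_id = "example.com"                       # constructed
    legit = "https://login.example.com"         # constructed
    challenge = os.urandom(32)                  # RP-issued, single use
    results = {}
    good = browser_sign(legit, rp_id, challenge)
    results["legitimate"] = rp_verify(good, legit, rp_id, challenge)
    # Look-alike domain: the browser refuses before anything is signed.
    results["lookalike"] = browser_sign("https://login-example.com", rp_id, challenge)
    # Sibling subdomain may obtain a signature, but the RP pins the exact origin.
    sibling = browser_sign("https://blog.example.com", rp_id, challenge)
    results["sibling"] = rp_verify(sibling, legit, rp_id, challenge)
    # Replay: the RP has already moved on to a fresh challenge.
    results["replay"] = rp_verify(good, legit, rp_id, os.urandom(32))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The sibling-subdomain case is why the relying party checks the exact origin even though the browser's RP ID rule already passed: a script injected on another host under the same registrable domain can request an assertion, but it is useless against a verifier that pins `https://login.example.com`.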
Deploy in tiers. Phase 1: enable any MFA for all users, prioritizing TOTP over SMS, with conditional access blocking legacy authentication protocols (POP, IMAP, basic SMTP). Phase 2: roll out FIDO2 to administrators and high-value roles — finance, executives, IT. Microsoft 365 Authentication Strength policies, Okta Authentication Policies, and Google Advanced Protection Program enforce the factor at the right scope. Phase 3: extend FIDO2 to all employees with passkeys synced via the platform.
Operational details matter. Always enroll at least two factors per user — a registered passkey plus a backup hardware key — to avoid lockouts. Define a verified-identity recovery process for lost factors that does not regress to SMS. Lock down self-service password reset to require MFA. Monitor for impossible travel and anomalous sign-ins via Azure AD Identity Protection or Okta ThreatInsight. Train the help desk to verify identity through a callback and a knowledge factor before resetting MFA — voice cloning makes "I locked myself out" calls a real attack vector.
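The monitoring advice above, and the push-bombing weakness described earlier, are easiest to turn into controls with concrete detection logic. The following is an added example, not the article's code or any identity provider's detection: it runs an impossible-travel rule and an MFA-fatigue rule over a constructed sign-in export. The log format, field names, coordinates and thresholds (900 km/h, three push denials or timeouts within five minutes) are assumptions; map your provider's export fields onto them.

```python
"""Two sign-in detections: impossible travel and MFA push bombing.

Added example over a constructed log. Fields per line:
timestamp user method lat lon   (method: push_approved, push_denied,
push_timeout or fido2). All values and thresholds are constructed.
"""
import math
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample export. Coordinates are Baku, Paris and Istanbul.
SAMPLE_LOG = """\
2026-03-02T08:00:00Z alice push_approved 40.4093 49.8671
2026-03-02T09:10:00Z alice push_approved 48.8566 2.3522
2026-03-02T21:00:00Z bob   push_denied   40.4093 49.8671
2026-03-02T21:00:20Z bob   push_timeout  40.4093 49.8671
2026-03-02T21:00:45Z bob   push_denied   40.4093 49.8671
2026-03-02T21:01:10Z bob   push_denied   40.4093 49.8671
2026-03-02T21:01:40Z bob   push_approved 40.4093 49.8671
2026-03-03T08:00:00Z carol fido2         40.4093 49.8671
2026-03-03T12:00:00Z carol fido2         41.0082 28.9784
"""

PUSH_FAILURES = ("push_denied", "push_timeout")


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def parse_log(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, lat, lon = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "method": method,
                       "lat": float(lat), "lon": float(lon)})
    return events


def by_user(events: List[Dict]) -> Dict[str, List[Dict]]:
    groups: Dict[str, List[Dict]] = {}
    for e in events:
        groups.setdefault(e["user"], []).append(e)
    for evs in groups.values():
        evs.sort(key=lambda e: e["ts"])
    return groups


def impossible_travel(events: List[Dict], max_kmh: float = 900.0) -> List[Dict]:
    """Flag consecutive sign-ins whose implied speed exceeds an airliner's."""
    findings = []
    for user, evs in by_user(events).items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            speed = math.inf if hours == 0 and km > 0 else (km / hours if hours else 0.0)
            if speed > max_kmh:
                findings.append({"user": user, "km": round(km), "hours": round(hours, 2),
                                 "speed_kmh": round(speed)})
    return findings


def push_bombing(events: List[Dict], min_failures: int = 3,
                 window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Flag a burst of push denials/timeouts, and whether an approval followed:
    an approval right after a burst is the signature of a worn-down user."""
    findings = []
    for user, evs in by_user(events).items():
        failures = [e["ts"] for e in evs if e["method"] in PUSH_FAILURES]
        for i, start in enumerate(failures):
            burst = [t for t in failures[i:] if t - start <= window]
            if len(burst) >= min_failures:
                end = burst[-1]
                approved_after = any(e["method"] == "push_approved"
                                     and end < e["ts"] <= end + window for e in evs)
                findings.append({"user": user, "failures": len(burst),
                                 "start": start, "approved_after": approved_after})
                break  # one finding per user per burst is enough for triage
    return findings


def run_detections(text: str) -> Dict[str, List[Dict]]:
    events = parse_log(text)
    return {"impossible_travel": impossible_travel(events),
            "push_bombing": push_bombing(events)}


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_LOG).items():
        print(rule, hits)
```

On the constructed data alice is flagged (Baku to Paris in 70 minutes), carol is not (Baku to Istanbul in four hours is an ordinary flight), and bob's four push failures followed by an approval are exactly the pattern that should trigger a help-desk callback rather than a quiet "user approved, case closed".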