Multi-Factor Authentication (MFA)

Deploying and enforcing MFA across every system that touches your data — a baseline control required by most insurers and every major compliance framework.

Stolen credentials are the most common entry point for data breaches. MFA is the most effective single control for stopping them.

Passwords get compromised. They're reused across platforms, captured in phishing attacks, exposed in third-party data breaches, or guessed through credential stuffing. According to industry research, compromised credentials are involved in the majority of confirmed data breaches — and most of those breaches would have been stopped if the account required a second factor to authenticate.

Multi-factor authentication requires that a user prove their identity with something beyond a password — a code from an authenticator app, a hardware token, a biometric. Even when an attacker has the correct username and password, they can't authenticate without the second factor. It's one of the highest-leverage security controls available, and it remains one of the most inconsistently implemented.

Most firms that think they have MFA enabled have it partially deployed — on email, but not on the practice management system. On the VPN, but not on the cloud storage platform. We deploy and enforce MFA consistently across every system that touches your data, and we document it so the coverage is verifiable.

What's covered

  • MFA deployment across all user-facing systems: email, VPN, remote access, cloud applications, and practice management platforms
  • Authenticator app configuration and user enrollment with documented procedures
  • Phishing-resistant MFA options (FIDO2/hardware keys) for high-privilege accounts and high-risk access scenarios
  • Conditional access policy configuration — requiring MFA based on user role, device compliance status, location, and risk signals
  • MFA bypass and exception management with documented justification for any exceptions
  • Break-glass account procedures for emergency access without standard MFA factors
  • User enrollment documentation and access review records for compliance reporting
  • Monitoring for MFA fatigue attacks — detecting and responding to push notification abuse
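To make the last item concrete, here is an added example (written for this page, not the provider's tooling or any vendor's product) of the detection logic behind MFA fatigue monitoring. It reads constructed push-notification log lines and flags the two patterns that characterise a fatigue attack: a burst of push prompts to one user within a short window, and an approval that arrives only after the user has denied several prompts in a row. The log format, field names, user names, addresses and thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format, not from any real identity provider):
# <ISO-8601 timestamp> user=<upn> event=<push_sent|push_denied|push_approved> src=<ip>
# alice receives four prompts in under a minute, denies three and then approves the fourth;
# bob is a normal login: one prompt, one approval.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z user=alice@example.test event=push_sent src=203.0.113.10
2024-05-01T08:00:09Z user=alice@example.test event=push_denied src=203.0.113.10
2024-05-01T08:00:15Z user=alice@example.test event=push_sent src=203.0.113.10
2024-05-01T08:00:22Z user=alice@example.test event=push_denied src=203.0.113.10
2024-05-01T08:00:30Z user=alice@example.test event=push_sent src=203.0.113.10
2024-05-01T08:00:41Z user=alice@example.test event=push_denied src=203.0.113.10
2024-05-01T08:00:50Z user=alice@example.test event=push_sent src=203.0.113.10
2024-05-01T08:00:58Z user=alice@example.test event=push_approved src=203.0.113.10
2024-05-01T08:05:00Z user=bob@example.test event=push_sent src=198.51.100.7
2024-05-01T08:05:04Z user=bob@example.test event=push_approved src=198.51.100.7
"""

PUSH_BURST_THRESHOLD = 3        # assumed: prompts inside the window that trigger an alert
WINDOW = timedelta(minutes=2)   # assumed: sliding window evaluated per user
DENIALS_BEFORE_APPROVAL = 2     # assumed: consecutive denials that make a later approval suspicious


def parse_line(line):
    """Parse one 'key=value' log line into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_mfa_fatigue(log_text, threshold=PUSH_BURST_THRESHOLD,
                       window=WINDOW, denials=DENIALS_BEFORE_APPROVAL):
    """Return a list of alert dicts for push-burst and approval-after-denial patterns."""
    recent_prompts = defaultdict(deque)   # user -> timestamps of push_sent inside the window
    denial_streak = defaultdict(int)      # user -> consecutive denials since last approval
    alerts = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, event, ts = rec["user"], rec["event"], rec["ts"]

        if event == "push_sent":
            prompts = recent_prompts[user]
            prompts.append(ts)
            # Drop prompts that have aged out of the sliding window.
            while prompts and ts - prompts[0] > window:
                prompts.popleft()
            # Alert once, when the count first reaches the threshold; a later prompt
            # in the same burst does not produce a duplicate alert.
            if len(prompts) == threshold:
                alerts.append({"user": user, "kind": "push_burst",
                               "count": len(prompts), "ts": ts, "src": rec["src"]})

        elif event == "push_denied":
            denial_streak[user] += 1

        elif event == "push_approved":
            # An approval right after repeated denials is the classic "make it stop"
            # outcome of a fatigue attack and deserves a response, not just a log entry.
            if denial_streak[user] >= denials:
                alerts.append({"user": user, "kind": "approval_after_denials",
                               "count": denial_streak[user], "ts": ts, "src": rec["src"]})
            denial_streak[user] = 0

    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(f'{alert["ts"].isoformat()} {alert["kind"]:24} {alert["user"]} '
              f'count={alert["count"]} src={alert["src"]}')
```

On the sample above the detector raises two alerts for alice (a burst of three prompts, then an approval after three denials) and none for bob. In practice the "approval after denials" alert is the one to route to an on-call responder, since it means a second factor was most likely granted under pressure and the session should be revoked and the credential reset; the burst alert on its own is the earlier, cheaper signal to act on.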

Why this matters for your compliance program

FTC Safeguards explicitly requires multi-factor authentication for any individual accessing customer financial information. HIPAA's access control requirements are increasingly interpreted to include MFA as a required safeguard for electronic protected health information. Virtually every cyber insurance policy issued today requires MFA as a condition of coverage — and policies have been denied following incidents where MFA was not deployed on the compromised system.

MFA is not a complex or expensive control relative to the protection it provides. The firms that get breached through credential compromise after an FTC Safeguards exam or an insurance renewal are the ones where MFA was technically "in place" but never fully deployed. We make sure it's actually everywhere it needs to be — and that the documentation proves it.

Know where you stand before moving forward.

A free assessment tells you exactly what's missing. A written report is yours to keep — no strings attached, no pressure, no unwanted follow-ups. The report stays with you regardless of what you decide to do next.

Thirty minutes. One report. Everything you need to know.