Account MFA Factors
Organizations often lack comprehensive visibility into the Multi-Factor Authentication (MFA) factors used across their environment, resulting in risks that include the following:
- Security Gaps: Accounts without MFA or using weak methods (e.g., SMS-based) are more susceptible to compromise.
- Compliance Risks: Difficulty in enforcing and auditing strong authentication policies across all users.
- User Risk Management Challenges: Inability to easily identify high-risk user accounts that rely on weak or outdated MFA methods.
Viewing MFA Factors
To view an account's MFA factors, follow this procedure:
- From the left navigation menu, select Inventories.
- Select Identities.
- On the Identities page, select Accounts.
- Select an Identity.
- On the panel that opens to the right, select the MFA Factors tab to view this information:
  - Factor Name: As reported by the source system (e.g., mobilePhone in Entra).
  - Type: Normalized format (e.g., SMS/Voice, Authenticator App).
  - Strength: The security level (e.g., Strong, Weak).
  - Recommendation: Ensure robust protection by enabling only MFA factors classified as Strong.
MFA Factor Types and Risks
Strong
- Authenticator App: Requires manual entry of a time-based code, reducing susceptibility to automated attacks.
- FIDO2: Enforces user presence with hardware-backed credentials.
Moderate
- Push-Based Authentication: Subject to push fatigue—users may approve prompts without scrutiny.
Weak
- SMS/Voice: Vulnerable to SIM-swapping and phishing attacks.
- Email: Risky if the email account is compromised.
Security Check: Disable Weak MFA Factors for All Users
To prevent unauthorized access and align with best practices for identity protection, disable weak factors, such as SMS/Voice or Email methods, for all user accounts and enable only strong MFA methods, such as Authenticator App and FIDO2.
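The same check can be run offline against an exported account inventory. The script below is an added example, not the product's own code: it normalizes source factor names to the types above, applies this page's strength classification, and reports accounts that fail the check. The export shape, the finding codes, and every source factor name except mobilePhone are assumptions.

```python
# Normalized type -> strength, as classified on this page.
STRENGTH = {
    "Authenticator App": "Strong", "FIDO2": "Strong",
    "Push-Based Authentication": "Moderate",
    "SMS/Voice": "Weak", "Email": "Weak",
}

# Source name -> type; only "mobilePhone" is from the page, the rest are assumed.
NORMALIZE = {
    "mobilePhone": "SMS/Voice",
    "email": "Email",
    "softwareOneTimePasscode": "Authenticator App",
    "fido2": "FIDO2",
    "microsoftAuthenticatorPush": "Push-Based Authentication",
}

def classify(factor_name):
    ftype = NORMALIZE.get(factor_name, "Unknown")
    return ftype, STRENGTH.get(ftype, "Unknown")

def audit(accounts):
    """Map each non-compliant account to a sorted list of finding codes."""
    findings = {}
    for account, factors in accounts.items():
        strengths = {classify(name)[1] for name in factors}
        issues = set()
        if not factors:
            issues.add("NO_MFA")
        elif "Strong" not in strengths:
            issues.add("NO_STRONG_FACTOR")
        if "Weak" in strengths:
            issues.add("WEAK_FACTOR_ENABLED")  # still usable as a fallback path
        if "Unknown" in strengths:
            issues.add("UNMAPPED_FACTOR")  # fail closed: needs manual review
        if issues:
            findings[account] = sorted(issues)
    return findings

# Constructed sample inventory (hypothetical accounts and factors).
SAMPLE = {
    "alice@example.com": ["fido2"],
    "bob@example.com": ["softwareOneTimePasscode", "mobilePhone"],
    "carol@example.com": [],
    "dave@example.com": ["microsoftAuthenticatorPush"],
    "erin@example.com": ["email", "legacyToken"],
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An account with both a strong and a weak factor is still reported, because the weak factor remains enabled alongside the strong one.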