Account MFA Factors

Organizations often lack comprehensive visibility into the Multi-Factor Authentication (MFA) factors used across their environment, resulting in risks that include the following:

  • Security Gaps: Accounts without MFA or using weak methods (e.g., SMS-based) are more susceptible to compromise.

  • Compliance Risks: Difficulty in enforcing and auditing strong authentication policies across all users.

  • User Risk Management Challenges: Inability to easily identify high-risk user accounts that rely on weak or outdated MFA methods.

Viewing MFA Factors

To view an account's MFA factors, follow this procedure:

  1. From the left navigation menu, select Inventories.

  2. Select Identities.

  3. On the Identities page, select Accounts.

  4. Select an Identity.

  5. On the panel that opens to the right, select the MFA Factors tab to view this information:

    • Factor Name: As reported by the source system (e.g., mobilePhone in Entra).

    • Type: Normalized format (e.g., SMS/Voice, Authenticator App).

    • Strength: The security level (e.g., Strong, Weak).

Recommendation: Enable only MFA factors classified as Strong. An account is only as well protected as its weakest registered factor, because an attacker who already holds the password can normally choose any enabled method at sign-in; a Strong factor registered alongside SMS still leaves the account exposed through SMS.

MFA Factor Types and Risks

Strong

  • Authenticator App: Requires the user to type a time-based one-time code (TOTP) generated on a registered device, so there is no prompt for an attacker to trigger and no phone number to hijack. A typed code can still be relayed by a real-time phishing page; of the factors listed here only FIDO2 resists that.

  • FIDO2: Uses a hardware-backed key pair; the authenticator requires user presence and binds each signature to the site's origin, so the credential cannot be phished or replayed against another site.

Moderate

  • Push-Based Authentication: Subject to push fatigue (MFA bombing): an attacker who has the password can send repeated prompts until the user approves one without scrutiny. Number matching reduces this risk but does not remove it.

Weak

  • SMS/Voice: The code is tied to a phone number rather than a device and travels over the carrier network, so it is vulnerable to SIM swapping, number porting, and phishing relay.

  • Email: Only as strong as the mailbox it is delivered to; a compromised or weakly protected email account hands the attacker the second factor along with the password-reset path.

Security Check: Disable Weak MFA Factors for All Users

To prevent unauthorized access and align with best practices for identity protection, disable weak factors (SMS/Voice and Email) for all user accounts and allow only strong MFA methods, such as Authenticator App and FIDO2. Before disabling a method, confirm that every affected user has already registered a strong one; otherwise the change locks users out rather than protecting them.
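As an added worked example (not the product's own code or data model), the script below implements the two ideas above: it maps Entra authentication methods, in the object shape returned by Microsoft Graph's /users/{id}/authentication/methods endpoint, onto the Type and Strength vocabulary of the factor table, and then audits a set of accounts for the weak or missing factors that the security check targets. The ODATA_TYPE mapping, the choice to treat the Microsoft Authenticator method as push-based, and the sample accounts are assumptions made for illustration.

```python
"""Normalize Entra authentication methods to Type/Strength and audit accounts.

Added example, not product code. Input objects mimic Microsoft Graph's
/users/{id}/authentication/methods output ("@odata.type" plus "phoneType"
for phone methods); every sample account below is constructed.
"""
from typing import Dict, List, NamedTuple, Optional


class Factor(NamedTuple):
    name: str      # Factor Name as reported by the source, e.g. "mobilePhone"
    type: str      # normalized Type, e.g. "SMS/Voice"
    strength: str  # Strong / Moderate / Weak / Unknown


# Normalized Type -> Strength, following the factor table on this page.
STRENGTH = {
    "Authenticator App": "Strong",
    "FIDO2": "Strong",
    "Push-Based Authentication": "Moderate",
    "SMS/Voice": "Weak",
    "Email": "Weak",
}

# Graph @odata.type -> normalized Type (assumed mapping). Microsoft Authenticator
# is treated as push-based (its default prompt); softwareOath is a typed TOTP code.
ODATA_TYPE = {
    "#microsoft.graph.fido2AuthenticationMethod": "FIDO2",
    "#microsoft.graph.softwareOathAuthenticationMethod": "Authenticator App",
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod": "Push-Based Authentication",
    "#microsoft.graph.phoneAuthenticationMethod": "SMS/Voice",
    "#microsoft.graph.emailAuthenticationMethod": "Email",
}

NOT_A_FACTOR = {"#microsoft.graph.passwordAuthenticationMethod"}  # first factor only
RANK = {"Strong": 3, "Moderate": 2, "Weak": 1, "Unknown": 0}


def normalize(method: Dict) -> Optional[Factor]:
    """One Graph method object -> Factor, or None if it is not a second factor."""
    odata = method.get("@odata.type", "")
    short = odata.rsplit(".", 1)[-1] or "unknown"
    if odata in NOT_A_FACTOR:
        return None
    ftype = ODATA_TYPE.get(odata)
    if ftype is None:
        # Unmapped types are reported as Unknown so they get reviewed,
        # never silently counted as strong.
        return Factor(short, "Unknown", "Unknown")
    # Phone methods report the slot they occupy (mobilePhone, officePhone, ...).
    return Factor(method.get("phoneType", short), ftype, STRENGTH[ftype])


def account_factors(methods: List[Dict]) -> List[Factor]:
    return [f for f in map(normalize, methods) if f is not None]


def effective_strength(methods: List[Dict]) -> str:
    """The weakest registered factor bounds the account: with the password in
    hand, an attacker picks SMS at sign-in even when FIDO2 is also registered."""
    factors = account_factors(methods)
    if not factors:
        return "None"
    return min((f.strength for f in factors), key=RANK.__getitem__)


def audit(accounts: Dict[str, List[Dict]]) -> Dict[str, str]:
    """Return {account: finding} for every account not held to Strong factors only."""
    findings = {}
    for upn, methods in accounts.items():
        eff = effective_strength(methods)
        if eff == "Strong":
            continue
        if eff == "None":
            findings[upn] = "no MFA factor registered"
            continue
        culprits = sorted(f"{f.type} ({f.name})"
                          for f in account_factors(methods) if f.strength == eff)
        findings[upn] = f"effective strength {eff} via {', '.join(culprits)}"
    return findings


SAMPLE_ACCOUNTS = {  # constructed sample data, not a real tenant
    "alice@example.com": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
        {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod"},
    ],
    "bob@example.com": [  # strong key registered, but SMS left on as a fallback
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
        {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod"},
        {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "phoneType": "mobilePhone"},
    ],
    "carol@example.com": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
        {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"},
    ],
    "dave@example.com": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
    ],
    "erin@example.com": [
        {"@odata.type": "#microsoft.graph.emailAuthenticationMethod", "emailAddress": "erin@mail.example"},
        {"@odata.type": "#microsoft.graph.temporaryAccessPassAuthenticationMethod"},
    ],
}

if __name__ == "__main__":
    for upn, finding in audit(SAMPLE_ACCOUNTS).items():
        print(f"{upn}: {finding}")
```

The audit reports the weakest enabled factor rather than the strongest, which is why bob@example.com is flagged despite owning a FIDO2 key: until the SMS fallback is disabled, the key adds no protection against an attacker who controls the phone number. Method types the mapping does not know are surfaced as Unknown so that a new or unusual method is reviewed instead of being assumed safe.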