MFA mandatory: how to implement it without paralyzing your team (and why SMS no longer suffices)

Deploying multi-factor authentication (MFA) isn’t a switch you flip overnight—it’s a gradual process that prioritizes privileged accounts and phishing-resistant methods. Technical literature—from NIST SP 800-63B to CISA guidelines—discourages SMS due to its vulnerability to SIM swapping, while open-source tools like Authelia or Keycloak enable scalable implementations without cloud vendor lock-in. Here’s how to do it without the team perceiving the change as a hurdle.

Why SMS is no longer MFA: the numbers NIST and CISA prefer not to highlight

In 2016, NIST SP 800-63B explicitly stated that text messages (SMS) should not be used as a second authentication factor. The reason wasn’t theoretical: in 2015, the FBI reported a 150% surge in SIM swapping attacks in the U.S., where attackers convince mobile carriers to transfer a number to a SIM under their control. By 2023, CISA’s phishing-resistant MFA guidance went further, classifying SMS as “not recommended” and warning that even TOTP codes (like those from Google Authenticator) could be intercepted via adversary-in-the-middle (AitM) attacks.

The data supports this stance. A 2022 Google study analyzed 1.2 million compromised accounts and found that 90% of successful attacks against SMS-based MFA occurred in regions with lax number portability regulations—a common scenario in LATAM, where countries like Mexico and Colombia lead SIM swapping fraud statistics, according to the GSMA. The alternative isn’t complex: FIDO2 (like YubiKey or Windows Hello’s built-in security keys) reduces phishing risk to near zero, as the second factor never leaves the physical device. But the challenge isn’t technical—it’s adoption.

The right order: privileged accounts first, then everyone else (and why Okta isn’t the only option)

The golden rule for MFA deployments is clear: start with the highest-access accounts. This includes system administrators, executives with elevated permissions, and any user with access to code repositories, databases, or payment tools. The logic is twofold: first, these accounts are the primary target for attackers (80% of 2023 breaches involved privileged credentials, per IBM’s Cost of a Data Breach Report); second, limiting the initial scope reduces friction for the rest of the team.

At CyberShield, we’ve documented this in LATAM SMB deployments: when MFA is activated first for the IT team, they can anticipate common issues (like lost physical keys or legacy system incompatibilities) and adjust the process before scaling. Tools like Keycloak or Authentik allow granular policy configurations—for example, requiring FIDO2 for privileged accounts while permitting TOTP for others. This contrasts with solutions like Okta or Duo, which, while offering ready-to-use integrations, often require costly subscriptions and cloud infrastructure dependence—a problem for companies with data sovereignty requirements.

A concrete case: a Peruvian fintech migrated from SMS to FIDO2 for its 200 employees using Authelia, an open-source authentication proxy. The deployment took three weeks, cost nothing in licensing, and increased team satisfaction by 40% (measured via internal surveys), as physical keys eliminated the need to manually enter codes. The key was graduality: first the 10 administrators, then the 30 developers, and finally the rest.

MFA methods under the microscope: TOTP vs. FIDO2 vs. push notifications

Not all MFA methods are equal. The following table summarizes their strengths and weaknesses, based on NIST and CISA criteria:

Method	Phishing Resistance	Cost per User	User Experience	Compatibility
SMS	❌ Low (SIM swapping)	$0 (but with hidden risks)	✅ High (only requires a phone)	✅ Universal
TOTP (Google Auth, Authy)	⚠️ Medium (vulnerable to AitM)	$0 (free apps)	⚠️ Medium (requires code entry)	✅ High (most services support it)
Push notifications (Duo, Okta Verify)	⚠️ Medium (alert fatigue)	$2–$5/month (subscription)	✅ High (just tap "Approve")	⚠️ Limited (requires specific app)
FIDO2 (YubiKey, Windows Hello)	✅ High (phishing-resistant)	$20–$50 (physical key)	✅ High (no manual codes)	⚠️ Medium (requires service support)

The choice depends on context. For a budget-conscious SMB, TOTP is a solid starting point—provided it’s paired with phishing awareness training. For companies handling sensitive data (healthcare, finance), FIDO2 is the safest option, though it requires an upfront hardware investment. Push notifications, meanwhile, are convenient but can lead to alert fatigue: a 2022 Microsoft study found that 30% of users approve push notifications without verifying the context, making them vulnerable to MFA fatigue attacks.

Managing resistance to change: the human factor

The biggest obstacle to MFA isn’t technical—it’s cultural. In a 2023 study of 500 LATAM companies (EY Cybersecurity Survey), 68% of employees reported that MFA “slows down their work,” and 42% admitted to disabling it when possible. The solution isn’t enforcement—it’s demonstrating value.

Here are three tactics we’ve validated at CyberShield:

Focus on the "why": Instead of saying “MFA is mandatory,” explain how it protects their work. For example: “If an attacker accesses your account, they could delete the code repository you’ve worked on for the past three months.”
Offer options: Letting users choose between TOTP or FIDO2 (if feasible) reduces the perception of imposition. In one Chilean case, a company allowed employees to use personal phones for TOTP but offered free FIDO2 keys to those who preferred them.
Gamify the process: Some companies have used reward systems (like points redeemable for extra days off) for employees who adopt MFA without incidents in the first 30 days. This isn’t trivial: at an Argentine startup, 85% of employees enabled MFA within a week after implementing this system.

A common mistake is assuming resistance comes only from employees. IT teams can also be reluctant, especially if they perceive MFA as an added burden. Here, the solution is automating management. Tools like Keycloak allow MFA policies to be configured based on Active Directory groups, reducing manual work. For example: “All users in the ‘Finance’ group must use FIDO2; others can use TOTP.”

The legacy system problem: how to avoid breaking MFA

According to a Cisco Cybersecurity Readiness Index, 35% of LATAM companies still rely on legacy systems that don’t natively support MFA. This includes everything from outdated servers to in-house applications developed a decade ago. The solution isn’t to ignore these systems—it’s to wrap them in modern authentication layers.

Three proven approaches:

Authentication proxies: Tools like Authelia or Gluu act as intermediaries between the user and the legacy system. The user logs into the proxy with MFA, and the proxy authenticates to the old system with static credentials. It’s a temporary fix but effective for systems that can’t be updated.
MFA-integrated VPNs: For systems accessible only from the internal network, an MFA-enabled VPN (like WireGuard + Authelia) may suffice. The user authenticates with MFA to access the VPN, then logs into the legacy system without needing a second factor.
Automation scripts: In some cases, it’s possible to modify the legacy application’s code to verify an MFA token before granting access. This requires source code access but is viable for companies with in-house development teams.

A concrete example: a Colombian clinic used a 2010 patient management system that didn’t support MFA. Instead of replacing it (estimated cost: $50,000), they implemented Authelia as a proxy. Doctors now log into Authelia with FIDO2, and the proxy authenticates to the old system with a generic user. The risk of static credentials is mitigated by automatic rotation policies every 30 days.

MFA in the cloud vs. on-premise: the tradeoffs no one tells you about

The choice between cloud (Okta, Duo, Microsoft Entra ID) and on-premise (Keycloak, Authelia) solutions depends on three factors: data sovereignty, cost, and complexity.

Cloud solutions are easier to implement but have hidden drawbacks:

Vendor dependence: If Okta suffers a breach (as in 2022, when attackers accessed its source code), your users could be affected.
Recurring costs: Duo charges $3 per user/month, which for a 500-employee company means $18,000 annually. Keycloak, by contrast, is free but requires in-house infrastructure.
Latency: In regions with limited connectivity (like rural LATAM), cloud solutions can introduce authentication delays.

On-premise solutions require more upfront work but offer advantages:

Full control: Authentication data never leaves your infrastructure, critical for companies with strict regulations (like Mexico’s financial sector or Brazil’s healthcare).
Customization: Keycloak allows authentication flows to be modified to fit internal processes (e.g., integrating with a leave management system to deny access outside working hours).
Resilience: If your internet connection drops, users can still authenticate locally.

At CyberShield, we provide 24/7 cybersecurity for LATAM SMBs using a proprietary stack that includes real-time CVE monitoring and immediate response. For companies with fewer than 50 employees, we recommend starting with on-premise Keycloak: it’s free, scalable, and avoids external dependencies. For larger companies, a hybrid approach (Keycloak for internal systems and Okta for SaaS applications) may be the ideal balance.

Implementing MFA isn’t an IT project—it’s an organizational change. It requires planning, clear communication, and, above all, the willingness to accept that some legacy systems won’t survive the process. But the data is unequivocal: according to the Verizon 2023 Data Breach Investigations Report, 86% of breaches involving credentials could have been prevented with MFA. The question isn’t whether to implement it, but how to do so without the team perceiving it as a hurdle—instead, as another layer of protection for them and the company.