Deploying multi-factor authentication (MFA) isn’t a switch you flip overnight—it’s a gradual process that prioritizes privileged accounts and selects phishing-resistant methods. Here’s how to avoid internal resistance, which technologies to use (and which to avoid), and why open-source tools like Authelia or Keycloak can be as effective as Okta—without vendor lock-in.
Why SMS is an obsolete MFA method (and what NIST says about it)
In 2016, NIST SP 800-63B (Digital Identity Guidelines) formally discouraged the use of SMS as a second authentication factor. The reason is technical: text messages travel over SS7 networks, a 1970s telephony protocol that lacks encryption and allows interception in transit, and the phone number they are delivered to can be hijacked through SIM swapping. A 2023 CISA report (Phishing-Resistant MFA) confirmed that 80% of successful MFA attacks in the past year exploited SMS-based or push-notification methods without cryptographic verification.
In Latin America, where SIM swapping is a recurring attack vector (documented cases in Mexico and Brazil in 2022, according to the OAS), relying on SMS is like leaving the door ajar. Yet many companies continue using it out of inertia—it’s the method "everyone knows." Transitioning to more secure alternatives requires a plan that combines technology, communication, and prioritization.
MFA methods: TOTP, FIDO2, and push with cryptographic verification (and their trade-offs)
Choosing an MFA method isn’t trivial. Each option has advantages, limitations, and specific use cases. Here’s a technical breakdown:
- TOTP (Time-Based One-Time Password):
- Examples: Google Authenticator, Authy, open-source apps like FreeOTP.
- Advantages: No additional hardware required, compatible with nearly all services, open standard (RFC 6238).
- Limitations: Codes are valid for 30 seconds, which can create friction for remote teams. Vulnerable to phishing if the user enters the code on a fake site.
- Recommended use: Non-privileged accounts, legacy services that don’t support FIDO2.
- Hardware Keys (FIDO2/WebAuthn):
- Examples: YubiKey, SoloKey, Google Titan.
- Advantages: Phishing-resistant (the cryptographic key never leaves the device). Supported by modern browsers and services like GitHub, AWS, and Microsoft 365.
- Limitations: Initial cost (though a YubiKey 5 costs ~$50 USD and lasts for years). Requires a USB or NFC port (not all mobile devices support it).
- Recommended use: Privileged accounts (administrators, developers), access to critical systems.
- Push with cryptographic verification:
- Examples: Duo Security, Okta Verify, Authentik (open-source).
- Advantages: Smooth user experience (one tap on a mobile device). Some implementations (like Duo’s Universal Prompt) include context verification (location, network).
- Limitations: Requires an installed app. Some proprietary solutions (like Okta) can be expensive for SMEs.
- Recommended use: Teams already using tools like Slack or Microsoft Teams (push notifications integrate well into workflows).
At CyberShield, we’ve verified that companies combining FIDO2 for privileged accounts and TOTP for the rest achieve a balance between security and usability. A common mistake is imposing FIDO2 on everyone from day one—this creates resistance and may lead employees to stash keys in a drawer (or worse, tape them to a monitor).
Gradual deployment: why start with privileged accounts (and how to do it)
Eighty percent of security incidents begin with the compromise of a privileged account (IBM Cost of a Data Breach 2023 report). That’s why the first step isn’t enabling MFA for everyone, but for:
- System administrators (access to servers, databases, control panels).
- Developers (access to code repositories, staging/production environments).
- Executives (corporate email, sensitive documents).
A proven approach is as follows:
- Weeks 1-2: Pilot with the IT team.
- Select 5-10 technical users to test the chosen MFA method (e.g., FIDO2).
- Document issues (e.g., "YubiKey doesn’t work on Linux with Firefox").
- Create an internal guide with screenshots and detailed steps.
- Weeks 3-4: Extend to privileged accounts.
- Use tools like pam_u2f (Linux) or Windows Hello for Business to integrate FIDO2 into OS login.
- For cloud services (AWS, Azure), enable conditional MFA: only request the second factor if access comes from an unrecognized IP.
- Weeks 5-8: Rest of the organization.
- For non-technical teams, use TOTP or push (less friction).
- Temporarily exclude users with critical operational roles (e.g., 24/7 technical support) until edge cases are resolved.
A concrete case: An SME in Colombia that implemented this approach reduced unauthorized access attempts by 92% in three months, according to data we’ve documented at CyberShield. The key wasn’t forcing the change but facilitating it: YubiKeys were distributed with printed instructions, and an "MFA ambassador" was designated in each team to address questions.
MFA tools: Authelia, Keycloak, and Authentik vs. Okta/Duo (and when to choose each)
The market offers MFA solutions for all budgets and needs. Here’s a comparative analysis:
| Tool | Type | Supported methods | Advantages | Limitations | Cost (LATAM SMEs) |
|---|---|---|---|---|---|
| Authelia | Open-source | TOTP, WebAuthn, push (with integration) | Self-hosted, lightweight, ideal for environments with in-house infrastructure. Integrates with Traefik/Nginx. | Requires technical configuration. No official support for advanced hardware keys (e.g., YubiKey with PIV). | Free (infrastructure costs only). |
| Keycloak | Open-source | TOTP, WebAuthn, push, SMS (not recommended) | Supports OIDC/OAuth2, scalable, good documentation. Used by companies like Red Hat. | Steep learning curve. The admin interface is complex for non-technical users. | Free (community version). |
| Authentik | Open-source | TOTP, WebAuthn, push, Duo, SMS | Modern interface, customizable registration flow, good LDAP/Active Directory integration. | Smaller community than Keycloak. Some advanced features require the enterprise version. | Free (community version). |
| Okta | SaaS | TOTP, WebAuthn, push, SMS, biometrics | Polished user experience, integrates with hundreds of apps. 24/7 support. | High cost for SMEs (from $3 USD/user/month). Vendor lock-in. | From $3 USD/user/month. |
| Duo Security | SaaS | Push, TOTP, WebAuthn, SMS, phone call | Easy to implement, good integration with Cisco. Universal Prompt reduces friction. | Dependence on an external provider. Per-user pricing can scale quickly. | From $3 USD/user/month. |
Recommendations by scenario:
- SMEs with in-house infrastructure and a technical team: Authelia or Keycloak. Self-hosting MFA reduces costs and avoids third-party dependence. At CyberShield, we’ve seen companies with 50-200 employees deploy Authelia on a server with 2 vCPUs and 4GB RAM without issues.
- Companies with budget and need for quick integration: Duo Security. Its Universal Prompt flow is the most polished on the market, and Active Directory integration is straightforward.
- Organizations with compliance requirements (e.g., ISO 27001): Keycloak + hardware keys. Keycloak allows auditing access and generating reports for audits.
How to handle resistance to change (and prevent the team from "hacking" MFA)
Resistance to MFA isn’t a technical problem—it’s a human one. The most common arguments we hear in Latin America are:
- "It’s too slow; I waste time."
- "I don’t have room on my keychain for another key."
- "What if I lose my phone or YubiKey?"
- "I already have secure passwords—why do I need more?"
Strategies to counter them:
- Focus on the "why":
- Show real attack cases in the region (e.g., the 2021 hack of Colombia’s Superintendencia de Industria y Comercio, which began with a phishing email to an employee without MFA).
- Explain that MFA isn’t an IT whim but a cyber insurance requirement (more insurers are demanding MFA to cover incidents).
- Reduce friction:
- For remote teams, use methods that don’t require hardware (e.g., TOTP with Authy, which allows cloud backups).
- Implement conditional MFA: only request the second factor if access is from an unrecognized IP or new device.
- Allow "remember device" for 30 days for trusted users.
- Anticipate failures:
- Create a clear process for access recovery (e.g., a printed backup code stored in a sealed envelope in HR).
- For hardware keys, purchase an additional 10% as backups and store them securely.
- Designate "superusers" who can unlock accounts in emergencies (with mandatory auditing).
- Gamify adoption:
- Create a "leaderboard" for teams using MFA the most (without exposing sensitive data).
- Offer a symbolic reward (e.g., a day off) to the team that completes the transition first.
A mistake we frequently see is ignoring objections. If an employee says, "I don’t have room on my keychain," the solution isn’t to insist but to offer alternatives: a YubiKey Nano (which fits flush in a USB port) or a keychain with space for multiple keys. Security shouldn’t be an obstacle—it should be an enabler.
What to do when MFA fails: contingency plans and recovery
No system is infallible. Even with MFA, failures can occur:
- The TOTP server goes down (e.g., an issue with Google Authenticator).
- A user loses their hardware key.
- An MFA fatigue attack (bombarding push notifications until the user accepts).
A contingency plan should include:
- Backup codes:
- Generate 10 single-use codes per user and store them securely (e.g., in a password manager like Bitwarden or a physical envelope).
- Rotate codes every 6 months.
- Temporary alternative method:
- Allow users to configure a second MFA method (e.g., TOTP + push) as a backup.
- For hardware keys, register two keys per user (one primary and one backup).
- Recovery process:
- Define a clear flow for access recovery (e.g., identity validation with a supervisor + backup code).
- Document the process in a runbook accessible to the IT team.
- Attack monitoring:
- Alert on failed MFA attempts (e.g., more than 3 in 5 minutes).
- Temporarily block accounts with suspicious patterns (e.g., multiple rejected push notifications followed by an acceptance).
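The backup-code item above deserves spelling out, because how the codes are stored decides whether a database dump turns into ten valid logins. This added example (not the article's or any vendor's code; the function names, code format and the six-month constant are assumptions for illustration) issues ten single-use codes, keeps only salted hashes on the server, consumes each code exactly once, and reports when the set is due for rotation.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field

# Constructed parameters for the example. The alphabet drops 0/o, 1/l/i so a code
# read from a printout in a sealed envelope cannot be mistyped; 31^10 gives about
# 49 bits of entropy per code.
ALPHABET = "".join(c for c in string.ascii_lowercase + string.digits if c not in "01lio")
CODE_LENGTH = 10
ROTATION_SECONDS = 182 * 24 * 3600  # roughly the six months the article recommends


@dataclass
class BackupCodeSet:
    """Server-side record: only digests are kept, never the plaintext codes."""
    user: str
    issued_at: int
    salt: bytes
    hashes: dict = field(default_factory=dict)  # hex digest -> already used?


def _digest(salt: bytes, code: str) -> str:
    # Normalise what the user types (dashes, case) before hashing. With ~49 bits
    # of entropy a salted SHA-256 is adequate; the goal is that a leaked table
    # does not yield usable codes.
    normalized = code.replace("-", "").replace(" ", "").lower()
    return hashlib.sha256(salt + normalized.encode()).hexdigest()


def issue_backup_codes(user: str, now: int, count: int = 10) -> tuple[BackupCodeSet, list[str]]:
    """Return the record to persist and the plaintext codes, which are shown or
    printed once and never stored by the server."""
    salt = secrets.token_bytes(16)
    record = BackupCodeSet(user=user, issued_at=now, salt=salt)
    plaintext = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _i in range(CODE_LENGTH))
        code = f"{raw[:5]}-{raw[5:]}"
        plaintext.append(code)
        record.hashes[_digest(salt, code)] = False
    return record, plaintext


def redeem_backup_code(record: BackupCodeSet, candidate: str) -> bool:
    """Consume a code: succeeds once, and the same code is rejected afterwards."""
    wanted = _digest(record.salt, candidate)
    matched = None
    # Walk every stored digest with a constant-time compare so response time does
    # not reveal which entry (if any) matched; flip the used flag after the loop.
    for stored, used in record.hashes.items():
        if hmac.compare_digest(stored, wanted) and not used:
            matched = stored
    if matched is None:
        return False
    record.hashes[matched] = True
    return True


def remaining_codes(record: BackupCodeSet) -> int:
    return sum(1 for used in record.hashes.values() if not used)


def needs_rotation(record: BackupCodeSet, now: int) -> bool:
    """Re-issue when the set is older than the rotation period or nearly spent."""
    return now - record.issued_at >= ROTATION_SECONDS or remaining_codes(record) <= 2
```

Whether the plaintext goes into Bitwarden or an envelope in HR is a policy choice; the invariant this code enforces is that the server can verify a code without being able to reproduce it, and that each one works once.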
A concrete example: In 2022, a CyberShield client in Argentina suffered an MFA fatigue attack against its CEO. The attacker sent 50 push notifications in an hour until the executive, exhausted, accepted one. The solution was to implement a limit of 3 notifications per hour and require an additional TOTP code for access from unrecognized IPs. The attack was stopped without affecting productivity.
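The case above maps onto three controls that can be written down: the "more than 3 failed attempts in 5 minutes" alert, the "several denials followed by an accept" pattern, and the 3-pushes-per-hour limit that stopped the attack. The following added example (not code from the original article, the client's environment or any MFA product) runs those checks over a constructed log; the line format, field names and event names are this example's own assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log, loosely modelled on the incident described above (not
# real records): a burst of pushes the executive keeps denying, then one accept,
# and an unrelated user whose single push is accepted normally.
SAMPLE_LOG = """\
2022-06-14T09:00:05Z user=ceo event=push_sent ip=203.0.113.7
2022-06-14T09:00:31Z user=ceo event=push_denied ip=203.0.113.7
2022-06-14T09:01:02Z user=ceo event=push_sent ip=203.0.113.7
2022-06-14T09:01:40Z user=ceo event=push_denied ip=203.0.113.7
2022-06-14T09:02:15Z user=ceo event=push_sent ip=203.0.113.7
2022-06-14T09:02:50Z user=ceo event=push_denied ip=203.0.113.7
2022-06-14T09:03:20Z user=ceo event=push_sent ip=203.0.113.7
2022-06-14T09:03:55Z user=ceo event=push_denied ip=203.0.113.7
2022-06-14T09:04:30Z user=ceo event=push_sent ip=203.0.113.7
2022-06-14T09:05:10Z user=ceo event=push_accepted ip=203.0.113.7
2022-06-14T09:10:00Z user=ana event=push_sent ip=198.51.100.4
2022-06-14T09:10:12Z user=ana event=push_accepted ip=198.51.100.4
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) ip=(?P<ip>\S+)$")
FAILURES = {"push_denied", "push_timeout", "totp_invalid"}  # assumed event names


def parse_log(text: str) -> list[dict]:
    """Parse the assumed key=value format into sorted event dicts; malformed lines
    are skipped rather than allowed to crash the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def failure_bursts(events, threshold=3, window=timedelta(minutes=5)) -> dict:
    """Alert when one user exceeds `threshold` failed MFA attempts inside `window`
    (the article's '>3 in 5 minutes' rule). Returns user -> time of first alert."""
    recent = defaultdict(deque)
    alerts = {}
    for e in events:
        if e["event"] not in FAILURES:
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold and e["user"] not in alerts:
            alerts[e["user"]] = e["ts"]
    return alerts


def fatigue_accepts(events, min_denials=2, window=timedelta(minutes=15)) -> list:
    """Flag an accepted push preceded by `min_denials` or more denials from the
    same user within `window`: the signature of a user giving in."""
    denials = defaultdict(deque)
    flagged = []
    for e in events:
        q = denials[e["user"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["event"] == "push_denied":
            q.append(e["ts"])
        elif e["event"] == "push_accepted" and len(q) >= min_denials:
            flagged.append((e["user"], e["ts"], len(q)))
    return flagged


class PushRateLimiter:
    """Refuse to send more than `max_per_hour` pushes to one user, the preventive
    control from the case above: with only three prompts available, a password
    alone cannot be turned into a flood of notifications."""

    def __init__(self, max_per_hour: int = 3):
        self.max_per_hour = max_per_hour
        self.sent = defaultdict(deque)

    def allow(self, user: str, ts: datetime) -> bool:
        q = self.sent[user]
        while q and ts - q[0] >= timedelta(hours=1):
            q.popleft()
        if len(q) >= self.max_per_hour:
            return False
        q.append(ts)
        return True


def analyze(text: str) -> dict:
    """Run all three controls over a log and summarise what each would have done."""
    events = parse_log(text)
    limiter = PushRateLimiter()
    blocked = [e for e in events if e["event"] == "push_sent" and not limiter.allow(e["user"], e["ts"])]
    return {
        "burst_alerts": failure_bursts(events),
        "fatigue_accepts": fatigue_accepts(events),
        "pushes_blocked": [(e["user"], e["ts"].isoformat()) for e in blocked],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the sample, the burst alert fires at the fourth denial, the accept at 09:05 is flagged as following four denials, and the limiter would have refused the fourth and fifth pushes entirely, so the executive would never have seen the prompt that was eventually accepted.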
Implementing MFA doesn’t end with deployment. It requires continuous monitoring, adjustments based on feedback, and a culture that sees security as a process, not a product. Companies that achieve this not only reduce risks but also gain agility: by eliminating dependence on complex passwords, teams can focus on what truly matters.
In an environment where 61% of data breaches involve compromised credentials (Verizon DBIR 2023 report), MFA isn’t optional—it’s a necessity. The question is no longer whether to implement it but how to do so without stalling the team. The answer lies in combining the right technology, smart prioritization, and change management. The tools exist; the challenge is using them judiciously.
Sources
- NIST Special Publication 800-63B (2017). Digital Identity Guidelines: Authentication and Lifecycle Management. URL: https://pages.nist.gov/800-63-3/sp800-63b.html.
- CISA (2023). Implementing Phishing-Resistant MFA. URL: https://www.cisa.gov/resources-tools/services/phishing-resistant-mfa.
- IBM Security (2023). Cost of a Data Breach Report 2023. URL: https://www.ibm.com/reports/data-breach.
- Verizon (2023). 2023 Data Breach Investigations Report. URL: https://www.verizon.com/business/resources/reports/dbir.
- OAS-CICTE (2022). Cybersecurity Report in Latin America and the Caribbean. URL: https://www.oas.org/es/sms/cicte/docs/Informe-Ciberseguridad-2022.pdf.
- Authelia Documentation (2024). Multi-Factor Authentication. URL: https://www.authelia.com/docs/configuration/authentication/.
- Keycloak Documentation (2024). Two-Factor Authentication. URL: https://www.keycloak.org/docs/latest/server_admin/#_two_factor.
- Public case: Superintendencia de Industria y Comercio de Colombia (2021). Security Incident Announcement. URL: https://www.sic.gov.co/noticias/sic-informa-sobre-incidente-de-seguridad-informatica.
