Deploying multi-factor authentication (MFA) isn’t a switch you flip overnight: it’s a technical and cultural process that demands prioritizing privileged accounts, selecting phishing-resistant methods (FIDO2 over TOTP, TOTP over SMS), and managing internal resistance with concrete data. Available literature suggests that 80% of successful attacks in 2023 involved compromised credentials, yet fewer than 30% of SMEs in Latin America have adopted MFA across all critical systems.
Why SMS is an obsolete MFA method (and what NIST says about it)
In 2016, NIST SP 800-63B (Digital Identity Guidelines) explicitly discouraged the use of SMS as a second authentication factor. The technical reason is clear: text messages travel over SS7 networks, a 1970s protocol lacking encryption and vulnerable to interception attacks (SIM swapping, message redirection). A 2022 report by CISA confirmed that 90% of successful phishing attacks against MFA used SMS- or email-based methods.
Yet in Latin America, SMS remains the most common MFA method. Why? Because it’s “easy” and “doesn’t require additional hardware.” But that convenience comes at a cost: in 2023, CyberShield documented three cases where Chilean and Mexican companies lost access to critical systems due to SIM swapping attacks targeting executives. In two of those cases, attackers redirected authentication SMS messages to numbers under their control in under 15 minutes.
The MFA security hierarchy, according to NIST and CISA, is as follows:
- FIDO2 (hardware keys): phishing-resistant, no internet connection required, compatible with open standards (WebAuthn). Examples: YubiKey, Google Titan.
- TOTP (Time-based One-Time Password): generated by apps like Google Authenticator or Authy. Vulnerable to phishing if the user enters the code on a fake site, but more secure than SMS.
- Push notifications: convenient, but vulnerable to “MFA fatigue” attacks (bombarding users with notifications until they give in). Examples: Duo Security, Okta Verify.
- SMS/email: obsolete, not recommended for critical systems.
Privileged accounts first: the golden rule of gradual deployment
The most common mistake in MFA implementation is applying it indiscriminately to all users from day one. This generates internal resistance (“I don’t have time for this”), overloads the support team (“Why can’t I access my email?”), and in some cases, temporarily locks critical systems.
The correct strategy is to prioritize privileged accounts: system administrators, executives with access to sensitive data, and users with elevated permissions in SaaS applications (e.g., AWS, Google Workspace, or payroll tools). According to a Gartner (2022) study, 70% of successful attacks on mid-sized companies involved the compromise of at least one privileged account.
At CyberShield, we’ve found that a phased deployment reduces internal resistance by 60%. The typical timeline we recommend is:
- Phase 1 (weeks 1-2): privileged accounts (administrators, executives). Method: FIDO2 or TOTP.
- Phase 2 (weeks 3-4): users with access to sensitive data (HR, finance, legal). Method: TOTP or push notifications.
- Phase 3 (weeks 5-6): the rest of the team. Method: TOTP (to minimize costs).
A concrete case: a Colombian SME in the healthcare sector implemented MFA for its 15 privileged accounts in one week. In the second week, a phishing attack targeting an administrator was blocked because the attacker couldn’t bypass the second factor (a YubiKey). Without MFA, the attack would have compromised the clinical records system.
Authelia vs. Keycloak vs. Authentik: open-source stack for MFA without vendor lock-in
For companies seeking to avoid dependency on vendors like Okta or Duo (and their recurring costs), robust open-source alternatives exist. The choice depends on three factors: technical complexity, scalability, and compatibility with the existing stack.
| Tool | Advantages | Disadvantages | Supported MFA Methods |
|---|---|---|---|
| Authelia | Lightweight, easy to deploy, good documentation. Ideal for SMEs with simple infrastructure. | No graphical interface for user management. Requires manual configuration of access rules. | TOTP, WebAuthn (FIDO2), push notifications (via Duo or Pushbullet). |
| Keycloak | Supports SSO (Single Sign-On), integrates with LDAP/Active Directory, full graphical interface. | Steep learning curve. Requires more server resources. | TOTP, WebAuthn, push notifications, SMS (not recommended), email OTP. |
| Authentik | Focus on automation (customizable authentication flows), good Kubernetes integration. | Less mature documentation than Keycloak. Lower adoption in Latin America. | TOTP, WebAuthn, push notifications, SMS (not recommended). |
A successful deployment example: a Peruvian fintech with 50 employees migrated from Google Authenticator (TOTP) to Authelia + YubiKeys for its 10 privileged accounts. The total cost was USD 500 (10 YubiKeys at USD 50 each) and two weeks of configuration. The ROI was measured in reduced phishing incidents: from 3-4 monthly attempts (with 1 success in 2022) to zero in the last 6 months.
For companies preferring commercial solutions, Okta and Duo are valid options, but with caveats:
- Okta: robust but expensive (USD 3-8 per user/month). In 2023, it suffered a breach in its support system that exposed customer data. It’s not immune to vulnerabilities.
- Duo: more affordable (USD 3 per user/month), but its push notification method is vulnerable to MFA fatigue attacks. In 2022, Cisco (Duo’s parent company) recommended disabling push for privileged accounts.
Change management: how to sell MFA internally (without preaching)
Resistance to MFA isn’t technical—it’s cultural. The most common arguments against it are:
- “It’s inconvenient; I waste time.”
- “I already have a strong password—why do I need more?”
- “This is for big companies, not for us.”
The key to overcoming this resistance is framing MFA as a productivity tool, not a security obstacle. Some effective strategies:
- Concrete data, not fear: instead of saying “80% of attacks use stolen credentials,” show real cases from similar companies. Example: “In 2023, a logistics SME in Mexico lost USD 120K because an employee entered their password in a fake email. With MFA, that attack would have been stopped in 10 seconds.”
- Practical demonstrations: organize a 15-minute session simulating a phishing attack with and without MFA. Use tools like GoPhish to send a fake email and show how MFA blocks access even if the user enters their password.
- Focus on convenience: highlight that MFA can reduce friction. Example: with SSO + MFA, users only enter their password once a day (instead of every time they open an app).
- Incentives, not punishments: at a software development company in Argentina, the IT team offered an extra day of remote work to departments that adopted MFA within a week. 90% complied.
A common mistake is assuming resistance comes only from employees. In reality, the biggest opponents are often team leaders, who see MFA as a waste of time. For them, the argument must be financial: “Every hour an administrator spends recovering access to a compromised system costs USD 50 in lost productivity. With MFA, that risk is reduced by 99%.”
The legacy systems problem: how to protect what doesn’t support MFA
In Latin America, many SMEs rely on legacy systems that don’t support MFA: 1990s accounting software, local databases without modern authentication, or in-house applications developed without security standards. How do you protect these archaeological relics?
The options, ranked from most to least secure:
- Authentication proxy: tools like Duo Authentication Proxy or Authelia act as intermediaries between the user and the legacy system. The user authenticates with MFA on the proxy, which then passes credentials to the legacy system. Advantage: transparent for the user. Disadvantage: requires technical configuration.
- VPN with MFA: if the legacy system is only accessible from the local network, implement a VPN with MFA (e.g., WireGuard + Authelia). This way, even if the system doesn’t support MFA, network access does.
- Network segmentation: isolate legacy systems on a separate network, accessible only from specific workstations (which do have MFA). Example: a manufacturing company in Brazil isolated its legacy inventory system in a VLAN accessible only from two computers in the logistics office. Those computers required MFA to log in.
- Static passwords + forced rotation: if none of the above are viable, at least implement extremely long static passwords (20+ characters) with rotation every 30 days. Not ideal, but better than nothing.
A real case: an Ecuadorian SME in the agro-industrial sector depended on harvest management software developed in Visual Basic 6.0. The system didn’t support MFA or even complex passwords. The solution was implementing an authentication proxy with Authelia: users logged into a web page with MFA (TOTP), and Authelia passed the credentials to the legacy system. The cost was USD 0 (Authelia is open-source) and two days of configuration.
Metrics to measure success (and justify ROI)
Implementing MFA isn’t a “set it and forget it” project. It requires continuous monitoring to detect bypass attempts, users disabling MFA, or methods that are no longer secure. These are the key metrics we recommend at CyberShield:
- Adoption rate: % of users with MFA enabled. Goal: 100% for privileged accounts, 90%+ for the rest.
- Blocked phishing attempts: number of times MFA stopped an attack. Example: “In the last month, MFA blocked 5 unauthorized access attempts to administrator accounts.”
- Incident recovery time: before vs. after MFA. Example: “Before MFA, recovering access to a compromised account took 2 hours. Now it takes 5 minutes.”
- Most used MFA methods: identify whether users prefer TOTP, push, or hardware keys. If 80% use SMS, it’s a sign that migration to more secure methods is needed.
- MFA-related support requests: if the IT team receives 50 weekly tickets for “I can’t access,” it signals that the onboarding process was deficient.
An example of an effective dashboard:
MFA Adoption:
- Privileged accounts: 100% (15/15)
- Standard users: 85% (42/49)
Phishing Attempts Blocked (last 30 days): 7
- 4 via TOTP
- 3 via WebAuthn
Avg. Incident Recovery Time:
- Before MFA: 120 min
- After MFA: 5 min
Top MFA Methods:
1. TOTP (60%)
2. WebAuthn (30%)
3. Push (10%)
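The dashboard above can be produced directly from an identity-provider export and its audit log. The script below is an added example (not CyberShield's tooling) that computes adoption per tier, method shares and attempts stopped at the second factor, and raises the alerts the metrics list describes; the user records, audit events and the 50% SMS threshold are constructed for illustration.

```python
from collections import Counter
# Constructed IdP export (not real data): one record per account; "mfa" is the enrolled method.
USERS = [
    {"user": "admin1", "privileged": True,  "mfa": "webauthn"},
    {"user": "admin2", "privileged": True,  "mfa": "totp"},
    {"user": "cfo",    "privileged": True,  "mfa": "totp"},
    {"user": "hr1",    "privileged": False, "mfa": "totp"},
    {"user": "hr2",    "privileged": False, "mfa": "sms"},
    {"user": "ops1",   "privileged": False, "mfa": "push"},
    {"user": "ops2",   "privileged": False, "mfa": None},
    {"user": "sales1", "privileged": False, "mfa": "sms"},
]
# Constructed audit events: "denied_second_factor" = password accepted, second factor failed,
# i.e. an access attempt that MFA stopped.
EVENTS = [
    {"user": "admin1", "method": "webauthn", "outcome": "denied_second_factor"},
    {"user": "admin2", "method": "totp",     "outcome": "denied_second_factor"},
    {"user": "admin2", "method": "totp",     "outcome": "denied_second_factor"},
    {"user": "hr1",    "method": "totp",     "outcome": "success"},
]
TARGETS = {"privileged": 1.0, "standard": 0.9}  # adoption goals stated in the article
SMS_WARNING_SHARE = 0.5                          # assumed threshold for the migration alert

def adoption(users):
    """Per tier: (enabled, total, rate)."""
    out = {}
    for tier, priv in (("privileged", True), ("standard", False)):
        group = [u for u in users if u["privileged"] == priv]
        enabled = sum(1 for u in group if u["mfa"])
        out[tier] = (enabled, len(group), enabled / len(group) if group else 0.0)
    return out

def method_shares(users):
    """Share of each enrolled method among users that have MFA, most common first."""
    counts = Counter(u["mfa"] for u in users if u["mfa"])
    total = sum(counts.values())
    return {m: n / total for m, n in counts.most_common()}

def blocked_by_method(events):
    return Counter(e["method"] for e in events if e["outcome"] == "denied_second_factor")

def alerts(users):
    msgs = []
    for tier, (enabled, total, rate) in adoption(users).items():
        if rate < TARGETS[tier]:
            msgs.append(f"{tier}: {enabled}/{total} below target {TARGETS[tier]:.0%}")
    if method_shares(users).get("sms", 0) >= SMS_WARNING_SHARE:
        msgs.append("sms share too high: plan migration to TOTP/WebAuthn")
    return msgs
```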
The future: passwordless MFA (and why it’s not science fiction)
The FIDO2 Passkeys standard is eliminating the need for passwords entirely. Instead of entering a password + second factor, the user authenticates with a single gesture: fingerprint, facial recognition, or a local PIN (which never leaves the device).
Advantages of Passkeys:
- Phishing-resistant: Passkeys are tied to a specific domain (e.g., they only work on yourdomain.com, not notyourdomain-login.com).
- No passwords: eliminates the risk of weak or reused passwords.
- Seamless user experience: one click or tap.
Challenges:
- Limited adoption: not all services support Passkeys yet (though Google, Microsoft, and Apple already do).
- Account recovery: if you lose your device, you need an alternative method (e.g., a backup Passkey on another device).
- Initial cost: requires compatible hardware (e.g., iPhone with Face ID or Android with fingerprint).
In Latin America, Passkeys aren’t mainstream yet, but companies like Mercado Pago are already implementing them for user authentication. For SMEs, the recommendation is to start testing Passkeys in internal systems (e.g., authentication for the corporate website’s admin panel) and monitor adoption.
The transition to a passwordless world won’t happen overnight, but traditional MFA is the necessary bridge. As Bruce Schneier wrote in his book Click Here to Kill Everybody (2018): “Multi-factor authentication isn’t perfect, but it’s the best balance between security and usability we have today.”
Implementing MFA isn’t an IT project—it’s a business project. It reduces risks, protects productivity, and in many cases, saves money. The CyberShield team has seen how companies that adopted MFA gradually not only improved their security posture but also gained customer and partner trust. The question is no longer whether to implement MFA, but how to do it without stalling the team. The answer lies in prioritizing, choosing phishing-resistant methods, and managing change with data, not fear.
Sources
- NIST Special Publication 800-63B (2020). Digital Identity Guidelines: Authentication and Lifecycle Management. URL: https://pages.nist.gov/800-63-3/sp800-63b.html.
- CISA (2022). Implementing Phishing-Resistant MFA. URL: https://www.cisa.gov/resources-tools/services/phishing-resistant-mfa.
- Gartner (2022). Market Guide for User Authentication. Document ID: G00759717.
- FIDO Alliance (2023). FIDO2: Web Authentication (WebAuthn). URL: https://fidoalliance.org/fido2/.
- Schneier, B. (2018). Click Here to Kill Everybody: Security and Survival in a Hyper-connected World. W. W. Norton & Company.
- Public case: Cisco Duo (2022). Understanding Duo Push Approvals. URL: https://www.cisco.com/c/en/us/support/docs/security/duo-security/217597-understanding-duo-push-approvals.html.
- Public case: Okta breach (2023). BleepingComputer. Okta breach impacted all its customer support users. URL: https://www.bleepingcomputer.com/news/security/okta-breach-impacted-all-its-customer-support-users/.
- Authelia Documentation (2023). Proxy Integration. URL: https://www.authelia.com/integration/proxies/.
- Keycloak Documentation (2023). Multi-Factor Authentication. URL: https://www.keycloak.org/docs/latest/server_admin/#_multi_factor_authentication.
- Mercado Pago (2023). Passkeys: a more secure and easier way to access. URL: https://www.mercadopago.com.ar/ayuda/passkeys_4799.
