Understanding MFA
Multi-Factor Authentication requires users to provide two or more independent authentication factors from different categories: knowledge factors (passwords, PINs), possession factors (mobile devices, hardware tokens, smart cards), and inherence factors (fingerprints, facial recognition). By combining factors from different categories, MFA ensures that compromising a single factor (such as a stolen password) is insufficient to gain access.
MFA methods vary significantly in security strength. SMS-based codes are the weakest common form, vulnerable to SIM swapping and interception. Authenticator apps (TOTP) provide stronger protection. Hardware security keys (FIDO2/WebAuthn) offer the strongest protection, providing phishing-resistant authentication that cannot be intercepted or replayed by attackers.
MFA Impact on Security
MFA blocks over 99% of automated credential attacks. Given that stolen credentials are involved in over half of all data breaches, MFA is one of the most effective security controls an organization can implement. It is now a baseline requirement for cyber insurance, a standard expectation in compliance frameworks, and a fundamental component of Zero Trust architecture.
MFA Requirements for San Diego Businesses
Every major compliance framework relevant to San Diego businesses requires or strongly recommends MFA. HIPAA expects MFA for ePHI access. SOC 2 requires it as a standard control. PCI-DSS mandates it for remote access and for administrative access to cardholder data. CMMC requires phishing-resistant MFA for privileged accounts. Cyber insurance applications now routinely require MFA on all remote access, email, admin accounts, and cloud services; applicants without MFA face higher premiums or denial of coverage.