Back to BlogSecurity

MFA Best Practices for 2024

Modern multi-factor authentication strategies that balance security and user experience.

J
Jordan Lee
CTO
December 20, 2023
7 min read

Introduction

Multi-Factor Authentication (MFA) is no longer optional—it's table stakes for any organization serious about security. But as threats evolve, so must our MFA strategies. This guide covers the best practices for implementing MFA in 2024, including which methods to use, which to avoid, and how to balance security with user experience.

The Evolution of MFA

The Old Days: Something You Know + Something You Have

Traditional MFA combined passwords with hardware tokens (RSA SecurID) or SMS codes. This was a significant improvement over passwords alone.

Today: Smarter, Stronger, More Usable

Modern MFA leverages:

  • Biometrics
  • Push notifications
  • Hardware security keys
  • Passwordless authentication
  • Risk-based adaptive MFA

MFA Methods: A Security Comparison

Tier 1: Strongest (Recommended)

FIDO2/WebAuthn Hardware Keys

  • Examples: YubiKey, Google Titan Key
  • Phishing-resistant by design
  • No shared secrets
  • Works offline
  • Best for: High-security accounts, privileged users

Passkeys

  • Built on WebAuthn standard
  • Synced across devices (unlike hardware keys)
  • Phishing-resistant
  • Excellent user experience
  • Best for: Broad rollout, consumer applications

Platform Authenticators

  • Windows Hello, Touch ID, Face ID
  • Biometric + device binding
  • Seamless user experience
  • Best for: Corporate devices, laptop/mobile auth

Tier 2: Good (Acceptable)

Authenticator Apps (TOTP)

  • Examples: Google Authenticator, Microsoft Authenticator, Authy
  • Time-based one-time passwords
  • No network dependency
  • Vulnerable to phishing if user enters code on fake site
  • Best for: General workforce, cost-conscious deployments

Push Notifications

  • Examples: Duo Push, Microsoft Authenticator push
  • Convenient one-tap approval
  • Some phishing risk (MFA fatigue attacks)
  • Best for: General workforce with proper controls

Tier 3: Weak (Avoid if Possible)

SMS/Voice OTP

  • Vulnerable to SIM swapping attacks
  • Can be intercepted
  • Network dependency
  • Better than nothing, but should be avoided for sensitive access
  • Acceptable as: Fallback only, with monitoring

Email OTP

  • Only as secure as your email
  • Creates circular dependency
  • Network dependency
  • Acceptable as: Fallback only, low-sensitivity applications

Best Practices for 2024

1. Default to Phishing-Resistant MFA

The biggest threat to MFA today is phishing. Attackers have become sophisticated at capturing both passwords AND MFA codes in real-time using adversary-in-the-middle (AiTM) attacks.

Action items:

  • Deploy FIDO2 security keys for privileged users
  • Enable passkeys where supported
  • Implement platform authenticators for corporate devices
  • Treat TOTP/push as minimum, not aspirational

2. Combat MFA Fatigue

MFA fatigue attacks (also called "push bombing") involve spamming users with push notifications until they approve one just to make it stop.

Countermeasures:

  • Implement number matching (user must enter displayed number)
  • Show geographic location and app name in push
  • Rate limit push attempts
  • Alert on unusual patterns
  • Train users to report unexpected prompts

3. Implement Risk-Based/Adaptive MFA

Not every login needs the same level of scrutiny. Use context to determine when to step up authentication.

Risk signals to consider:

  • New device or browser
  • Unusual location or impossible travel
  • Login outside business hours
  • Accessing sensitive resources
  • Behavioral anomalies

Adaptive responses:

  • Low risk: SSO without additional MFA
  • Medium risk: Push notification or TOTP
  • High risk: Hardware key or manager approval

4. Have a Strong Fallback Strategy

What happens when a user loses their phone? Good MFA programs plan for this.

Fallback options (in order of preference):

  • Backup hardware key
  • Backup codes (stored securely)
  • Temporary bypass with manager approval
  • Identity verification via video call
  • In-person identity verification

    • Never acceptable:

    • Disabling MFA entirely
    • Permanent bypass accounts
    • Support team disabling MFA without verification

    5. Cover All Access Points

    MFA on your main application is great, but attackers will find unprotected entry points.

    Common gaps:

    • Legacy applications without MFA support
    • Admin consoles and infrastructure access
    • API access and service accounts
    • VPN and remote access
    • Email and calendar (often SSO bypass)

    Solution: Audit all access points and implement MFA consistently using SSO as the control point.

    6. Make It Easy for Users

    Security that's too hard will be circumvented. Optimize for user experience while maintaining security.

    UX best practices:

    • Offer multiple MFA methods (let users choose)
    • Remember devices for reasonable periods
    • Use biometrics where available
    • Minimize prompts for low-risk activities
    • Provide clear self-service enrollment
    • Make recovery straightforward (but secure)

    7. Monitor and Respond

    MFA isn't set-and-forget. Continuously monitor for:

    • Failed MFA attempts
    • Users disabling/changing MFA
    • Unusual enrollment patterns
    • MFA fatigue attack indicators
    • Authentication from risky locations

    MFA Enrollment Strategies

    Option 1: Mandatory Deadline

    Set a date by which all users must have MFA enrolled. Communicate early and often.

    Option 2: Gradual Enforcement

    Start with new users and high-risk accounts. Expand over time.

    Option 3: Incentivized Voluntary

    Offer benefits (reduced password requirements, etc.) for early adopters.

    Option 4: Just-in-Time Enrollment

    Prompt enrollment at next login. User can't proceed without completing.

    Our recommendation: Combination of just-in-time with a firm deadline.

    Implementing MFA with SecurePie

    SecurePie makes MFA implementation straightforward:

    • Multiple Methods - Support for FIDO2, passkeys, TOTP, push, and fallback options
    • Adaptive MFA - Risk-based authentication out of the box
    • Number Matching - Built-in protection against MFA fatigue
    • Self-Service - Users can manage their own MFA methods
    • Reporting - Full visibility into MFA adoption and issues

    Conclusion

    MFA in 2024 is about more than just adding a second factor. It's about:

    • Choosing phishing-resistant methods
    • Implementing adaptive, risk-based authentication
    • Providing excellent user experience
    • Monitoring and responding to threats
    • Covering all access points

    Start with phishing-resistant MFA for your most critical users and accounts. Then expand coverage using adaptive policies that balance security and usability.

    Need help implementing MFA? Schedule a demo to see how SecurePie can strengthen your authentication.

    Related Articles

    Guide

    The Complete Guide to Enterprise SSO for Shopify

    Everything you need to know about implementing Single Sign-On for your Shopify or Shopify Plus store.

    12 min read
    Technical

    SAML vs OAuth: Which Protocol Should You Choose?

    A deep dive into the differences between SAML and OAuth, and when to use each protocol for your authentication needs.

    8 min read
    Security

    Zero Trust Authentication for Ecommerce

    How to implement zero trust principles in your ecommerce authentication strategy to protect against modern threats.

    6 min read

    Ready to secure your Shopify store?

    Join hundreds of merchants using SecurePie for enterprise-grade SSO.

    Start Free TrialTalk to Sales