Blog WatchGuard

Why Multi-Factor Authentication (MFA) Is No Longer Optional

Credential theft remains the most direct way to gain access to a corporate network. Why are so many organizations failing to implement MFA?

Passwords are still necessary, but they are no longer sufficient. Using long, unique, and hard-to-guess passphrases remains best practice. The problem is what happens when one of those passwords falls into the wrong hands: the system doesn’t detect an intrusion—it simply sees a legitimate login. From that point on, the attacker moves through the environment like any other user.

This is not a theoretical scenario. The campaign targeting Snowflake customers in 2024 made that clear: attackers used credentials stolen via infostealer malware to access accounts that did not have MFA enabled. Without exploiting any vulnerabilities. Without any sophisticated techniques. Just a username, a password, and an open door. The result: more than 165 organizations compromised, including companies such as Ticketmaster, Santander, and AT&T, according to research published by Mandiant.

And this wasn’t an isolated case. In early 2026, Dark Reading reported on a similar campaign in which a single actor compromised around 50 companies by accessing collaboration platforms including ShareFile and Nextcloud. The same pattern: credentials stolen through infostealers and accounts without MFA enabled. The common denominator isn’t the sophistication of the attack, but the absence of a basic security control.

A Problem with Adoption, not Technology 

Multi-factor authentication isn’t new. The technology exists, it’s accessible, and its effectiveness is proven. According to figures from Microsoft, using MFA reduces the risk of account compromise by 99.2%. Why, then, hasn’t it been widely adopted?

The global MFA survey by the Cyber Readiness Institute (2024), covering nearly 2,300 SMBs, reveals that almost two-thirds do not use MFA. The global adoption rate sits at just 35%. The most commonly cited barriers are cost, lack of resources and, above all, the perception that it isn’t a priority.

This isn’t a problem that only affects SMBs. The large organizations compromised in the Snowflake incidents weren’t companies lacking security resources. They were organizations with teams, budgets, and mature cybersecurity programs that simply hadn’t enabled MFA across all of their services.

What MFA Delivers in Practice

MFA adds a second verification factor that prevents a stolen password from being enough to access an account. That’s the core benefit. In practice, however, the impact goes further.

When applied consistently, MFA limits an attacker’s ability to move laterally within the network. Each attempt to access a new service or resource requires additional verification, significantly reducing the impact of a security breach.

Today's MFA solutions don’t just prompt for a code. Many evaluate the context of the access request—such as the device being used, the user’s location, and the network they’re connecting from—to adjust the level of verification based on the actual risk. This makes it possible to secure remote access without relying exclusively on VPNs or the network perimeter.
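The context evaluation described above can be sketched as a small policy function. This is an added example, not WatchGuard code or AuthPoint's actual logic; the level names (`mfa_standard`, `mfa_step_up`, `deny`), the thresholds, and all sample users, devices and networks are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy data for illustration only.
TRUSTED_NETWORKS = [ip_network("10.20.0.0/16")]   # corporate ranges
EXPECTED_COUNTRIES = {"ES", "US"}                 # where staff normally work
ENROLLED_DEVICES = {"alice": {"dev-a1"}}          # user -> enrolled device ids


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    country: str
    source_ip: str
    sensitive_app: bool = False


def risk_signals(req: AccessRequest) -> list[str]:
    """Collect the context signals the paragraph names: device, location, network."""
    signals = []
    if req.device_id not in ENROLLED_DEVICES.get(req.user, set()):
        signals.append("unknown_device")
    if req.country not in EXPECTED_COUNTRIES:
        signals.append("unusual_location")
    addr = ip_address(req.source_ip)
    if not any(addr in net for net in TRUSTED_NETWORKS):
        signals.append("untrusted_network")
    return signals


def required_verification(req: AccessRequest) -> tuple[str, list[str]]:
    """Map context to a verification level; a password alone is never enough."""
    signals = risk_signals(req)
    # An unknown device combined with any other anomaly is refused outright.
    if "unknown_device" in signals and len(signals) > 1:
        return "deny", signals
    # Any single anomaly, or a sensitive application, demands a stronger check.
    if signals or req.sensitive_app:
        return "mfa_step_up", signals
    # Known device, expected country, trusted network: standard second factor.
    return "mfa_standard", signals


if __name__ == "__main__":
    office = AccessRequest("alice", "dev-a1", "ES", "10.20.5.7")
    hotel = AccessRequest("alice", "dev-a1", "ES", "203.0.113.9")
    stolen = AccessRequest("alice", "dev-zz", "BR", "203.0.113.9")
    for r in (office, hotel, stolen):
        print(r.source_ip, r.device_id, required_verification(r))
```

Returning the signals alongside the decision lets the sign-in log record why a step-up or denial happened, which is what an analyst needs when reviewing a login that otherwise looks legitimate.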

From a business perspective, MFA also supports compliance with regulations such as the NIS2 Directive, DORA and PCI DSS, which require verifiable controls over who can access sensitive systems and data. And it also demonstrates to customers, partners and auditors that the organization takes identity protection seriously.

MFA and Zero Trust: Protecting Every Access Point

In a zero trust model, no user is trusted by default. It doesn’t matter whether they are inside the corporate network or connected via VPN—every access request is evaluated based on who is making it and under what conditions.

MFA is one of the cornerstones of this approach because it shifts verification from the network to the identity. This is where many organizations fall short: they enforce strict controls on critical systems but overlook everyday tools. Collaboration platforms, code repositories, project management tools—services that handle sensitive information and that, in many cases, are still protected by only a username and password.

The incidents involving Snowflake and the campaign documented by Dark Reading illustrate this clearly: a single service without MFA is enough to weaken the entire security strategy. An attacker won’t target the most heavily protected access point; they’ll look for what has been left exposed.

How AuthPoint Helps Close This Gap

Implementing MFA shouldn’t be a complex project or limited to only the most critical systems. For it to be truly effective, it needs to be widely deployed, easy to manage, and adaptable to the risk level of each access attempt.

WatchGuard AuthPoint delivers cloud-based multi-factor authentication with centralized management through WatchGuard Cloud. Its mobile device DNA ties authentication to the user’s phone, adding an extra layer of protection against impersonation attempts—even if the second factor is intercepted. It also enables the enforcement of policies based on access location and context, aligning with Zero Trust principles.
