How to MFA Everywhere
What makes you, you? Is it your physical representation, your memories, your choices, your relationships? In the physical world, identity is deep and layered. But online, all of that is stripped away. To a computer, you are not your story. You are a login. You are a password, a cookie, or a session. You are a code sent to your phone. That is the entire test of your existence in the digital realm. Which means if someone else holds those same fragments, the system will treat them as you. Identity online is not who you are; it is what the system accepts as proof of you, and that gap is exactly where attackers move in.
Once they can pretend to be you, they gain a foothold that lets them move inside protected digital spaces and ultimately reach the data they monetize, building an entire economy around organized crime.
Most people think of identity as just a username and password. That is like locking your front door with a simple latch. It might keep the wind out, but it will not stop a burglar. This is where multi-factor authentication (MFA) comes in. By forcing you to prove you are you in more than one way, MFA makes it far harder for an attacker to get inside.
The Basics: What Are Factors
When we use the term multi-factor authentication, it may seem obvious what we are talking about, but factors get misinterpreted by people all the time. They think they are layering additional security onto their login, but that may not be the case. Imagine unlocking your phone. You type a PIN, which is something you know. You scan your fingerprint, which is something you are. Sometimes you approve a push notification on your phone, which is something you have. These are factors of authentication.
Each factor has a best and worst version. A strong PIN that changes regularly is better than reusing the same four digits you use on your luggage. A fingerprint scan backed by the secure hardware on modern iPhones is better than the old swipe pattern on an Android screen that anyone could smudge-trace. A FIDO hardware key is stronger than a text message code that can be stolen if your number is hijacked.
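To make the "same category is not a second factor" point concrete, here is a small added example (not from the original article) that classifies authenticators into know/have/are, reports whether a combination is real MFA, and flags the weakest "have" item using the ordering the article gives (FIDO key above a text message code). The category map and strength ranking are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Assumed mapping from authenticator type to factor category.
# A second step only counts as a second factor when its category differs.
FACTOR_CATEGORY = {
    "password": "know",
    "pin": "know",
    "security_question": "know",
    "sms_code": "have",       # tied to a phone number, lost if the number is hijacked
    "push": "have",           # authenticator app push notification
    "totp_app": "have",       # authenticator app code
    "certificate": "have",    # tied to a specific device
    "fido_key": "have",       # hardware key
    "fingerprint": "are",
    "face": "are",
}

# Assumed relative strength inside the "have" category (higher is stronger).
HAVE_STRENGTH = {"sms_code": 1, "push": 2, "totp_app": 2, "certificate": 3, "fido_key": 3}


@dataclass
class Verdict:
    is_mfa: bool                 # at least two distinct categories present
    categories: Set[str]
    weakest_have: Optional[str]  # the "have" item an attacker would target first


def evaluate_login(authenticators: List[str]) -> Verdict:
    """Decide whether a set of authenticators is genuine MFA (>= 2 categories)."""
    categories: Set[str] = set()
    for a in authenticators:
        if a not in FACTOR_CATEGORY:
            raise ValueError(f"unknown authenticator: {a}")
        categories.add(FACTOR_CATEGORY[a])
    haves = [a for a in authenticators if FACTOR_CATEGORY[a] == "have"]
    weakest = min(haves, key=HAVE_STRENGTH.__getitem__) if haves else None
    return Verdict(len(categories) >= 2, categories, weakest)


if __name__ == "__main__":
    # Password plus a security question looks like two steps but is one factor.
    print(evaluate_login(["password", "security_question"]))
    # Password plus FIDO key is MFA, and adding an SMS fallback lowers the floor.
    print(evaluate_login(["password", "fido_key", "sms_code"]))
```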
Where MFA Works and Where It Does Not
On mobile devices, you are limited to the basics: PIN, passcode, or biometric. Apple and Google do not allow you to stack additional MFA challenges before the phone unlocks. So, the best you can do is enforce strong passcodes and biometric hardware. The worst case is relying on a four-digit PIN that anyone can guess. If the device is stolen, the only real safety net is the ability to remotely lock or wipe it.
On computers, you start with what the operating system offers, like Windows Hello, Touch ID, or passwords. From there, you can add a second factor, such as a push notification or hardware key. The best scenario is a password plus a hardware key or authenticator app. The worst scenario is just a weak password with no second check at all. Resetting credentials is simple for passwords but messy for hardware tokens, which need to be revoked and re-issued carefully.
On Wi-Fi and office networks, authentication is often certificate-based or password-based. Certificates are stronger because they tie access to a specific device, but they are also harder to reset if something goes wrong. Passwords are easier to change, but they are also easy for attackers to phish. The best case is a certificate, plus username and password. The worst case is just a shared Wi-Fi password written on a sticky note.
On VPNs, companies have the most flexibility. A VPN client can enforce multiple checks, such as password, phone push, and device posture, before connecting. The best setup is a combination of identity and device health verification. The worst is a VPN that accepts only a password, which an attacker can easily guess or steal.
On SaaS apps, there is the greatest opportunity to be flexible. Using an identity provider like AuthPoint or Okta, you can stack several factors together, like password, plus push notification, plus FIDO key. The best example is a cloud app that requires strong passwords, app-based MFA, and device compliance checks before granting access. The worst is a SaaS app with no MFA at all, leaving the door wide open for credential stuffing or phishing.
Why MFA Everywhere Is Harder Than It Sounds
It is tempting to think MFA is just a feature you turn on. But every platform has limits. Phones allow only one factor at the lock screen. Computers let you add more, but only after using one of the built-in choices. Certificates are powerful but difficult to revoke. SaaS apps offer flexibility, but only if you use the right identity provider.
This means IT has to think carefully about each login context, what factors are available, and how to reset or revoke them when something is compromised.
Take a look at how the basic factors (something you know and something you have) are supported in each login context.
Table 1: Support for Basic Factors
| Context | Know | Have |
|---|---|---|
| Mobile Lock Screen (iOS/Android) | PIN / Passcode ✅ | ❌ |
| Local / RDP Login (Win/Mac/Linux) | Directory Password ✅ | HW/SW Token ✅ |
| Wi-Fi / Network (802.1X) | PSK / Directory Password ⚠️ | Certificate (EAP-TTLS) ✅ |
| SSL VPN (RADIUS) | Directory Password ✅ | HW/SW Token ✅ |
| SaaS Apps (SAML, OATH, WebAuthn) | Password / PIN ✅ | HW/SW Token ✅ |
In this case, even the basics don’t seem to be easy to implement across the standard ways we log in to our apps and networks.
Next, a look at a second table that shows how more advanced factors like something you are, location, or activity are supported across the same contexts.
Table 2: More Advanced Support for Factors
| Context | Are | Where | Do |
|---|---|---|---|
| Mobile Lock Screen (iOS/Android) | Fingerprint / Face ⚠️ | ❌ | Idle Timeout ⚠️ |
| Local / RDP Login (Win/Mac/Linux) | Fingerprint / Face ⚠️ | GeoIP ⚠️ | Typing / Usage Patterns ⚠️ |
| Wi-Fi / Network (802.1X) | ❌ | Network IP ⚠️ | Traffic Patterns ⚠️ |
| SSL VPN (RADIUS) | ❌ | Network IP ⚠️ | Traffic Patterns ⚠️ |
| SaaS Apps (SAML, OATH, WebAuthn) | ❌ | Network IP ⚠️ | Typing / Usage Patterns ⚠️ |
Here, there is more of a drop-off in support on the network side, and factors like where we are do not always have support in the identity source we can integrate with.
Finally, when we want to check the devices prior to access, even more software is required to do the job.
Table 3: Software Required to Check Devices before Accessing Networks
| Context | Device / Policy Enforcement |
|---|---|
| Mobile Lock Screen (iOS/Android) | MDM: complexity, expiry, OS/app updates. Lock or wipe if lost. ✅ |
| Local / RDP Login (Win/Mac/Linux) | Domain join, RMM, OS/app updates, app policies. Isolate device if needed. ✅ |
| Wi-Fi / Network (802.1X) | NAC traffic profiles, AAA parameters ⚠️ |
| SSL VPN (RADIUS) | Device/browser profile checks. Adjust or disable access. ✅ |
| SaaS Apps (SAML, OATH, WebAuthn) | Device/browser profile checks. Disable or disconnect sessions. ✅ |
Closing Thoughts
Attackers always look for the weakest link. If MFA is inconsistent, they will find the gap, maybe by stealing a cookie to bypass MFA in the cloud, or by hijacking a phone number to intercept text codes.
The goal is not perfection. The goal is coverage. Every login, whether on a phone, a laptop, Wi-Fi, VPN, or SaaS app, should have at least two strong checks. And IT should be ready to quickly revoke and reset those checks when necessary.
With platforms like WatchGuard AuthPoint, teams can unify this across devices and apps instead of managing each system separately.
The bottom line: MFA everywhere means understanding the best and worst versions of each factor, applying the strongest possible combination in every context, and closing off the easy routes attackers are waiting to exploit.