Originally published on LinkedIn. Lightly edited for clarity.
Multi-factor authentication reduces account takeover risk, but only when it is designed for the real world.
A fragile MFA rollout will be bypassed, ignored, or blamed when an incident hits. A durable rollout feels boring and predictable.
Pick the right factors
Not all MFA methods are equal:
- Phishing-resistant factors (hardware keys, passkeys) are the strongest.
- App-based OTP is common and reasonable when deployed well.
- SMS is better than nothing but should be a stepping stone, not the end state.
The best choice is the one your users will actually complete.
Make enrollment frictionless
If enrollment is painful, adoption will stall.
Provide clear setup guidance, short instructions, and a simple self-service flow. For high-risk roles, mandate stronger factors from day one.
Plan for recovery
Account recovery is where MFA often falls apart. Define a recovery path that is secure but usable:
- Backup codes stored safely.
- Secondary factors with clear verification steps.
- Break-glass procedures for critical teams.
If recovery is too hard, people will share credentials or avoid MFA entirely.
Log and enforce
MFA should be visible in your logs and policies:
- Track enrollment and enforcement coverage.
- Alert on repeated MFA failures.
- Require MFA for privileged or high-risk actions.
Visibility turns MFA into a measurable control rather than a checkbox.
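As an added example (not code from the original post), here is the measurement side of that section in Python: enrollment coverage and the privileged-role factor requirement from the earlier sections, plus an alert on repeated MFA failures inside a sliding window. The user export, the log format, the factor names and the three-failures-in-ten-minutes threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Factor tiers ordered as in the post: phishing-resistant strongest, SMS weakest.
FACTOR_STRENGTH = {"none": 0, "sms": 1, "totp": 2, "passkey": 3, "hardware_key": 3}
PRIVILEGED_ROLES = {"admin"}   # assumed high-risk roles
MIN_PRIVILEGED_STRENGTH = 3    # privileged users must hold a phishing-resistant factor

# Constructed identity-provider export: (user, role, enrolled factor).
USERS = [("alice", "admin", "hardware_key"), ("bob", "admin", "sms"),
         ("carol", "staff", "totp"), ("dave", "staff", "none")]
# Constructed auth log lines in an assumed "<ISO time> user=<name> mfa=<ok|fail>" format.
AUTH_LOG = """\
2026-03-01T09:00:01 user=bob mfa=fail
2026-03-01T09:00:20 user=bob mfa=fail
2026-03-01T09:00:45 user=bob mfa=fail
2026-03-01T09:02:00 user=carol mfa=ok
2026-03-01T09:30:00 user=carol mfa=fail
2026-03-01T10:30:00 user=carol mfa=fail
2026-03-01T10:31:00 user=carol mfa=fail
"""

def coverage_report(users):
    """Enrollment coverage, plus privileged users whose factor is below the required tier."""
    enrolled = sum(1 for _, _, factor in users if FACTOR_STRENGTH[factor] > 0)
    weak_privileged = sorted(
        user for user, role, factor in users
        if role in PRIVILEGED_ROLES and FACTOR_STRENGTH[factor] < MIN_PRIVILEGED_STRENGTH)
    return {"enrolled_pct": round(100 * enrolled / len(users), 1),
            "weak_privileged": weak_privileged}

def parse_auth_log(text):
    """Yield (timestamp, user, result) from the constructed log format."""
    for line in text.splitlines():
        ts, user, result = line.split()
        yield datetime.fromisoformat(ts), user.split("=", 1)[1], result.split("=", 1)[1]

def repeated_mfa_failures(log_text, threshold=3, window=timedelta(minutes=10)):
    """Users with at least `threshold` MFA failures inside any sliding `window`."""
    failures = defaultdict(list)
    for ts, user, result in parse_auth_log(log_text):
        if result == "fail":
            failures[user].append(ts)
    alerted = []
    for user, times in failures.items():
        times.sort()  # alert once if any `threshold` consecutive failures fit in the window
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            alerted.append(user)
    return sorted(alerted)
```

Carol's three failures are spread over an hour, so the default window does not flag her; widening the window does, which is the tuning decision the alert rule forces you to make explicitly.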
2026 Perspective
Passkeys and hardware-backed factors are more common now, which raises the baseline.
The operational issues remain the same: enrollment and recovery make or break adoption. MFA is only as strong as the user experience around it.