Multi-Factor Authentication That’s Phishing-Resistant, Adaptive & Auditable
Multi-Factor Authentication (MFA) proves a user is who they say they are by requiring two or more factors—something you are (biometric), have (hardware key or device), or know (secret). SolveForce designs MFA to be phishing-resistant, adaptive to risk, and easy to use, with complete evidence for audits. It plugs into your identity fabric (SSO/IAM), device trust, and Zero-Trust access.
Identity fabric references:
🔑 IAM → IAM / SSO / MFA • 🔓 SSO → SSO • 🛡️ ZTNA/SASE → ZTNA • SASE
🖥️ Device trust → MDM / UEM • 🛡️ EDR/XDR → EDR / MDR / XDR
🔑 Key trust → PKI • Key Management / HSM • 🧪 Evidence → SIEM / SOAR
🎯 Outcomes (Why MFA, Done Right)
- Phishing-resistant authentication (WebAuthn/FIDO2, platform/hardware passkeys).
- Adaptive friction — strong when risk is high, nearly invisible when risk is low.
- Least-privilege enforcement — step-up MFA for sensitive actions and admin elevation.
- Audit-ready evidence — who/what/where/when/why (policy ID, risk, device).
- User acceptance — fast, consistent prompts; clear fallback with minimal lockouts.
🧱 MFA Building Blocks (Spelled Out)
- Factors (prefer in this order):
1) WebAuthn/FIDO2 (hardware key or device passkey; phishing-resistant)
2) Push with number-matching (anti-fatigue)
3) TOTP (authenticator app codes)
4) SMS/Voice fallback only (riskier; rate-limited, geo/ASN-aware) - Policy Engine (in your IdP/IAM): conditional access by user, role, device posture, location/ASN, app sensitivity, and session risk.
- Enrollment & Lifecycle: first-use verification, two registered factors minimum, recovery options, secure revocation on device loss.
- Logging & Analytics: full decision trail to SIEM/SOAR for correlation, anomaly detection, and audit packs.
See the broader program → IAM / SSO / MFA
🔒 Phishing-Resistant MFA (Your New Default)
- WebAuthn/FIDO2 (passkeys) — cryptographic challenge/response bound to the origin; blocks credential replay and MFA phishing kits.
- Device binding & attestation — tie keys to managed devices; validate attestation where supported.
- mTLS & token binding (advanced) — bind sessions to device keys for high-risk workflows.
→ Keys & certificates: PKI • Key Management / HSM
🧠 Adaptive MFA (Identity → Device → App → Data → Context)
MFA should trigger when risk warrants:
1) Identity — user, group/role, assurance level. → IAM / SSO / MFA
2) Device Posture — EDR/UEM health, OS version, disk encryption. → MDM / UEM • EDR / MDR / XDR
3) Application Sensitivity — finance/admin consoles vs. general SaaS.
4) Data Classification — PII/PHI/PAN actions require step-up; watermark read-only sessions. → DLP
5) Context — geo/ASN anomalies, impossible travel, TOR/VPN signals, session age.
Outcomes: allow → step-up (phish-resistant) → isolate (read-only/RBI) → deny.
Admin elevation routes through PAM with session recording. → PAM
🔁 Where MFA Prompts (and Where It Shouldn’t)
- Login — always enforce MFA for privileged roles and external/BYOD access.
- Step-up — on sensitive operations: wire transfers, key vault access, policy edits, break-glass.
- Session refresh — on risk spikes (new ASN/geo, posture drift), not arbitrarily every N minutes.
- Silent periods — low-risk SaaS with strong posture can avoid repeated prompts via signed device assertions.
🧯 Enrollment, Recovery & Break-Glass (No Lockouts)
- Enrollment — require two phish-resistant factors (e.g., hardware key + platform passkey).
- Recovery — recovery codes stored offline, help-desk verified recovery with identity proofing; immediate revocation of lost factors.
- Break-glass — time-boxed, hardware-token-only path for critical roles; all actions logged and reviewed.
- De-provision — revoke tokens/sessions within <60 s when users leave. (Track in IAM JML.) → IAM / SSO / MFA
🛡️ Security Hardening (Practical Controls)
- Push fatigue defenses — number-matching, rate limits, lockout after repeats.
- SIM-swap resistance — avoid SMS where possible; geo/ASN checks; velocity detection.
- Code integrity — 6–8 digit TOTP, 30-second windows, limited drift; no email codes.
- Device attestation — prefer hardware-backed keys; block rooted/jailbroken devices.
- Session hygiene — short token TTLs for high-risk apps; re-auth on privilege change.
- Evidence streaming — all MFA events to SIEM/SOAR with dashboards and alerts. → SIEM / SOAR
📐 SLO Guardrails (Experience You Can Measure)
| Metric | Target (Regional) | Notes |
|---|---|---|
| Login → token (SSO) | ≤ 1–2 s typical | With cached metadata; local IdP PoP |
| MFA step-up (WebAuthn/push) | ≤ 3–5 s | Prefer WebAuthn; number-match on push |
| Provisioning propagation (SCIM) | < 5 min | For adds/role changes |
| De-provision revoke | < 60 s | Critical for terminations/compromises |
| MFA success rate | ≥ 98–99% | Track per factor, per region |
Test with IdP synthetics and real-user monitoring for top apps. → NOC Services
🧭 Migration Plan (From OTP-Only to Phish-Resistant MFA)
- Inventory users/apps; classify risk; identify admin/finance/PHI apps.
- Choose factors — FIDO2 as primary; push/TOTP as secondary; SMS only as fallback.
- Enroll in rings — IT/admins → finance/HR → all users; require two factors minimum.
- Step-up policies — add action-based prompts for sensitive operations.
- Device trust — enforce EDR/UEM posture checks for managed devices. → MDM / UEM • EDR / MDR / XDR
- Decommission legacy email codes/SMS-only; keep break-glass tokens.
- Evidence — stream logs, build SLO dashboards, publish weekly adoption metrics. → SIEM / SOAR
📊 Metrics That Matter
- MFA adoption by factor (FIDO2, push, TOTP, SMS).
- Prompt rate per user per week (keep low in low-risk contexts).
- Failure & fallback rates (watch SMS spikes).
- Fraud blocks — push fatigue rejections, impossible travel stops.
- De-provision lag — time from HR event to session kill.
Report to security and compliance leadership monthly; tie to risk register.
🧾 Compliance Mapping (Examples)
- PCI DSS 8 — MFA for admin and remote access to CDE.
- ISO 27001 / SOC 2 — logical access control with MFA + audit trails.
- HIPAA — unique user identification, emergency access, audit controls; MFA strengthens authentication.
- NIST SP 800-63-3 — AAL2/AAL3 guidance (FIDO2 keys meet higher assurance when deployed correctly).
- CMMC — IA/AC domains (MFA for privileged and remote access).
All evidence streams to SIEM/SOAR, linked to incidents and audits. → SIEM / SOAR
🧰 Integrations & Runbooks
- IdP/SSO — SAML/OIDC federation; adaptive policies; SCIM provisioning. → SSO • IAM / SSO / MFA
- ZTNA/SASE — per-app access with posture + MFA; unify logs. → ZTNA • SASE
- Helpdesk — secure recovery playbooks; identity proofing steps; approvals logged. → Helpdesk Support
- PAM — step-up for admin elevation; record sessions. → PAM
✅ Pre-Engagement Checklist
- 👥 Users/roles; contractors/partners; BYOD posture.
- 🔐 Factor policy: primary (FIDO2), secondary (push/TOTP), fallback (SMS minimal).
- 🖥️ Device requirements: EDR/UEM, OS versions, disk encryption.
- 🧭 App risk tiers; step-up actions (finance, key vaults, policy edits).
- 🧾 Evidence: SIEM dashboards, audit cadence, weekly adoption reports.
- 🔄 Break-glass tokens & recovery procedures; time-boxed; review after use.
🔄 Where MFA Fits (Recursive View)
1) Grammar — identity traffic rides Connectivity
2) Syntax — login flows & app delivery in Cloud
3) Semantics — truth of identity & device via Cybersecurity
4) Pragmatics — SolveForce AI predicts risk and reduces prompts
5) Foundation — consistent terms enforced by Primacy of Language
6) Map — indexed in SolveForce Codex & Knowledge Hub
📞 Design MFA Users (and Auditors) Will Love
Related pages:
IAM / SSO / MFA • SSO • ZTNA • SASE • MDM / UEM • EDR / MDR / XDR • PAM • DLP • PKI • Key Management / HSM • SIEM / SOAR • Cybersecurity • Knowledge Hub