Your firm enabled multi-factor authentication (MFA) on email last year. You checked the box, told your team, and moved on. Then a partner’s Microsoft 365 account got compromised anyway. Sound familiar?

MFA is one of the most consistently recommended security controls in IT. It is also one of the most misunderstood. Deploying it is genuinely important. Treating it as a complete solution is a mistake that attackers are actively counting on.

The Problem: MFA Is Marketed as a Silver Bullet

When IT providers, insurance carriers, and security frameworks like the NIST Cybersecurity Framework or the CIS Controls all tell you to enable MFA, it is easy to assume that enabling it means you are protected. That assumption has a cost.

MFA works by requiring a second proof of identity beyond a password: a code from an app, a text message, a hardware key, or a biometric. The core promise is that a stolen password alone cannot open your systems. For a specific category of attack, that promise holds up extremely well.

But “protected from some attacks” is not the same as “protected.” And the attacks that MFA does not stop are not obscure theoretical exploits. They are the techniques behind many of the real breaches hitting professional services firms right now.

Accounting firms hold years of client tax returns. Law firms hold privileged communications and deal documents. Boutique financial advisories hold account credentials and wire instructions. All of that is valuable enough that attackers will take whatever path gets them in, even if MFA is sitting in the way.

The problem is not that MFA fails. The problem is that firms stop asking questions once they have it turned on.

Why This Matters for Professional Services Firms

Professional services firms operate under regulatory frameworks that take data security seriously. CPAs and accounting firms handle data covered by IRS Publication 4557 and the FTC Safeguards Rule, which was updated in 2023 to require specific administrative, technical, and physical safeguards for client financial information. Law firms face state bar ethics rules requiring reasonable measures to protect confidential client data. Registered investment advisers fall under SEC Regulation S-P, which has its own amended breach notification and safeguard requirements taking effect in 2024 and 2025.

None of these frameworks say “turn on MFA and you are done.” They require a reasonably comprehensive security program. A regulator or a plaintiff’s attorney reviewing a breach incident will ask what controls were in place, whether they were appropriate for the threat landscape, and whether the firm understood their limitations.

If your answer is “we had MFA,” and the breach came through a technique MFA does not stop, that answer will not protect you. Your security insurance carrier will likely ask similar questions. Many security insurance policies now require MFA as a baseline condition, but claims examiners also look at whether your overall program was adequate, not just whether one control was enabled.

Understanding what MFA actually does and does not do is not a technical exercise. It is a professional responsibility.

How to Think About MFA’s Real Scope

What MFA reliably stops

MFA is highly effective against credential-stuffing attacks, which occur when attackers use large databases of leaked username and password combinations to try logging into your systems. If a password from a breach at another service matches one your team member uses for their work email, MFA stops that attack cold. This alone justifies deploying MFA everywhere, immediately. Password reuse is endemic, and credential databases are cheap to buy on criminal forums.

MFA also stops most brute-force password guessing and protects against scenarios where a device is lost or stolen and someone attempts to log in with a recovered password.

What MFA does not stop

Real-time phishing (adversary-in-the-middle attacks): A firm employee receives a convincing phishing email and clicks a link to a fake Microsoft or DocuSign login page. That page is actually a proxy that relays their credentials and MFA code to the real site in real time. The attacker gets a valid, authenticated session before the MFA code expires. Tools to run this kind of attack are freely available and widely used.

SIM swapping: An attacker calls your team member’s mobile carrier, impersonates them, and transfers the phone number to a new SIM card. Now the attacker receives every SMS-based MFA code. This attack targets SMS-based MFA specifically, which is the most common type in use.

MFA fatigue (push bombing): If your firm uses an authenticator app that sends push notifications for approval, attackers who already have a password can send dozens of approval requests in rapid succession until a tired or confused user taps “Approve” just to make it stop. This technique was used in several high-profile breaches in recent years.
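Push bombing leaves a recognisable trace in sign-in logs: a run of denied or ignored push prompts for one account in a short window, sometimes ending in an approval. The following Python example is added here to show that detection logic; it is not code from the original article or from One82, and the log format, user names, IP addresses and the threshold of five prompts in ten minutes are all constructed assumptions rather than any product's real schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events, not real logs. Each line is:
# <UTC timestamp> <user> <MFA push result> <source IP>
# Results: mfa_denied (user tapped Deny), mfa_timeout (user ignored the push),
# mfa_approved (user tapped Approve).
SAMPLE_LOG = """\
2024-05-06T09:00:05Z alice@firm.example mfa_denied 203.0.113.7
2024-05-06T09:00:40Z alice@firm.example mfa_timeout 203.0.113.7
2024-05-06T09:01:00Z bob@firm.example mfa_denied 198.51.100.20
2024-05-06T09:01:12Z alice@firm.example mfa_denied 203.0.113.7
2024-05-06T09:01:30Z bob@firm.example mfa_approved 198.51.100.20
2024-05-06T09:01:50Z alice@firm.example mfa_timeout 203.0.113.7
2024-05-06T09:02:30Z alice@firm.example mfa_denied 203.0.113.7
2024-05-06T09:03:10Z alice@firm.example mfa_timeout 203.0.113.7
2024-05-06T09:03:55Z alice@firm.example mfa_approved 203.0.113.7
2024-05-06T09:05:00Z carol@firm.example mfa_approved 192.0.2.44
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, user, result, ip = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "result": result,
        "ip": ip,
    }


def detect_push_bombing(lines, threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> list:
    """Alert when a user receives `threshold` or more denied/ignored pushes
    inside `window` (medium), and again, at high severity, if such a burst is
    followed by an approval, which is the outcome the attacker is after."""
    alerts = []
    # user -> timestamps of denied/ignored pushes that are still inside the window
    pending = defaultdict(deque)
    events = sorted((parse_line(line) for line in lines if line.strip()),
                    key=lambda e: e["ts"])
    for ev in events:
        q = pending[ev["user"]]
        while q and ev["ts"] - q[0] > window:  # drop pushes older than the window
            q.popleft()
        if ev["result"] in ("mfa_denied", "mfa_timeout"):
            q.append(ev["ts"])
            if len(q) == threshold:  # fire once, as the burst crosses the threshold
                alerts.append({"type": "push_burst", "severity": "medium",
                               "user": ev["user"], "count": len(q),
                               "at": ev["ts"], "ip": ev["ip"]})
        elif ev["result"] == "mfa_approved":
            if len(q) >= threshold:
                alerts.append({"type": "approval_after_burst", "severity": "high",
                               "user": ev["user"], "count": len(q),
                               "at": ev["ts"], "ip": ev["ip"]})
            q.clear()  # an approval ends the current burst either way
    return alerts


if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_LOG.splitlines()):
        print(f'{a["at"].isoformat()} {a["severity"]:6} {a["type"]:21} '
              f'{a["user"]} ({a["count"]} pushes from {a["ip"]})')
```

On the constructed sample, Bob's single Deny followed by an Approve produces nothing, while Alice's six prompts in under four minutes raise a medium alert at the fifth and a high alert at the approval that follows. The high-severity case is the one worth paging on, since it means a session was probably granted to whoever was sending the prompts.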

Help desk social engineering: An attacker calls your IT support line or vendor’s support team, claims to be a locked-out employee, and convinces the help desk to bypass or reset MFA. This is an identity verification problem, not a technology problem.

What needs to sit alongside MFA

Phishing-resistant MFA options, specifically hardware security keys (like YubiKeys) or passkeys, address the real-time phishing problem because the credential is cryptographically bound to the legitimate site’s origin. An assertion produced on a fake page does not verify at the real site, so a proxy cannot relay it. For email and financial systems especially, these are the stronger standard.
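The origin binding is easiest to see in the relying party’s verification steps. The Python example below is added to illustrate them and is not code from the article or from One82. The host names are constructed, and an HMAC stands in for the asymmetric signature a real security key or passkey produces (real WebAuthn stores only a public key on the server); the checks on origin, rpIdHash and signature coverage are the ones that matter and are the same.

```python
import hashlib
import hmac
import json
import os

# Constructed relying party (RP): the firm's real login site. Assumed names.
RP_ID = "login.example-firm.test"
RP_ORIGIN = "https://" + RP_ID

# Constructed registered credential. The HMAC key stands in for the private key
# inside a real security key or passkey (assumption for a stdlib-only example).
CREDENTIALS = {"cred-0001": bytes.fromhex("11" * 32)}


def authenticator_sign(cred_id: str, rp_id: str, client_data_json: bytes) -> dict:
    """What the key/passkey does: sign authenticatorData || SHA-256(clientDataJSON).
    authenticatorData begins with SHA-256(rpId) and the user-presence flag."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    to_sign = auth_data + hashlib.sha256(client_data_json).digest()
    sig = hmac.new(CREDENTIALS[cred_id], to_sign, hashlib.sha256).digest()
    return {"id": cred_id, "authenticatorData": auth_data,
            "clientDataJSON": client_data_json, "signature": sig}


def browser_get_assertion(cred_id: str, page_origin: str, challenge: str) -> dict:
    """What the browser does for navigator.credentials.get(): it records the
    origin of the page that made the call. Page scripts cannot change it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    rp_id = page_origin.removeprefix("https://")  # simplified: rpId defaults to the page host
    return authenticator_sign(cred_id, rp_id, client_data)


def rp_verify(assertion: dict, expected_challenge: str) -> tuple:
    """The server-side checks on an assertion, in the order a WebAuthn RP runs them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return False, "user presence flag not set"
    key = CREDENTIALS.get(assertion["id"])
    if key is None:
        return False, "unknown credential"
    to_sign = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(key, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def new_challenge() -> str:
    return os.urandom(16).hex()


def legitimate_login() -> tuple:
    """User is on the real site: the browser records RP_ORIGIN and verification passes."""
    ch = new_challenge()
    return rp_verify(browser_get_assertion("cred-0001", RP_ORIGIN, ch), ch)


PROXY_ORIGIN = "https://login.example-firm.test.evil-proxy.test"  # constructed look-alike


def relayed_login() -> tuple:
    """A proxy page forwards the RP's real challenge to the victim. The victim's
    browser still records the proxy's origin, so the RP rejects the assertion."""
    ch = new_challenge()  # the proxy obtained this from the real RP
    return rp_verify(browser_get_assertion("cred-0001", PROXY_ORIGIN, ch), ch)


def tampered_relay() -> tuple:
    """If the proxy rewrites origin and rpIdHash to the real values before
    forwarding, the signed bytes no longer match the signature."""
    ch = new_challenge()
    a = browser_get_assertion("cred-0001", PROXY_ORIGIN, ch)
    cd = json.loads(a["clientDataJSON"])
    cd["origin"] = RP_ORIGIN
    a["clientDataJSON"] = json.dumps(cd, sort_keys=True).encode()
    a["authenticatorData"] = hashlib.sha256(RP_ID.encode()).digest() + a["authenticatorData"][32:]
    return rp_verify(a, ch)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("relayed   :", relayed_login())
    print("tampered  :", tampered_relay())
```

Contrast this with a one-time code, which is just six digits the proxy can forward unchanged: the code carries no information about where it was typed. With a bound credential, the only way a relayed assertion reaches the real site is with the wrong origin in it, and the only way to fix the origin is to break the signature.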

MFA should also be paired with:

  • Conditional access policies that block logins from unexpected locations or devices
  • Endpoint detection and response (EDR) protection on every device accessing firm systems
  • Security awareness training that specifically covers MFA fatigue and phishing techniques
  • Identity verification procedures for help desk and IT support interactions

What to Look for in an IT Partner

When evaluating a managed IT or security provider, ask direct questions about how they handle MFA beyond simply enabling it.

Ask whether they configure conditional access policies alongside MFA deployment, or whether they just flip the switch. Ask what their recommendation is for email and financial system authentication. A provider current on the threat landscape should be able to explain phishing-resistant options without you prompting them.

Ask how they handle help desk identity verification when an employee claims to be locked out. This is an underappreciated gap that sophisticated attackers exploit regularly.

Ask whether their security awareness training program includes scenarios specific to MFA attacks, not just generic phishing examples. And ask how they stay current as attack techniques evolve, since the threat landscape changes faster than annual training cycles.

A good IT partner treats MFA as one component of a layered security program, not as the destination.

The Bottom Line

MFA is not optional. Deploy it everywhere, today. It stops a large and important category of attacks, and skipping it is indefensible. But MFA has documented gaps that attackers actively exploit. Knowing what those gaps are, and closing them with the right complementary controls, is what separates a firm that had MFA from a firm that stayed protected.


Frequently Asked Questions

Does MFA actually prevent most hacking attacks?

MFA prevents a large share of attacks that rely on stolen or guessed passwords, including credential stuffing, which is behind a significant percentage of account takeovers. However, it does not prevent real-time phishing, SIM swapping, or social engineering, which are increasingly common against professional services firms. MFA is a critical control, but not a complete one.

What is MFA fatigue and how do attackers use it?

MFA fatigue, sometimes called push bombing, happens when an attacker who already knows a user’s password sends repeated MFA push approval notifications to their phone. The goal is to get the user to approve one of the requests out of frustration or confusion. Microsoft, Uber, and Cisco have all experienced incidents involving this technique. Switching to number-matching push notifications or phishing-resistant MFA methods reduces this risk significantly.

Is SMS text message MFA good enough for a professional services firm?

SMS-based MFA is better than no MFA. However, it is the weakest form because it is vulnerable to SIM swapping, where an attacker convinces a mobile carrier to transfer your phone number to their device. For systems that hold client financial data, privileged communications, or wire transfer access, an authenticator app or hardware security key is a meaningfully stronger choice.

What is phishing-resistant MFA and do small firms really need it?

Phishing-resistant MFA uses cryptographic methods tied to the specific website being accessed, so a fake login page cannot capture and replay the credential in real time. Hardware security keys and passkeys are the two main options. Small professional services firms are targeted specifically because attackers assume they have weaker controls than large enterprises. For email, financial portals, and remote access systems, phishing-resistant MFA is worth the modest additional investment.


One82 provides managed IT, cybersecurity, compliance, and AI integration services exclusively for professional services firms in the San Francisco Bay Area. Schedule a 15-Minute Discovery Call to discuss your firm’s multi-factor authentication posture.