MFA (Multi-Factor Authentication)
Mandatory Protection for All Privileged Access
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are compliance specialists, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
MFA is authentication using at least 2 of 3 factors (knowledge, possession, inherence). Section 30(2) No. 8 BSIG requires MFA for privileged access - and realistically for all access.
What is MFA (Multi-Factor Authentication)?
MFA methods 2026:
- Phishing-resistant: FIDO2/WebAuthn (hardware keys, passkeys) - the gold standard
- Strong: authenticator app (TOTP, push)
- Weak (avoid): SMS-OTP - susceptible to phishing
NIST SP 800-63B requires ONLY FIDO2 for high assurance levels.
Practical example
SME with 80 employees: 100% MFA via Microsoft Authenticator. Privileged accounts additionally use YubiKey FIDO2 keys. Sign-ins without MFA are blocked via Conditional Access.
Frequently asked questions
Is SMS MFA OK?
Weak. NIST and BSI advise against it: susceptible to phishing and SIM swapping. Use an authenticator app or FIDO2.
What does it cost?
Authenticator app: free. FIDO2 keys: EUR 25-60 each. Conditional Access: included in Microsoft 365 E5.