MFA is accessible and its effectiveness is proven: it reduces the risk of account compromise by 99.2%. Why, then, has it not been widely adopted?
Passwords remain necessary protections, but they are no longer sufficient. Using long, unique, and hard-to-guess passphrases is still a good practice when no other means of identity protection exist. The problem arises when one of these passwords falls into the wrong hands: the system doesn’t detect an intrusion, it just sees a legitimate connection. From this point on, the attacker moves through the environment like any other user.
This is not a theoretical scenario.
The campaign targeting Snowflake customers in 2024 clearly demonstrated this: attackers used credentials stolen by infostealer malware to gain access to accounts that had no MFA. They exploited no flaw and used no sophisticated technique. Just a username, a password, and an open door. The result: more than 165 organizations compromised, including companies like Ticketmaster, Santander and AT&T, according to research published by Mandiant.
Closer to home in France, the massive data leaks suffered by France Travail (one of the largest cyberattacks in French history, with no fewer than 43 million people affected!) in 2024 and again in 2025, and more recently the leak of the FICOBA bank file, to name only a few major cases, could have been avoided with MFA.
In the France Travail case, the attack relied on compromised partner accounts and on infostealers installed on personal computers, in a context where MFA was generally absent, despite alerts since 2023.
At the end of 2025, the President of the CNIL, Marie-Laure Denis, estimated that 80% of data leaks in 2024 could have been avoided by implementing multi-factor authentication. She also pointed out that MFA is not compulsory in France for databases of more than 2 million people, even though the CNIL wanted to impose it.
An adoption problem, not a technology problem
Multi-factor authentication is not new. The technology exists, it is accessible, and its effectiveness is proven. According to Microsoft figures, using MFA reduces the risk of account compromise by 99.2%. Why, then, has it not been widely adopted?
The Cyber Readiness Institute’s Global MFA Survey (2024), of nearly 2,300 SMEs, reveals that almost two-thirds are not using MFA. The global adoption rate stands at just 35%. The obstacles most often cited are cost, lack of resources and above all, a lack of perception of the real risk.
This is not a problem specific to SMEs. The large organizations compromised in the Snowflake incidents were not companies lacking security resources. These were organizations with mature cybersecurity teams, budgets, and programs that simply hadn’t enabled MFA across all their departments.
What MFA actually brings
MFA adds other verification factors that prevent a stolen password from being sufficient to access an account. This is the central benefit. In practice, however, the impact goes further.
When applied consistently, MFA limits an attacker’s ability to move laterally within the network. Each attempt to access a new service or resource requires additional verification, significantly reducing the impact of a security breach.
Today’s MFA solutions go beyond asking for a code. Many evaluate the context of the access request — such as the device used, the user’s location and the network they are connecting to — to adjust the level of verification based on the actual risk. This helps secure remote access without relying exclusively on VPNs or the network perimeter.
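The context evaluation described above can be sketched as a small policy function. This is an added example, not code from any MFA product: the signal names, weights, thresholds, network range and user profiles are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical policy inputs (constructed for this example).
CORPORATE_NETWORKS = [ip_network("10.20.0.0/16")]
USUAL_COUNTRIES = {"alice": {"FR"}, "bob": {"FR", "BE"}}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_managed: bool      # device is enrolled and compliant
    country: str              # country derived from the source IP
    source_ip: str
    sensitive_resource: bool  # e.g. admin console or bulk data export


def required_verification(req: AccessRequest) -> str:
    """Return 'mfa', 'step_up' or 'deny' for an access request.

    A password alone is never enough: context can only raise the bar
    above the MFA baseline, never lower it.
    """
    risk = 0
    if not req.device_managed:
        risk += 2  # unknown or non-compliant device
    if req.country not in USUAL_COUNTRIES.get(req.user, set()):
        risk += 2  # location never seen for this user
    if not any(ip_address(req.source_ip) in net for net in CORPORATE_NETWORKS):
        risk += 1  # outside the corporate address space
    if req.sensitive_resource:
        risk += 1  # higher impact if the session is hostile

    if risk >= 5:
        return "deny"     # too many anomalies at once: block and alert
    if risk >= 2:
        return "step_up"  # require a stronger factor or re-authentication
    return "mfa"          # baseline: second factor still required
```

The important property is the floor: even the lowest-risk request still returns `mfa`, so a trusted network or device never reduces a login to password-only.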
From a business perspective, MFA also contributes to compliance with regulations such as the NIS2 directive (soon to be implemented in France…), DORA or PCI DSS, which require verifiable controls over who can access sensitive systems and data. It also demonstrates to customers, partners and auditors that the organization takes identity protection seriously.
MFA and Zero Trust: Protecting Every Access Point
In a zero trust model, no user is considered trusted by default. Whether they are inside the company network or connected via VPN doesn’t matter: each access request is evaluated based on who made it and under what conditions.
MFA is one of the cornerstones of this approach, as it moves verification from the network to identity. This is where many organizations fail: they impose strict controls on critical systems but neglect everyday tools. Collaboration platforms, code repositories, project management tools — services that handle sensitive information and, in many cases, are only protected by a username and password.
The incidents involving Snowflake, or more recently State databases, clearly illustrate this: a single service without MFA is enough to weaken the entire security strategy. An attacker will not target the most protected access point; they will look for what has been left exposed.
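One way to find the service that has been left exposed is to audit sign-in logs for successful logins that used a single factor. The following is an added example, not part of the original article: the key=value log format, service names and accounts are constructed for illustration.

```python
from collections import defaultdict

# Constructed sign-in events in a hypothetical key=value format.
SAMPLE_LOG = """\
ts=2024-05-02T08:01:11Z service=erp user=alice result=success factors=password,totp
ts=2024-05-02T08:03:40Z service=wiki user=alice result=success factors=password
ts=2024-05-02T08:05:02Z service=git user=svc-build result=success factors=password
ts=2024-05-02T08:07:19Z service=git user=bob result=failure factors=password
ts=2024-05-02T08:09:55Z service=git user=bob result=success factors=password,webauthn
ts=2024-05-02T08:11:30Z service=wiki user=carol result=success factors=password
"""


def parse_line(line: str) -> dict:
    """Split one 'key=value key=value ...' log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def single_factor_gaps(log_text: str) -> dict:
    """Map each service to the accounts that signed in with one factor.

    Only successful sign-ins count: a failed password attempt is noise,
    a successful password-only login is a proven gap in MFA coverage.
    """
    gaps = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        factors = {f for f in event.get("factors", "").split(",") if f}
        if event.get("result") == "success" and len(factors) < 2:
            gaps[event["service"]].add(event["user"])
    return {svc: sorted(users) for svc, users in sorted(gaps.items())}


if __name__ == "__main__":
    for service, users in single_factor_gaps(SAMPLE_LOG).items():
        print(f"{service}: password-only sign-ins by {', '.join(users)}")
```

On the sample data the everyday tools (`wiki`, `git`) show gaps while the critical system (`erp`) does not, and the service account `svc-build` appears alongside human users.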
Even though cyber experts call for the systematic implementation of MFA, these calls do not resonate widely enough. For VSEs and SMEs, which generally remain the organizations most vulnerable to cyberattacks, good MFA practice can really save money. So when will the real awakening take place?