What Is MFA (Multi-Factor Authentication)?
MFA — Multi-Factor Authentication — requires users to verify their identity with two or more independent factors before gaining access: something you know (password), something you have (phone with authenticator app or hardware key), or something you are (fingerprint, Face ID). Microsoft reports that MFA prevents 99.9% of automated account compromise attacks — making it the single highest-impact security control available to Canadian businesses.
MFA factors explained
- Something you know — password, PIN, security question (weakest factor alone; can be phished or stolen)
- Something you have — authenticator app (Microsoft Authenticator, Google Authenticator), SMS code, hardware key (YubiKey, Feitian)
- Something you are — biometrics: fingerprint, Face ID, retinal scan (strongest factor; used in Windows Hello for Business)
Why SMS MFA is the weakest option
SMS one-time passcodes (OTPs) are better than no MFA but have significant weaknesses:
- SIM swapping — attackers convince mobile carriers to transfer your phone number to an attacker-controlled SIM, intercepting all SMS codes
- SS7 protocol vulnerabilities — weaknesses in the telecom signalling infrastructure allow sophisticated attackers to intercept SMS messages in transit
- Phishing in real-time — adversary-in-the-middle phishing kits (Evilginx, Modlishka) intercept both password and SMS code simultaneously
For accounts protecting sensitive data (banking, Microsoft 365 admin, email), use authenticator apps or hardware keys rather than SMS.
MFA options for Microsoft 365 (most common in Canadian businesses)
- Microsoft Authenticator app — free; number matching and additional context features prevent MFA fatigue attacks; push notification + one-time code
- FIDO2 hardware keys (YubiKey) — phishing-resistant; strongest protection; recommended for admin accounts and high-value targets
- Windows Hello for Business — biometric authentication tied to device; phishing-resistant; built into Windows 11; requires proper Azure AD configuration
- Passkeys — emerging standard; replaces password + MFA with device-bound credential; Microsoft 365 passkey support available in 2024+
MFA fatigue attacks and how to prevent them
MFA fatigue (prompt bombing) is an attack where criminals who already hold a victim's password repeatedly trigger MFA push notifications until the target approves one just to make the notifications stop. Prevention:
- Enable "number matching" in Microsoft Authenticator — user must type a number shown on screen to approve, preventing blind approval
- Enable "additional context" — shows app, location, and device in the MFA prompt so users can spot suspicious requests
- Use FIDO2 keys or passkeys — phishing-resistant MFA with no push prompt to approve, so it cannot be fatigue-attacked
- Set MFA rate limiting — alert and block after 5 failed MFA attempts
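A defender-side illustration of the rate-limiting point above, added here as an example and not code from the original page or from Outsource IT Canada: it scans constructed sign-in log lines for a burst of denied or timed-out push prompts and flags the account for blocking, escalating when an approval follows the burst (the hallmark of a successful prompt-bombing attack). The log format, user names and thresholds are assumptions.

```python
# Added example (not from the original page): detect MFA fatigue / prompt
# bombing over sign-in events and decide which accounts to block.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<iso-timestamp> <user> <push result>"
SAMPLE_LOG = """\
2024-03-01T08:00:05 alice@example.ca push_denied
2024-03-01T08:00:40 alice@example.ca push_timeout
2024-03-01T08:01:12 alice@example.ca push_denied
2024-03-01T08:01:50 alice@example.ca push_denied
2024-03-01T08:02:30 alice@example.ca push_timeout
2024-03-01T08:03:05 alice@example.ca push_approved
2024-03-01T09:15:00 bob@example.ca push_denied
2024-03-01T12:40:00 bob@example.ca push_approved
"""

FAILED = {"push_denied", "push_timeout"}  # results that count as a failed prompt

def parse_log(text):
    """Parse the constructed log format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events

def detect_prompt_bombing(events, threshold=5, window=timedelta(minutes=5)):
    """Return {user: verdict}. A user reaching `threshold` failed pushes inside
    a sliding `window` gets 'block'; if an approval follows that burst the
    verdict is 'block+investigate' (the victim may have given in)."""
    per_user = defaultdict(list)
    for ts, user, result in sorted(events):
        per_user[user].append((ts, result))
    verdicts = {}
    for user, items in per_user.items():
        recent = []      # timestamps of failed pushes still inside the window
        burst_at = None  # time the threshold was first reached
        for ts, result in items:
            if result in FAILED:
                recent.append(ts)
                recent = [t for t in recent if ts - t <= window]
                if len(recent) >= threshold and burst_at is None:
                    burst_at = ts
            elif result == "push_approved" and burst_at is not None:
                verdicts[user] = "block+investigate"
        if burst_at is not None and user not in verdicts:
            verdicts[user] = "block"
    return verdicts
```

Running `detect_prompt_bombing(parse_log(SAMPLE_LOG))` flags only alice, whose five failed prompts within three minutes were followed by an approval; bob's single denied prompt hours before a legitimate approval is left alone.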
MFA requirements for Canadian cyber insurance
Canadian cyber insurers universally require MFA as of 2026:
- MFA on all email accounts (Microsoft 365, Google Workspace)
- MFA on all remote access (VPN, RDP, Azure Virtual Desktop)
- MFA on all admin accounts with no exceptions
- Privileged accounts should use phishing-resistant MFA (FIDO2 or Windows Hello)
Organizations that cannot demonstrate MFA on email and remote access are either denied cyber insurance or charged substantially higher premiums in the Canadian market.
How Outsource IT Canada can help
- Managed IT Services — 24/7 monitoring and flat-rate IT support for Canadian businesses
- Cybersecurity Services — EDR, MDR, dark web monitoring, and incident response
- PIPEDA Compliance — privacy impact assessments and breach notification procedures
- Get a free assessment — call (416) 623-9677
Ready to transform your IT? Call (416) 623-9677 for a free assessment.