
05/22/2026 Identity Access Management 12 min read

Multi factor authentication for the frontline: why identity is the strongest defence your company has left

Four thousand years ago, a Mesopotamian merchant pressed a cylinder seal into wet clay to prove that a sealed amphora truly came from him. The seal worked because three things came together: something he possessed, something he knew about its use, and something only he could produce in that exact pattern. We have been doing multi factor authentication ever since, only the seals have changed.

Today the question has evolved. If 22% of breaches still begin with a stolen password, it is worth rethinking how we ask a shift supervisor to authenticate. This piece looks at multi factor authentication through the lens of identity fabric, and asks what it really takes to protect every worker, including those who never sit at a desk.

Dr. Franzi Finkenstein

Key Takeaways

  • Multi factor authentication is no longer optional for any workforce, including the frontline. Compromised credentials remained the single largest initial access vector in 2025, accounting for 22% of all breaches in the Verizon Data Breach Investigations Report.

  • The strongest authentication methods combine knowledge factors, possession and biometrics. Adaptive multi factor authentication adjusts the verification factors in real time, based on context and risk signals such as device, location and behaviour.

  • Frontline workers need authentication methods built for shared devices and gloves. Push notifications to a personal mobile phone fail in a meat-processing plant or on a retail shop floor, which is why facial recognition, NFC badges and short PINs are taking over.

  • Identity fabric is the architecture that ties it all together. Gartner now treats identity as foundational infrastructure, with the identity fabric concept unifying authentication, authorisation and governance across every system a user accesses.

  • Implementing MFA well is a quiet act of respect for employees. A trusted device, a fingerprint scan and a one time password that arrives in the right place at the right time turn security from a daily friction into a background guarantee.


A vivid moment: how a single phone call cost MGM Resorts roughly USD 100 million

On 8 September 2023, an attacker rang the MGM Resorts IT help desk and pretended to be an employee whose details had been scraped from LinkedIn. The phone call lasted about ten minutes. By the end of it, the help desk had reset the employee's multi factor authentication credentials, the attackers had walked into Okta and from there into the Azure Active Directory domain controller, and the chain that culminated in a roughly USD 100 million loss had begun. Caesars Entertainment fell to the same group in the same window and reportedly paid a USD 15 million ransom.

Neither company was careless in any obvious sense. Both had MFA. Both had reputable identity providers. What they did not have was an authentication system designed to assume that a phone call could be the weakest link.

It is worth sitting with that for a moment. The breach did not happen because the attackers picked a lock. It happened because someone with operational authority believed a story. Every multi factor authentication strategy ever written is, in the end, a strategy for what to do when the story is convincing and the lock is already open.

The MGM case is now a teaching example in nearly every workforce identity programme, including those serving frontline industries where shared devices, high staff turnover and shift work multiply the points of failure. Hospitality, manufacturing, logistics and retail share a structural feature: thousands of user accounts, most of them belonging to people who do not own a corporate laptop and who change shifts every few hours. That is a hard environment to protect with old assumptions about how a legitimate user logs in.

What multi factor authentication actually is, in plain language

Multi factor authentication, often shortened to MFA or multifactor authentication, is a login process that asks a user to confirm their identity using more than one type of evidence before they gain access to a system. The same principle underpins two factor authentication, which uses only two factors and is simply MFA in its smallest configuration.

Both rely on the idea that combining multiple authentication factors, rather than relying solely on a single check, makes it harder for an attacker to impersonate the legitimate user, even if a stolen password is already in their hands. Only the user with all the required factors in their possession should gain secure access.

There are three classical categories of authentication factors:

  • Knowledge factors are things the user knows, such as a password, a PIN or a security question.

  • Possession factors are things the user has, such as a physical token, a security token, a mobile device, a hardware token or a software token on their phone.

  • Inherence factors are things the user is, captured through biometric authentication such as a fingerprint scan, facial recognition or behavioural biometrics.

A well-designed authentication system combines multiple factors from at least two of these categories, which is the structural definition of multi factor authentication.

For most office workers, multi factor authentication shows up as verification codes from Microsoft Authenticator or Google Authenticator, a push notification on a trusted device, or a passwordless authentication flow built on FIDO2 keys that exchange key material with the identity provider in the background. For frontline staff, the same principle has to hold, but the implementation has to look very different. A worker on a packing line cannot stop to type a one time password on their phone every fifteen minutes. The factors must be present, but the friction must vanish into the workflow.

How multi factor authentication works in 2026: the authentication methods and behavioural biometrics that matter

Multi factor authentication methods have shifted faster in three years than in the previous decade. Phishing attacks and prompt bombing now bypass legacy verification methods such as SMS codes. NIS2, DORA and updated NIST SP 800-63-4 guidelines all require phishing-resistant MFA for sensitive data access. And stolen credentials remain the leading attack vector for the second consecutive year in the Verizon DBIR, behind 88% of attacks against basic web applications and 22% of confirmed data breaches.

Five authentication methods matter most in 2026.

Biometric authentication is now baseline. A fingerprint scan or facial recognition check on a trusted device confirms the inherence factor in under a second. Behavioural biometrics, which model how a user types and swipes, add continuous verification long after the user accesses the system.

Passwordless authentication is replacing the user's password on a growing share of corporate logins. The FIDO Alliance reported five billion passkeys in use globally by May 2026, with 87% of enterprises deploying or piloting them. Passkeys are cryptographically bound to a specific application, so a credential created for a legitimate site cannot be replayed against a phishing copy.

Hardware tokens and software tokens remain the gold standard for high-privilege user accounts. A FIDO2 device offers a physical object the user must touch. Software tokens, including push notifications from Microsoft Authenticator, are convenient but vulnerable to MFA fatigue.

Adaptive multi factor authentication adjusts the verification factors in real time. Adaptive authentication, also called risk based authentication, uses device fingerprint, geolocation and past behaviour to decide how many factors each authentication request needs.

Security keys, NFC badges and short PINs are the workhorses of frontline environments. The MFA factor there is rarely a smartphone. It is a badge tap, a face scan, or a memorised code paired with a possession factor on the worker's lanyard.
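The origin binding that makes passkeys phishing-resistant comes down to a few server-side checks on each WebAuthn assertion. The sketch below is an added example, not code from Flip or any identity provider; the origin, RP ID and sample assertions are constructed assumptions, and signature verification with the stored public key is assumed to happen in a separate step.

```python
import base64
import hashlib
import hmac
import json
import struct

# Assumed relying-party values for this example.
EXPECTED_ORIGIN = "https://login.example.com"
RP_ID = "login.example.com"


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    issued_challenge: bytes) -> list[str]:
    """Return the binding checks that failed; an empty list means all passed.

    Signature verification over authenticator_data || SHA-256(client_data_json)
    with the stored public key is a separate step and is not shown here.
    """
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return ["clientDataJSON is not valid JSON"]
    if not isinstance(client, dict):
        return ["clientDataJSON is not an object"]

    problems = []
    if client.get("type") != "webauthn.get":
        problems.append("wrong ceremony type")
    # The challenge must be the one this server issued for this login attempt.
    got = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(got, b64url(issued_challenge).encode()):
        problems.append("challenge mismatch")
    # The browser, not the page, writes the origin it actually talked to.
    if client.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin mismatch")

    if len(authenticator_data) < 37:
        return problems + ["authenticatorData too short"]
    rp_id_hash, flags, _sign_count = struct.unpack(">32sBI", authenticator_data[:37])
    # The authenticator scopes the credential to the RP ID it was created for.
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        problems.append("rpIdHash mismatch")
    if not flags & 0x01:
        problems.append("user not present")
    if not flags & 0x04:
        problems.append("user not verified")
    return problems


def sample_assertion(origin: str, rp_id: str, challenge: bytes, flags: int = 0x05):
    """Constructed test data standing in for browser and authenticator output."""
    client = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, 1)
    return client, auth


if __name__ == "__main__":
    challenge = b"constructed-challenge-0001"
    print(check_assertion(*sample_assertion(EXPECTED_ORIGIN, RP_ID, challenge), challenge))
    print(check_assertion(*sample_assertion("https://login.example.net", "login.example.net",
                                            challenge), challenge))
```

An assertion produced on a look-alike site fails on both the origin and the RP ID hash, so relaying it to the real service gains nothing.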

Why authentication factors break down on the frontline

Most multi factor authentication products were built for office workers. The assumption is that the user has a corporate laptop and a personal mobile phone within reach. None of that holds for the deskless workforce.

Imagine Kareem, a shift supervisor at an automotive supplier in Manchester. He moves between three shared workstations across an eight-hour shift, wears gloves and safety glasses, and locks his personal phone in a locker because it is forbidden on the factory floor. Push notifications cannot reach him. SMS codes cannot reach him.

This is where adaptive multi factor authentication earns its name. With signals from a trusted device, a corporate network and a badge tap, the authentication process for routine workflows can shrink to a single PIN or fingerprint scan. Higher-risk actions, such as accessing personal data of colleagues, can require a second factor or manager confirmation.

The same principle holds in retail, logistics and hospitality. Implementing MFA in those environments is a question of fit. Get the fit wrong, and the result is either security theatre or operational paralysis.

Knowledge factors, mobile phones and the limits of the Microsoft Authenticator assumption

Knowledge factors remain the most common first factor in multi factor authentication (MFA), but they are also the most fragile. The 2025 Verizon DBIR found that only 49% of a typical user's passwords across different services were distinct, and that only 3% of compromised passwords met basic complexity requirements. Twenty-five percent of all tested malware in the same study contained credentials lifted from password stores, including saved autofill information in browsers and corporate password managers.

In other words, knowledge factors are leaking faster than security teams can refresh them. Compromised credentials are not an edge case. They are the baseline assumption every authentication system should now make.

The smartphone-first assumption is similarly fragile. Mobile phones underpin push notifications, software tokens, SMS codes and biometric checks in office environments, but they are unreliable as a universal MFA factor for the frontline workforce. Some workers do not have a corporate phone. Some are not allowed to carry a personal one. Some work in environments where mobile signal is patchy or where battery life cannot be guaranteed across a shift. Designing the authentication system around the assumption that the user's phone is always with them, charged and connected, excludes a meaningful share of the workforce by default.

The answer lies in treating mobile phones as one option among several, while making sure the authentication system can accept different combinations of authentication factors depending on the persona. A back-office HR analyst might authenticate via Microsoft Authenticator on her personal device. A warehouse picker might authenticate via a badge tap and a facial recognition check on a shared kiosk. Both should land in the same identity, with the same governance, the same audit trail and the same access management posture.


Adaptive multi factor authentication: the adaptive authentication architecture that scales access management

Adaptive multi factor authentication, sometimes called risk based authentication, is the architecture that makes multi factor authentication tolerable at scale. The core idea is that not every authentication request carries the same risk, so not every authentication request should require the same number of factors.

A worker logging in from a trusted device, on a known corporate network, at the start of their normal shift, presents almost no risk. The system can verify them with a single factor and let them through. The same worker logging in from an unknown device, at an unusual time, requesting access to a sensitive payroll system, presents a very different risk profile. The system can step up to a second factor, a third factor or a manager approval before granting access.

The signals that feed adaptive authentication include device identity, geolocation, time of day, behavioural biometrics, the sensitivity of the requested resource, and the user's recent activity. Modern MFA systems also incorporate threat intelligence about active phishing attacks or credential dumps, automatically tightening verification factors for affected users.
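A step-up policy of this kind can be sketched as a small function. This is an added example, not Flip's or any vendor's implementation; the method names, persona sets, risk weights and thresholds are all assumptions chosen for illustration. It counts distinct factor categories rather than factors, and only offers step-up methods the persona can actually use.

```python
from dataclasses import dataclass

# Factor categories from the article; method names are illustrative assumptions.
CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "badge_tap": "possession", "fido2_key": "possession",
    "authenticator_app": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

# Methods each persona can realistically use (assumed): no phone on the shop floor.
PERSONA_METHODS = {
    "office": set(CATEGORY),
    "frontline": {"pin", "badge_tap", "fido2_key", "fingerprint", "face"},
}


@dataclass(frozen=True)
class Context:
    persona: str
    trusted_device: bool
    corporate_network: bool
    within_shift: bool
    sensitive_resource: bool
    credential_exposed: bool = False  # threat-intel hit, e.g. a credential dump


def risk_score(ctx: Context) -> int:
    """Additive score over the signals the article lists; weights are assumed."""
    return (
        2 * (not ctx.trusted_device)
        + 1 * (not ctx.corporate_network)
        + 1 * (not ctx.within_shift)
        + 2 * ctx.sensitive_resource
        + 3 * ctx.credential_exposed
    )


def required_categories(ctx: Context) -> int:
    """Map risk to the number of distinct factor categories required."""
    score = risk_score(ctx)
    if score == 0:
        return 1
    return 2 if score <= 3 else 3


def decide(ctx: Context, presented: list[str]) -> dict:
    """Allow, or step up and list the methods this persona can still offer."""
    usable = PERSONA_METHODS[ctx.persona]
    # Unknown methods, or ones this persona may not use, never count.
    accepted = [m for m in presented if m in usable]
    have = {CATEGORY[m] for m in accepted}
    need = required_categories(ctx)
    if len(have) >= need:
        return {"decision": "allow", "need": need, "offer": []}
    # Only methods from categories not yet satisfied add assurance.
    offer = sorted(m for m in usable if CATEGORY[m] not in have)
    return {"decision": "step_up", "need": need, "offer": offer}


if __name__ == "__main__":
    routine = Context("frontline", True, True, True, False)
    payroll = Context("frontline", True, True, True, True)
    print(decide(routine, ["pin"]))
    print(decide(payroll, ["pin"]))
```

A password plus a PIN still counts as one category here, so it does not satisfy a two-category requirement.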

Done well, adaptive multi factor authentication has the paradoxical effect of being both stricter and lighter. Stricter, because the authentication process now responds to real risk rather than applying the same crude check to everyone. Lighter, because most authentication events for most users involve fewer steps than a static MFA system would require. The user experiences a login that simply works. The security team gets a more defensible posture against unauthorised users.

Adaptive authentication is also what allows organisations to roll out passwordless authentication without leaving anyone behind. A user with a passkey on their trusted device passes the strongest possible check with a single gesture. A user without a passkey, perhaps because they share a device or have just joined, can still authenticate with a different combination of factors, and can be migrated to passkeys as soon as the operational setup allows.

The identity fabric that holds everything together

Multi factor authentication does not exist in isolation. It is one layer in a larger architecture that Gartner now calls the identity fabric. The identity fabric is the connected, risk-aware system that ties together authentication, authorisation and identity governance across every application, device and user in an organisation. It is the architecture that lets a single user's identity flow cleanly from the moment they badge into a building to the moment they request data access in a sensitive system.

Recent Gartner research highlights ten identity fabric principles that prepare access management for the future, including unified authentication, lifecycle automation tied to HR systems, continuous verification, and the treatment of identity as the foundation of a modern security strategy rather than a supporting control. The shift is structural. Identity is no longer a feature tucked inside an IT department. It is the operational backbone of everything else.

For frontline-heavy organisations, the identity fabric concept matters in a particular way. Such systems must accommodate three different kinds of users: office staff, deskless workers and increasingly AI agents. They must support multiple authentication factors and multiple verification methods. They must integrate with HR, payroll and operations systems so that joiners, movers and leavers are provisioned and deprovisioned without manual intervention. And they must do all of that without creating new friction for the legitimate user who simply wants to start their shift.

Most identity fabrics today are stitched together from several products. An identity provider handles authentication. A separate tool handles privileged access. A third manages mobile devices. The seams between them are where breaches like MGM, Caesars and the Snowflake credential stuffing wave found their footholds. Closing those seams is the central task of any access management roadmap for the next three years.

The credential that travels with the worker, not the desk

Flip Identity is Flip's answer to the part of the identity fabric that frontline workers actually touch. It gives each frontline worker a single, secure credential that opens every system they need from one app, including the mini apps that handle shift requests, payslips and absence reporting. By removing the need for third-party identity providers in the day-to-day login process and by supporting biometric authentication, badge taps and short PINs on shared devices, it makes multi factor authentication tolerable for the workers who have historically been hardest to protect.

Flip Identity is not a replacement for Microsoft Entra or Okta in enterprise environments. It is the layer that lets the frontline part of the workforce participate in the identity fabric without compromise. The result is that the legitimate user gets one touch instead of three, the IT team gets one place to enforce policy, and the security posture covers the entire workforce rather than only the half that sits behind a corporate laptop.

What implementing MFA well looks like in practice: how to enable MFA with the right MFA factor

The companies that get MFA implementation right share a small number of habits:

  • They enable MFA for every user account, not only for administrators. The Verizon DBIR is unambiguous on this point: 88% of attacks against basic web applications involve stolen credentials, and the share of attacks targeting non-privileged accounts has been rising steadily as attackers chase the path of least resistance.

  • They choose verification factors that fit the persona. Office workers get Microsoft Authenticator, Google Authenticator or FIDO2 security keys. Frontline workers get badge taps, fingerprint scans, facial recognition on shared kiosks and short PINs. The MFA factor for a forklift driver is not the same as the MFA factor for a finance director, and pretending otherwise is the surest way to push staff towards workarounds.

  • They build adaptive authentication into the authentication system from the start. Risk based authentication belongs in the design principles from day one, so that the system stays usable as the workforce grows, the threat landscape shifts and the number of accounts per user increases.

  • They invest in user education. MFA fatigue and phishing attacks both rely on the assumption that the user will eventually click the wrong button. A clear, recurring conversation about what a legitimate authentication request looks like, and what to do if something feels off, is one of the cheapest and most effective security measures available.

  • They measure what matters. The number of password reset tickets, the share of users on passwordless authentication, the rate of MFA enrolment across the deskless workforce, the time from joiner to first successful login. These metrics tell you whether your access management is doing what it should, or whether it is quietly excluding the people who keep the operation running.

The AI dimension: why identity protection matters more in 2026

As AI agents take on more work inside corporate networks, the question becomes: who is authenticating to what?

Agentic AI systems now act on behalf of users, calling APIs and accessing sensitive data with delegated permissions. Every action is an authentication event, and every event needs an identity. Without a strong identity fabric, the AI agent becomes the most over-privileged user in the company. With one, it is just another principal subject to the same risk based authentication and audit trail as a human.

This is why multi factor authentication matters more in an AI-heavy world. The number of identities is growing, the authentication factors per identity are growing, and the blast radius of compromised credentials is growing with them. The only sustainable response is to treat identity protection as foundational infrastructure, embed adaptive authentication everywhere, and make the experience good enough that humans actually use it.

Flip's roadmap is built on that assumption. Flip Comms, Flip Flows, Flip Identity and Flip Agents form one connected layer for communication, workflow execution, authentication and AI in a single mobile-first app. For the frontline worker, that means one touch instead of three. For the company, it means a workforce that is genuinely empowered and genuinely protected as AI gains more relevance in daily operations.

Conclusion: trust is the new infrastructure

The Mesopotamian merchant trusted his cylinder seal because it combined something he possessed, something he knew and something only he could produce. Four thousand years later, the only thing that has really changed is the cost of failure. A stolen password today can cost an enterprise USD 100 million in a single phone call, as MGM Resorts learned the hard way in 2023. A well-built authentication system, by contrast, costs almost nothing per login and quietly defends thousands of user accounts every day.

The companies that will thrive in the next decade are the ones that treat identity as infrastructure. They will enable MFA for every employee, including the ones who never sit at a desk. They will design adaptive multi factor authentication that respects the texture of a shift worker's day. They will close the seams between authentication, authorisation and governance until the identity fabric is genuinely whole. And they will do so because they understand that trust, in 2026, is the most valuable thing a company can produce.

The seal has changed. The principle has not.

Sources: Verizon Business, 2025 Data Breach Investigations Report; FIDO Alliance, FIDO Alliance Reports Accelerating Global Passkey Adoption on World Passkey Day 2026; Gartner (2026), The 10 Identity Fabric Principles That Prepare IAM for the Future.

FAQ - Multi factor authentication

What is multi factor authentication and why does it matter for frontline workers?

Multi factor authentication is a login process that requires a user to confirm their identity with two or more authentication factors before they are granted access to a system. For frontline workers, it matters because shared devices, high turnover and limited access to personal mobile phones create exactly the conditions in which stolen credentials cause the most damage. A well-designed MFA system uses authentication methods such as badge taps, biometric authentication and short PINs to keep the login process fast while still protecting sensitive data.

What is the difference between two factor authentication and multi factor authentication?

Two factor authentication is a specific case of multi factor authentication in which exactly two factors are required. Multi factor authentication is the broader category and can involve two, three or more verification factors drawn from knowledge factors, possession factors and biometric data. In practice, modern MFA systems often use adaptive authentication to vary the number of factors based on the risk of each authentication request.

Which multi factor authentication methods work best on shared devices?

The authentication methods that work best on shared devices are the ones that do not depend on a personal mobile phone. These include facial recognition, fingerprint scan, NFC employee badges, short PINs tied to the workforce identity system, and physical security keys such as FIDO2 tokens. Software tokens like Microsoft Authenticator and Google Authenticator remain useful for office staff, but they should be combined with shared-device-friendly options for the deskless workforce.

How does adaptive multi factor authentication reduce friction without weakening system security?

Adaptive multi factor authentication, sometimes called risk based authentication, uses contextual signals such as device, location, behaviour and the sensitivity of the requested resource to decide how many factors to require for each authentication request. A user on a trusted device inside the corporate network may pass with a single factor, while the same user accessing sensitive data from an unfamiliar device will face an additional security challenge. The result is fewer steps for legitimate users and stronger protection against unauthorised users.


Dr. Franzi Finkenstein

Dr. Franzi Finkenstein is part of the Content & Search team at Flip, writing about digital communication, employee engagement and AI–human connections. Drawing on a humanities PhD and extensive editorial experience, she focuses on how digital technology is reshaping the future of work and explores how employee health and wellbeing in modern workplaces can be improved.
