Gaps in Multi-Factor Authentication (MFA)

In this article, we will explore some of the drawbacks of MFA/2FA as a user security tool.

Multi-Factor Authentication (MFA), also known as Two-Factor Authentication (2FA), has become an essential tool for protecting user accounts. It has become so ubiquitous that Microsoft has recently started enforcing it on all tenants by default. MFA helps safeguard an account when one credential is compromised; however, MFA/2FA is not a foolproof security solution. Understanding its limitations and potential vulnerabilities is essential to giving your Exchange Server well-rounded security.

How Does MFA Work?

Multi-factor authentication works by requesting one or more additional forms of identification from the user after they have entered a valid username and password. This may be a code from a mobile app, a code sent by text message or email, or a hardware token.

Why do AD Lockouts occur with MFA?

MFA security is often deployed to safeguard login forms, such as Outlook Web App (OWA) and the Exchange Control Panel (ECP). A significant limitation arises when incorrect credentials are repeatedly entered, triggering Active Directory (AD) account lockout policies. When multiple accounts surpass their failed-login threshold, widespread AD lockouts occur. This wreaks havoc for system administrators.

While MFA does provide an extra layer of security, it does not prevent AD lockouts. An unexpected prompt for a second factor may, however, serve as a warning that an unauthorized user is attempting to access the account.

How Are Usernames and Passwords Leaked by MFA?

Another noteworthy limitation of MFA is the potential for usernames and passwords to be confirmed to an attacker. The MFA step only launches after valid login credentials have been entered. Therefore, even if an attacker is not able to finish logging into the account, receiving a prompt for an authentication code confirms that the username and password combination is valid.

With a correct username and password combination, an attacker can probe other services that do not employ MFA, such as Wi-Fi or workstation logons. Users often keep the same passwords across applications and devices, leaving them vulnerable.

Why Can’t MFA Prevent Programmatic Attacks?

MFA security offers limited protection against programmatic attacks on server APIs. Exchange Server depends heavily on services such as Exchange Web Services (EWS) and the Offline Address Book (OAB) for various business processes.

The challenge arises when attackers set their sights on these server APIs directly. MFA, which is primarily designed for interactive user authentication, does not effectively block programmatic attacks. Attackers can abuse legitimate credentials or bypass MFA entirely by targeting the server-side services rather than the individual user's logon form.
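As an added illustration of the two gaps above (repeated guessing on OWA that drives accounts toward the AD lockout threshold, and password spraying against the MFA-free EWS and OAB endpoints), the following script flags accounts approaching lockout and client addresses spraying across many accounts. It is not code from the article or from Messageware; the log lines are constructed, and the simplified IIS W3C layout, the lockout threshold of 5 and the endpoint list are assumptions.

```python
import re
from collections import defaultdict

# Endpoints the article names as reachable without an MFA prompt (EWS, OAB).
UNPROTECTED_PREFIXES = ("/ews/", "/oab/")

# Constructed sample, simplified IIS W3C layout: date time uri user ip status
SAMPLE_LOG = """\
2024-01-10 08:00:01 /owa/auth.owa alice 203.0.113.5 401
2024-01-10 08:00:02 /owa/auth.owa alice 203.0.113.5 401
2024-01-10 08:00:03 /owa/auth.owa alice 203.0.113.5 401
2024-01-10 08:00:04 /owa/auth.owa alice 203.0.113.5 401
2024-01-10 08:00:09 /ews/exchange.asmx bob 198.51.100.7 401
2024-01-10 08:00:10 /ews/exchange.asmx carol 198.51.100.7 401
2024-01-10 08:00:11 /OAB/ dave 198.51.100.7 401
2024-01-10 08:00:12 /OAB/ erin 198.51.100.7 401
2024-01-10 08:00:20 /owa/auth.owa gina 192.0.2.9 200
"""

LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<uri>\S+) "
                     r"(?P<user>\S+) (?P<ip>\S+) (?P<status>\d{3})$")

def parse_line(line):
    """Return the fields of one log line, or None for #Fields/comment lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def analyze(log_text, lockout_threshold=5, spray_min_users=3):
    """Return (near_lockout, spray_sources), counting 401 responses only:
    accounts within one failure of the assumed AD lockout threshold, and
    client IPs that failed against spray_min_users or more distinct accounts
    (with a count of their hits on the MFA-free endpoints)."""
    failures_per_user = defaultdict(int)
    users_per_ip = defaultdict(set)
    mfa_free_per_ip = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "401":
            continue
        failures_per_user[rec["user"]] += 1
        users_per_ip[rec["ip"]].add(rec["user"])
        if rec["uri"].lower().startswith(UNPROTECTED_PREFIXES):
            mfa_free_per_ip[rec["ip"]] += 1
    near_lockout = {u: n for u, n in failures_per_user.items()
                    if n >= lockout_threshold - 1}
    spray_sources = {ip: {"users": sorted(us), "mfa_free_hits": mfa_free_per_ip[ip]}
                     for ip, us in users_per_ip.items() if len(us) >= spray_min_users}
    return near_lockout, spray_sources
```

Run against the sample, `analyze(SAMPLE_LOG)` reports alice one failure short of lockout and 198.51.100.7 spraying four accounts entirely through EWS and OAB, which an OWA-only MFA deployment would never prompt for.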

What Other Security Measures Should You Take?

In addition to Multi-Factor Authentication (MFA), it is imperative to consider a broader spectrum of security measures to fortify your digital defenses comprehensively.

Robust Access Controls

Implementing stringent access controls is fundamental in preventing unauthorized access to sensitive information. Fine-tune permissions based on roles and responsibilities, ensuring that individuals only have access to the resources necessary for their tasks. Regularly review and update access privileges to align with organizational changes.

Third Party Software Solutions

By combining MFA with a third-party solution, you can easily add protection to all Exchange Servers. Messageware Exchange Protocol Guard (EPG) provides advanced logon intelligence and control for Microsoft Exchange Servers by monitoring potential risks from attacks against Exchange Server services (which cannot be protected by MFA). Hackers probe for exploitable Exchange services, leading to attacks such as brute-force password guessing, password spraying, and Denial of Service (DoS). These cause Active Directory (AD) lockouts, create havoc in your support center, and lead to stolen credentials that are used to compromise corporate networks.

Comprehensive User Education

Invest in comprehensive user education programs to heighten awareness among employees about potential security risks. Educate them on phishing scams, social engineering tactics, and the importance of safeguarding login credentials. Informed users are a crucial line of defense against various cyber threats.

While Multi-Factor Authentication (MFA) undeniably enhances cybersecurity by introducing an additional layer of protection, acknowledging its limitations is paramount. Concerns such as Active Directory (AD) lockouts, the risk of username and password leakage, and susceptibility to programmatic attacks on server APIs emphasize the need for a multifaceted security approach. To build a well-rounded shield against the evolving threats in the digital landscape, organizations should seamlessly integrate MFA with other security best practices. This includes enforcing robust access controls, implementing vigilant monitoring protocols, and fostering comprehensive user education. By adopting a holistic cybersecurity strategy, organizations can create a resilient defense posture against the diverse challenges posed by cyber threats.