
MFA on VPN: The Most Critical Control Against Ransomware
Direct answer
55% of Akira attacks documented by CISA (advisory AA24-109A) originated from Cisco VPN without MFA. The control is cheap (a few dollars per user/month), fast to implement (hours to days) and blocks the #1 corporate ransomware vector in 2026.
Why VPN without MFA is the preferred target
Modern attackers rarely break in via zero-day exploits: they buy leaked credentials from an Initial Access Broker on the darknet (~US$ 1,000-10,000) and use them to log into a VPN without MFA. From there they move laterally until they compromise Active Directory. With MFA enforced, leaked credentials alone do not grant access: the attacker would also have to obtain the second factor (TOTP token, push approval, hardware key). In 99% of cases this sends them looking for another target. MFA does not prevent 100% of attacks, but it takes the company off the easy-target list.
Common implementation mistakes
1. Optional MFA for some users. Attackers find exactly the user without MFA. Apply it to 100% of accounts, with no exceptions.
2. SMS as the only factor. SIM swapping is a growing practice. Use TOTP (Google Authenticator, Authy) or push (Duo, Microsoft Authenticator) as the default.
3. Allowing a permanent 'remember device'. Limit it to 7-30 days at most; otherwise a compromised device keeps authenticating indefinitely.
4. Not blocking logins without MFA via policy. If the configuration allows a fallback to no MFA, the attacker forces that path. The technical policy must deny it.
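As an added example (not from the original article), the following Python audit checks a VPN MFA policy against the four mistakes above. The JSON policy schema, the field names and the sample users are constructed assumptions, not any vendor's real configuration format.

```python
import json

MAX_REMEMBER_DAYS = 30  # upper bound the article recommends for 'remember device'
STRONG_FACTORS = {"totp", "push", "hardware_key"}  # anything better than SMS-only

# Constructed sample policy (hypothetical schema) exhibiting all four mistakes.
SAMPLE_POLICY = json.dumps({
    "mfa_required": True,
    "allow_fallback_without_mfa": True,  # mistake 4: password-only path still open
    "remember_device_days": 0,           # mistake 3: 0 means never expires (assumption)
    "allowed_factors": ["sms"],          # mistake 2: SMS is the only factor
    "users": [
        {"name": "alice", "mfa_enrolled": True},
        {"name": "svc-backup", "mfa_enrolled": False},  # mistake 1: the exception
    ],
})


def audit_vpn_mfa_policy(policy_json: str) -> list:
    """Return a list of findings; an empty list means the policy passes."""
    policy = json.loads(policy_json)
    findings = []
    # 1. Every account must be enrolled; attackers look for the one exception.
    missing = [u["name"] for u in policy.get("users", []) if not u.get("mfa_enrolled")]
    if not policy.get("mfa_required") or missing:
        findings.append(f"MFA not enforced for all users: {missing or 'policy disabled'}")
    # 2. At least one TOTP/push/hardware factor must be allowed, not SMS alone.
    factors = set(policy.get("allowed_factors", []))
    if not factors & STRONG_FACTORS:
        findings.append(f"No TOTP/push/hardware factor allowed (only {sorted(factors)})")
    # 3. 'Remember device' must expire within the 7-30 day window (0 = permanent).
    days = policy.get("remember_device_days", 0)
    if days <= 0 or days > MAX_REMEMBER_DAYS:
        findings.append(f"remember_device_days={days} is outside the {MAX_REMEMBER_DAYS}-day limit")
    # 4. Any fallback path that skips MFA is the path the attacker will take.
    if policy.get("allow_fallback_without_mfa"):
        findings.append("Fallback to password-only login is allowed")
    return findings


if __name__ == "__main__":
    for finding in audit_vpn_mfa_policy(SAMPLE_POLICY):
        print("FAIL:", finding)
```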
FAQ
Which MFA provider to recommend?
For Microsoft-ecosystem companies: Microsoft Authenticator + Conditional Access (included in Microsoft 365 Business Premium). For multi-vendor: Cisco Duo (leader in VPN integration). For SMBs without Microsoft: Authy or Google Workspace MFA.
Does MFA hurt productivity?
A push notification takes 2-3 seconds to approve. Compare that with a US$ 50,000-500,000 average ransom: the ROI is overwhelming.
How to apply on Cisco AnyConnect VPN?
Cisco Duo integrates natively via a RADIUS proxy. Implementation time: 4-8 hours to configure and test, with a gradual rollout over 1-2 weeks.
Does FortiGate support MFA?
Yes, natively via FortiToken or via SAML integration with any IdP (Azure AD, Okta, Duo). FortiOS 7+ is recommended.
What if the user loses their phone?
Standard procedure: the user calls IT and verifies their identity by another means (video call, security question); IT revokes the old MFA enrollment and re-enrolls the new device. Average time: 15 minutes. Worth the inconvenience.
Need help implementing MFA on your VPN?
VPN + AD + EDR hardening consulting.