Our research on multi-factor authentication (MFA) solutions shows how effective the leading software products are at adaptive authentication, biometric authentication (fingerprint/Face ID), and push notifications. To highlight how companies like Salesforce, Microsoft, and Mastercard use these methods, we provide 10+ real-life MFA use cases:
Use case | Real-life example |
---|---|
Accessing corporate resources via VPN | BlueSnap |
Logging into proprietary software | Salesforce |
Securing third-party vendor access | Cisco |
Securing remote desktop access (RDP) | Microsoft |
Logging into a bank account | Bank of America |
Using a credit card online | Mastercard |
Securing access to cloud services | Google Cloud |
Securing developer access to code repos (GitHub, GitLab) | GitHub |
Securing access to sensitive healthcare data (PHI) | Cerner |
Accessing legal databases | Freeths LLP |
Securing crypto & blockchain wallets | TrueCode Capital |
Ensuring compliance with IRS MFA mandates | IRS |
Read more: Multi-factor authentication (MFA) pricing and plans, and top 10 open source MFA tools.
How to implement multi-factor authentication (MFA)?
Based on our research on MFA use cases, here are the best practices for implementing strong multi-factor authentication:
- Use stronger MFA methods: Combine low-level authentication factors like SMS-based authentication with more secure methods like authenticator apps (e.g., Google Authenticator), hardware tokens (e.g., YubiKey), or biometrics (fingerprint, facial recognition).
- Implement adaptive and risk-based MFA: Use adaptive measures to adjust security based on factors like user behavior, device trust, and location. For example, if a user logs in from a new location or device, the system can ask for additional verification.
- Integrate device health checks: Ensure devices meet security standards (e.g., updated OS, antivirus) before granting access. Use security tools to monitor device health and block risky devices.
- Strengthen user authentication policies: Use role-based access control (RBAC) to restrict sensitive data access to only authorized users.
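One way the adaptive, device-health and role-based practices above can combine into a single login decision, as an added example that is not taken from any vendor named in this article. The factor names, role names, score weights and the `Login`/`Profile` classes are assumptions made for illustration.

```python
from dataclasses import dataclass

# Factor names, role names and score weights are illustrative assumptions.
STRONG_FACTORS = {"totp_app", "hardware_key", "biometric"}
WEAK_FACTORS = {"sms_otp", "email_otp"}
SENSITIVE_ROLES = {"admin", "finance"}

@dataclass
class Profile:
    known_devices: set
    usual_countries: set

@dataclass
class Login:
    role: str
    device_id: str
    country: str
    os_patched: bool
    antivirus_on: bool
    verified_factors: set  # second factors already verified, password excluded

def risk_score(login, profile):
    """Add up context signals: unknown device, unusual location, sensitive role."""
    score = 0
    if login.device_id not in profile.known_devices:
        score += 2
    if login.country not in profile.usual_countries:
        score += 2
    if login.role in SENSITIVE_ROLES:
        score += 1
    return score

def decide(login, profile):
    """Return 'deny', 'step_up' or 'allow' for a login whose password was correct."""
    # Device health is a hard gate: no factor compensates for an unhealthy device.
    if not (login.os_patched and login.antivirus_on):
        return "deny"
    strong = bool(login.verified_factors & STRONG_FACTORS)
    any_second = strong or bool(login.verified_factors & WEAK_FACTORS)
    if risk_score(login, profile) >= 1:
        # Elevated risk: SMS or e-mail codes alone are not accepted.
        return "allow" if strong else "step_up"
    return "allow" if any_second else "step_up"
```

A `step_up` result means the caller should prompt for a further factor and evaluate again; `deny` means the device must be remediated first.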
1. Accessing corporate resources via VPN
Implementing multi-factor authentication (MFA) for VPN access enhances security for remote and hybrid work environments by preventing unauthorized access to corporate resources. Organizations commonly secure their VPNs with MFA factors such as one-time passwords and physical security tokens.
Real-life example: BlueSnap enhances VPN security with MFA
BlueSnap, a global online payments company, deployed Silverfort’s MFA to extend secure authentication across its VPN and other sensitive systems. The key aspects of the implementation included:
- Adaptive MFA policies to evaluate login context, such as device trust, geographic location, and risk level, before granting access.
- Multi-layered authentication for internal employees and external partners accessing payment processing systems.
2. Logging into proprietary software
MFA prevents unauthorized users from logging in to software containing confidential information or allowing access to sensitive systems. To log into a proprietary software system, a user may be asked to input a password and a second form of authentication, such as a security token or biometric data.
Real-life example: Salesforce uses MFA for its customers who access sensitive CRM platforms
Salesforce requires MFA for all users logging into the system, especially those accessing confidential client information or engaging in high-risk activities like modifying settings or viewing financial data. Users need to enter their password and verify their identity via a second factor, such as a one-time password (OTP) sent to their mobile device or generated by an authenticator app (e.g., Google Authenticator). [2]
3. Securing third-party vendor access
Over 80% of surveyed organizations give 3rd parties wide read access within their environment. [3] When vendors or contractors need access to company systems or data, MFA ensures that only authorized third parties can access sensitive resources.
Real-life example: Cisco secures third-party vendor access
Cisco, a global technology company with 100,000+ users and 170,000+ devices, implemented Duo Beyond to establish third-party vendor authentication before granting application access.
How Cisco secured third-party vendor access:
- Multi-factor authentication (MFA): Vendors authenticated via mobile push, biometrics (Touch ID), or passcodes, reducing unauthorized access risks.
- Device health checks: Vendor devices had to meet security standards (e.g., updated OS, screen lock, antivirus) before accessing applications.
- Device health monitoring: Duo Beyond’s “trust monitor” feature detected abnormal vendor login attempts and prompts. [4]
4. Securing remote desktop access (RDP)
Organizations with remote workforces use the remote desktop protocol (RDP). This protocol facilitates secure information exchange between remotely connected machines over an encrypted communication channel. However, cybercriminals frequently exploit weak or stolen RDP credentials to launch phishing attacks.
MFA adds a critical security layer, ensuring only authorized users can log in—even if passwords are compromised. RDP access requires MFA verification via an authenticator app, SMS OTP, or security key, preventing credential stuffing and phishing attempts.
Real-life example: Microsoft enables MFA for remote desktop access (RDP)
Microsoft enables MFA for Azure and Windows RDP logins to prevent unauthorized access. [5]
5. Logging into a bank account
When logging into a bank account, MFA can verify that only the account owner has access. To log into a bank account, a user is asked to enter a password and provide a second verification, such as a one-time code delivered to their phone or a biometric scan. This prevents unauthorized access to critical financial information and protects against fraud.
Real-life example: Bank of America requires authentication for all customers accessing their bank accounts online
When a Bank of America user tries to log in from an unrecognized device or location, the bank may require additional verification steps (such as a security code sent via text or email) to ensure it is a legitimate user. [6]
6. Using a credit card online
For an online transaction, the customer typically provides their credit card details (card number, expiration date, CVV), but MFA requires an additional step for verification.
Real-life example: Mastercard identity check (3D Secure 2.0)
Mastercard and other payment providers like Visa use a technology called 3D Secure (3DS) for online credit card transactions. With 3D Secure, when a cardholder attempts to make an online purchase, they will be required to authenticate the transaction with a second authentication factor.
For example, they may receive an OTP via SMS or email, or they may need to approve the payment via their bank’s mobile app (via push notification). [7]
7. Securing access to cloud services
MFA is used to secure access to cloud platforms to prevent unauthorized access and protect sensitive data. Most popular cloud platforms include multi-factor authentication as a core security feature.
Real-life example: Google Cloud offers MFA as part of its security model
Google Cloud requires users to provide two or more authentication factors (such as a password and a code sent to their mobile device) to access cloud resources. This applies to administrators and regular users accessing Google Cloud services like GCP (Google Cloud Platform), Google Drive, and other services containing sensitive data. [8]
8. Securing developer access to code repos (GitHub, GitLab)
Developers and organizations rely on platforms like GitHub and GitLab to store and collaborate on source code. To enhance security, developers are typically required to use MFA methods such as:
- Authentication apps (Google Authenticator, Microsoft Authenticator)
- SMS codes
- Hardware security keys (YubiKey)
Real-life example: GitHub mandated MFA for all developers
GitHub required all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) in 2023. [9]
9. Securing access to sensitive healthcare data (PHI)
Healthcare providers and organizations deal with sensitive patient information (PHI) and are subject to compliance standards like HIPAA. MFA is necessary to prevent unauthorized access to health records, secure patient data, and meet regulatory compliance requirements.
Real-life example: Cerner uses MFA to secure sensitive patient data
Cerner, a major electronic health records (EHR) provider, uses MFA to secure its systems where medical professionals access sensitive patient data. Users are required to enter a password along with a second factor such as a one-time password (OTP) or biometric data (like a fingerprint or facial recognition) when logging into Cerner’s systems. [10]
10. Accessing legal databases
Legal professionals and law enforcement officers who access databases containing sensitive information must use MFA to ensure that only authorized individuals can view confidential or classified data.
For example, lawyers accessing a legal database (e.g., LexisNexis or Westlaw) use MFA to secure their login process. They enter their password (first factor) and then authenticate using a fingerprint scan or push notification.
Real-life example: Law firm uses MFA to enhance access security
Freeths LLP, a UK law firm, integrated S-Key’s biometric, fingerprint-activated access control cards into their existing access control system, effectively implementing multi-factor authentication (MFA). [11]
11. Securing crypto & blockchain wallets
By default, crypto wallets and trading platforms such as Ndax implement 2FA as a standard security measure.
Additionally, the know your customer (KYC) process, a legal requirement for centralized exchanges, adds MFA security measures linked to a user’s data for account access; in most cases, email and phone verification are required.
- Exchange platforms like Binance and Coinbase enforce MFA to secure account access and withdrawals.
- Users often use an authentication app, hardware token (YubiKey), or biometric authentication (e.g., fingerprint).
- Some wallets require multi-signature authentication, where transactions need approval from multiple devices/accounts before execution.
Real-life example: TrueCode Capital implements YubiKey-based MFA to secure blockchain wallets
TrueCode Capital implemented YubiKey-based MFA to prevent phishing attacks and unauthorized access. [12]
12. Ensuring compliance with IRS MFA mandates
The IRS mandates multi-factor authentication for tax professionals. The June 2023 change requires MFA to improve account security by requiring more than a username and password to authenticate identity when accessing any system, application, or device.
MFA should be used to secure client information on a tax professional’s computer or network and to access client information saved in tax preparation software. [13]
Multi-factor authentication (MFA) examples
In our research, we highlighted how companies like Apple, PayPal, and Google leverage various MFA examples.
Identification based on what the user knows: Users need to provide information that only they are supposed to know. Some common examples are:
- Passwords
- Security questions
- Knowledge-based authentication
Identification using something the user possesses: Users need to demonstrate an object that they physically own to authenticate their identity. Some typical examples of this form of authentication are:
- Smart cards
- Mobile devices
Identification based on who the user is: This multi-factor authentication verifies an individual’s identification through unique biological traits. Some typical uses of this form of authentication are:
- Fingerprint recognition
- Facial recognition
Identification through location and time: This authentication is used to verify that access to a system or network is only permitted from authorized places and at specified times. Some typical examples of this form of authentication are:
- Geolocation
- Time-of-day restrictions: (e.g., access may be restricted between 9 a.m. and 5 p.m.)
- Time-based one-time passwords (TOTPs): (e.g., the user must provide a one-time password created depending on the current time)
Who uses multi-factor authentication (MFA)?
Multifactor authentication is a cybersecurity practice that requires users to submit two or more kinds of verification before gaining access to an account.
- Most individuals use their fingerprints or face recognition to verify their identity before unlocking their device. Some of their smartphone applications can also use biometrics in conjunction with a PIN or password to provide MFA within an app.
- Most corporate organizations, particularly those that handle sensitive data or have a large digital infrastructure (e.g. online banks, financial applications, and healthcare organizations) employ multifactor authentication to verify account holders’ identities before providing access or authorizing high-risk operations.
Further reading
- Top 10 Multi-Factor Authentication (MFA) Solutions
- Top 10 Open Source RBAC Tools Based on GitHub Stars
External Links
- 1. https://www.silverfort.com/wp-content/uploads/2018/12/BlueSnap-Case-Study-MFA-for-Sensitive-Assets.pdf
- 2. Help And Training Community.
- 3. 82% of companies unknowingly give 3rd parties access to all their cloud data | Wiz Blog. Wiz.io
- 4. https://www.cisco.com/c/dam/en/us/products/collateral/security/duo/zero-trust-duo-cs.pdf
- 5. https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-plan-mfa
- 6. https://healthaccounts.bankofamerica.com/fraud-protection.shtml
- 7. https://www.mastercard.com/global/en/business/overview/safety-and-security/identity-check.html
- 8. https://cloud.google.com/identity-platform/docs/web/mfa/
- 9. About mandatory two-factor authentication - GitHub Docs.
- 10. https://www.oracle.com/a/ocom/docs/industries/healthcare/cerner-certified-health-it-transparency-and-disclosure.pdf
- 11. Freevolt Technologies Limited.
- 12. https://www.yubico.com/resources/reference-customers/cryptocurrency-truecode-capital-yubikey-case-study/
- 13. https://www.irs.gov/newsroom/multi-factor-authentication-key-protection-to-tax-professionals-security-arsenal-now-required