Exclusive: SecurEnvoy's Michael Downs on MFA gaps and rising attack risks
Despite years of warnings about credential-based attacks, multi-factor authentication (MFA) is still far from universal.
According to the 2025 Cyber Security Breaches survey, only around 40 per cent of organisations deploy MFA as standard practice, even as weak or stolen passwords continue to feature heavily in today's security breaches.
For Michael Downs, Vice President of Global Sales at British cybersecurity vendor SecurEnvoy, this gap reflects a failure to understand how modern MFA has evolved, just as threats have become more complex.
The Verizon Data Breach Investigations Report (DBIR) 2025 also points to a disconnect between known threats and defensive behaviour, with compromised credentials being the initial access vector in 22 per cent of breaches. An earlier report found that around 80 per cent of breaches stemmed from password-related vulnerabilities.
"Two-thirds of consumers would trust a brand that they're buying from if it had MFA. So I think that tide has turned. I think that people now realise that if you deploy MFA from day one, then you build your security posture around that," says Downs. "If you're cutting out 80 per cent of breaches because of these weak passwords, then you know that's a big chunk you've done already."
Major attacks have accelerated the shift. Downs points to the 2021 Colonial Pipeline incident in the United States, where an outdated VPN connection with a weak password enabled a breach that disrupted fuel supply across the eastern seaboard.
The fallout triggered a presidential order requiring MFA across U.S. government agencies.
Similar guidance from the National Institute of Standards and Technology, and joint advisories from security agencies across the Five Eyes countries, urging organisations to deploy phishing-resistant MFA, have reinforced the message.
As attacker tactics evolve, the distinction between traditional MFA and more advanced phishing-resistant methods has become important.
Downs says that standard MFA typically relies on a second factor, such as a one-time code or push notification.
While MFA remains a strong layer of security, threat actors attempt to manipulate the human in the loop instead. Several high-profile incidents in the UK, including attacks on Marks & Spencer, Harrods, Co-op and Jaguar Land Rover, have been linked to MFA bombing.
The method targets human behaviour rather than technology. Downs says attackers often already possess stolen credentials and then repeatedly trigger authentication prompts in the hope that a user will accept one out of irritation or confusion.
The MFA prompts are simply a mechanism for social engineering. "It's a human fatigue thing... If you keep requesting an MFA reset or approval, eventually someone might press yes just to get rid of [the notifications]."
Phishing-resistant MFA can counter this by aligning with the FIDO2 standards for passwordless authentication.
SecurEnvoy's suite of products offers both types of MFA. It also adds further defence mechanisms, such as challenge-and-response verification for service desks, anomaly detection for unusual login patterns, and location-based checks (for example, logging in from Toronto and then London 15 minutes later, as Downs pointed out).
While many vendors are pushing cloud-only identity services, SecurEnvoy is seeing strong demand for on-premises and fully air-gapped installations, particularly in finance, retail, defence, pharmaceuticals and manufacturing. The driver is straightforward: data sovereignty and strict regulatory environments.
Downs says both organisations and entire countries often insist that specific systems remain on their own networks. Some organisations deploy MFA on their own infrastructure, and even go further with a fully air-gapped option that provides no internet access at all.
He argues that organisations should treat MFA as a foundational element rather than a bolt-on. Deploying it early simplifies compliance, improves customer trust, and prevents the majority of low-hanging credential attacks from escalating.
"Being able to deploy in multiple environments is really a key thing. Having that flexibility is important," says Downs. "Making sure that a solution is easy to deploy and also very usable by the user, that's the most important thing."