Best Practices for Multi-Factor Authentication

Multi-Factor Authentication, sometimes called Two-Factor Authentication, is a method of proving your identity using something you know (typically a password) and something you have (a phone, a key, etc.) or something you are (e.g. fingerprint). It is the strongest protection against phishing, identity theft, and other account-takeover attacks. In this post, we’ll walk through some best practices to help you implement multi-factor authentication for the first time or just want to know how best to enforce it. 

For more information on multi-factor authentication in Agilicus AnyX, refer to our product guider or whitepaper.

What is Multi-Factor Authentication?

Simply put, multi-factor authentication needs at least two distinct categories of verification. That’s why a password and a PIN are still considered a single factor, for example. In the past, companies could only do multi-factor authentication with expensive hardware tokens. They also were always a completely different experience and never worked the same way. 

Agilicus uses a web interface that’s graphical and has consistent messaging so your users always get the same experience. Other providers use one of those devices with a VPN and then mount the share. But then the VPN stays up all the time. Does that mean the multi-factor authentication only worked once? If so, that’s a problem if you need it to be presented every day. Telling your users to just log out of the VPN doesn’t work, so you’re left trying to figure that out on your own.


The reason that multi-factor authentication is so strong is the risk that someone can guess your password is uncorrelated from the risk that I steal your phone. We’ve included best practices below, but it’s ultimately up to you to figure out how you want multi-factor authentication to apply and when it applies.

Best Practices for Multi-Factor Authentication

Avoid SMS 

One of the most common methods of multi-factor authentication is SMS text messages. The problem with that is SMS is not a secure medium. Hackers have several tools in their arsenal that can intercept, phish, and spoof SMS. This is why we highly recommend avoiding using SMS for multi-factor authentication when other methods are available as it is not nearly as secure.

Using TOTP or WebAuthn

When should you use Time-Based One-Time-Password (TOTP) versus WebAuthn

Let’s start by understanding the differences between the two: 

  • WebAuthn is a huge family of standards. On your mobile phone, it’s the fingerprint or face ID or the special chip installed on Windows Desktop called a TPM (which is pretty common now because the Windows 11 requires it). There is a way to have that hooked up in your browser, but it’s not on by default. But you can also do push notifications through it. It’s a very strong approach. Webauthn is often interpreted as biometric, which isn’t completely accurate, but it does allow you to use biometrics. What’s great about this is not only that the biometric is completely unique to you, but the biometrics are only stored locally. This means when your users use Agilicus AnyX to unlock with the fingerprint on their phone, we don’t get that fingerprint. We’ve never seen it. We can’t even tell that’s happened. It’s completely secure. 
  • Time-Based One-Time Password (TOTP) produces distinct numerical passwords using a standardized algorithm that incorporates the present time as an input. These time-dependent passwords can be used offline and offer enhanced account security as a user-friendly second factor. In most cases, we recommend WebAuthn over TOTP. 

Now for frequency. Should users be prompted with a second factor every time they log in? Or once a week? Enforcing multi-factor every time a user logs in might cause multi-factor fatigue and can actually lead to attacks. Instead, presenting once a week plus on every new device has been a compromise that has worked well for our customers.

da5eb6a8 image

Enforce Multi-Factor Authentication for Other Devices

What about if you need to enforce multi-factor authentication for things that aren’t web-based like a share, remote desktop, or a desktop application? Agilicus AnyX uses the browser as the facilitator to make it easy to enforce for all your devices, not just users’ own devices. Overall, it makes it a seamless process for you.


These best practices will help you set up Multi-Factor Authentication effectively and exactly the way you want in Agilicus AnyX.

If you have any feedback, questions, or are experiencing any issues, message our team via the chat button in your administrative portal or email us at