

to access his accounts, flooding his phone with MFA notifications in a tactic known as “MFA bombing”. Joe described how attackers bombard a victim with pop-ups attempting to reset a password or log in from an unusual device. Eventually, the victim presses accept, either by mistake or just to make the pop-ups go away. The Scattered Spider initial access broker group is believed to have used the same tactic to get into Marks & Spencer last year. A single accidental approval can expose payment systems, customer data, and operational infrastructure.

The human element is what makes this so difficult to defend against with basic controls. You can have the right policies on paper and still end up breached because someone had a busy afternoon and just wanted the notifications to stop. Resellers who understand this and can explain it clearly to customers are having a more useful conversation than those still selling MFA as a compliance checkbox. 66% of consumers say they trust a company more if it enforces MFA. That’s a business case as much as a security one, and it’s worth putting in front of decision-makers who aren’t naturally security-minded.


Beyond the basics

There’s no denying that having MFA enabled is a serious deterrent to password-related attacks. Enhanced MFA takes it a step further by analysing the context of each login attempt, not just whether the right code was entered. It looks at location, device, operating system, browser, and behavioural patterns. If an account authenticates from London and then again from Vancouver two minutes later, that is flagged automatically. Legitimate users typically sail through without any extra friction. Suspicious ones get blocked or escalated for review. This is where resellers can add real value beyond the initial sale.

Configuring these rules properly, connecting them to existing infrastructure, and tuning them over time is not something most IT teams want to manage themselves. It’s also not something a customer can get from just buying a licence. Resellers can provide the additional peace of mind that the technology has been properly optimised.
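The two signals described above, a burst of push prompts nobody asked for (the MFA bombing pattern) and a London-then-Vancouver login two minutes apart (the context check of enhanced MFA), are both simple to express as detection rules. The following Python is an added example written for this article, not code from any identity provider or vendor; the sign-in events, user names and thresholds are constructed for illustration, and the field names are assumptions about what a provider's log would carry.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events in the shape an identity provider's sign-in log
# would have: UTC timestamp, user, event kind, and for successful logins the
# geolocation resolved from the source IP. Not real logs.
SAMPLE_EVENTS = [
    # "joe": six push prompts inside three minutes that he did not request
    {"ts": "2026-05-04T08:00:00", "user": "joe", "kind": "mfa_push_sent"},
    {"ts": "2026-05-04T08:00:20", "user": "joe", "kind": "mfa_push_sent"},
    {"ts": "2026-05-04T08:00:45", "user": "joe", "kind": "mfa_push_sent"},
    {"ts": "2026-05-04T08:01:10", "user": "joe", "kind": "mfa_push_sent"},
    {"ts": "2026-05-04T08:01:40", "user": "joe", "kind": "mfa_push_sent"},
    {"ts": "2026-05-04T08:02:15", "user": "joe", "kind": "mfa_push_sent"},
    # "amy": one normal prompt, then London followed by Vancouver two minutes later
    {"ts": "2026-05-04T09:00:00", "user": "amy", "kind": "mfa_push_sent"},
    {"ts": "2026-05-04T09:00:30", "user": "amy", "kind": "login_success",
     "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"ts": "2026-05-04T09:02:30", "user": "amy", "kind": "login_success",
     "city": "Vancouver", "lat": 49.2827, "lon": -123.1207},
    # "bob": London then Manchester two hours apart, easily done by train
    {"ts": "2026-05-04T10:00:00", "user": "bob", "kind": "login_success",
     "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"ts": "2026-05-04T12:00:00", "user": "bob", "kind": "login_success",
     "city": "Manchester", "lat": 53.4808, "lon": -2.2426},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_push_flood(events, window_seconds=300, threshold=5):
    """Return {user: peak_count} for users who received at least `threshold`
    push prompts inside any sliding window of `window_seconds`."""
    per_user = defaultdict(list)
    for e in events:
        if e["kind"] == "mfa_push_sent":
            per_user[e["user"]].append(_ts(e))
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            # advance the window start until the window fits in window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def detect_impossible_travel(events, max_speed_kmh=1000.0):
    """Return one finding per pair of consecutive successful logins by the same
    user whose implied travel speed exceeds `max_speed_kmh` (about airliner speed)."""
    per_user = defaultdict(list)
    for e in events:
        if e["kind"] == "login_success":
            per_user[e["user"]].append(e)
    findings = []
    for user, logins in per_user.items():
        logins.sort(key=_ts)
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (_ts(cur) - _ts(prev)).total_seconds() / 3600
            # Same-second logins from two different places: treat the speed as infinite
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_speed_kmh:
                findings.append({"user": user, "from": prev["city"], "to": cur["city"],
                                 "minutes_apart": round(hours * 60, 1),
                                 "speed_kmh": round(speed, 1)})
    return findings


if __name__ == "__main__":
    print("push flood:", detect_push_flood(SAMPLE_EVENTS))
    print("impossible travel:", detect_impossible_travel(SAMPLE_EVENTS))
```

Run as written, the flood rule reports joe (six prompts in one window) and the travel rule reports amy's London-to-Vancouver pair, while bob's London-to-Manchester logins pass. The thresholds are the part that needs the tuning the paragraph talks about: too low a push threshold pages on users who simply retry, and a travel speed threshold has to allow for VPN egress points and mobile carrier geolocation that is wrong by hundreds of kilometres.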


The case for phishing-resistant MFA

Enhanced MFA goes some way to mitigating MFA workarounds, but there’s an attack that’s more sophisticated than just tricking users. In an AiTM (Adversary-in-the-Middle) attack, the attacker sets up a proxy server that sits between the victim and the legitimate website they’re trying to log into. When the victim enters their credentials and completes their MFA challenge on what looks like the real site, the attacker’s proxy passes everything through in real time, capturing the session cookie that is generated once authentication succeeds. That cookie is what the legitimate service uses to keep the user logged in, and with it, the attacker can access the account directly. Unlike with MFA bombing, in this case the user does everything right; they just do it on the wrong site. Phishing-as-a-service kits have made this kind of attack accessible to attackers who wouldn’t previously have had the technical capability to pull it off. SMS codes and standard push notifications alone don’t solve this. The code the user receives is valid, but the attacker’s proxy simply passes it through before it expires, and the session cookie is still captured. This is where phishing-resistant MFA comes in. Phishing-resistant MFA uses cryptography rather than user approval to authenticate.


www.pcr-online.biz


There’s no prompt to accept or deny, so there’s nothing to bomb and nothing to intercept. Authentication happens automatically between the user’s device and the legitimate service. For customers operating in regulated sectors or those that have already been through an incident, this is a particularly compelling conversation to have.

Further phishing resistance can be achieved by adopting FIDO2-based security measures or biometric verification. FIDO2 is developed and published by the FIDO Alliance as the gold standard. FIDO2 combines WebAuthn (the browser/server standard) and CTAP2 (the protocol by which security keys or devices talk to the browser). Together, they enable passwordless or strong MFA using cryptographic keys. FIDO2 fundamentally removes the conditions phishing relies on. Instead of trying to detect or block phishing, FIDO2 reduces the efficacy of phishing by removing the onus from the user, leading to a better experience and stronger security. Several national and international cybersecurity bodies, including CISA, put out a joint advisory advocating that phishing-resistant MFA be adopted on a broad basis as the response to Scattered Spider-style attacks. For resellers working with clients in financial services, healthcare, or critical infrastructure, that kind of government-backed guidance is a highly persuasive selling point.
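The reason a WebAuthn credential cannot be relayed the way an SMS code or push approval can is that the browser writes the origin it is actually showing into the signed data, and the relying party refuses anything signed for a different origin or an already-used challenge. The following Python is an added example illustrating those server-side checks; it is not code from the FIDO Alliance, a browser, or any product. The relying party name, the credential key and the four scenarios are constructed, and an HMAC stands in for the authenticator's private-key signature so the example runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical relying party (RP). The RP ID and the single browser origin the
# RP will accept in a signed assertion are constructed for this example.
RP_ID = "bank.example"
EXPECTED_ORIGIN = "https://bank.example"


def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()


def new_challenge():
    # One fresh random challenge per login attempt, remembered by the RP and
    # accepted at most once.
    return secrets.token_urlsafe(32)


def authenticator_assert(credential_key, challenge, browser_origin, rp_id=RP_ID):
    """Simulated authenticator side of a WebAuthn 'get' ceremony.

    The browser, not the web page and not the user, writes the origin it is
    actually displaying into clientDataJSON. HMAC keyed with the credential
    secret stands in for the private-key signature a real authenticator makes
    (a simplification so this runs on the standard library alone).
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        separators=(",", ":"),
    ).encode()
    # authenticatorData = rpIdHash || flags (user-present bit set) || signCount
    auth_data = rp_id_hash(rp_id) + b"\x01" + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(credential_key, signed, hashlib.sha256).digest()
    return client_data, auth_data, signature


def rp_verify(credential_key, issued_challenge, client_data, auth_data, signature):
    """RP-side checks in the order the WebAuthn spec lists them. Returns (ok, reason)."""
    c = json.loads(client_data)
    if c.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(c.get("challenge", ""), issued_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if c.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(c.get("origin"))
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(credential_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "signature does not cover the presented clientDataJSON"
    return True, "ok"


def run_scenarios():
    """Four logins against the same RP; returns {scenario: (ok, reason)}."""
    key = secrets.token_bytes(32)  # credential secret registered with the RP
    results = {}

    # 1. User is genuinely on https://bank.example: everything lines up.
    ch = new_challenge()
    results["legitimate"] = rp_verify(key, ch, *authenticator_assert(key, ch, EXPECTED_ORIGIN))

    # 2. User's browser is on a look-alike site that relays traffic to the RP.
    #    The relay can forward the challenge, but the browser records its own origin.
    ch = new_challenge()
    relayed = authenticator_assert(key, ch, "https://bank-login.example")
    results["relayed_origin"] = rp_verify(key, ch, *relayed)

    # 3. Same relay, but clientDataJSON is altered in transit to claim the real
    #    origin. The signature covers the hash of clientDataJSON, so it fails.
    client_data, auth_data, sig = relayed
    edited = client_data.replace(b"https://bank-login.example", EXPECTED_ORIGIN.encode())
    results["edited_origin"] = rp_verify(key, ch, edited, auth_data, sig)

    # 4. A previously captured legitimate assertion is presented against a new challenge.
    old_ch = new_challenge()
    captured = authenticator_assert(key, old_ch, EXPECTED_ORIGIN)
    results["replayed"] = rp_verify(key, new_challenge(), *captured)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:15} {'accepted' if ok else 'rejected'}: {reason}")
```

Only the first scenario is accepted. In a real browser the relayed case would fail even earlier, because a credential registered for the RP ID bank.example is never offered to a page on a different domain; the origin check on the server is the defence in depth behind that. This is what "nothing to intercept" means in practice: the session cookie the article describes is only issued after a verification that a relay cannot pass.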


Where the channel opportunity sits

Selling MFA as a product is one thing. The more valuable work is in the deployment, integration, user training, and ongoing support. Customers who’ve had a bad experience with MFA, usually because it was rolled out with too much friction and not enough explanation, often need help rebuilding confidence in the technology before they’ll extend it further across their organisation. MSPs and resellers that can handle that conversation, and help customers move from basic push notifications to context-aware or phishing-resistant authentication, are offering something genuinely worth paying for. The regulated sectors in particular will pay more for partners who understand the compliance angle and can speak to specific frameworks rather than just selling on features. When it comes to MFA, the stickiest revenue isn’t in the licence sale, it’s in configuration, tuning, training, and support. These are the top three conversation openers that can naturally lead to a discussion about ongoing work rather than a one-off purchase.

The market gap: Only 40% of UK businesses have rolled out two-factor authentication, despite leaked credentials being involved in 22% of all confirmed breaches. For any customer who thinks MFA is yesterday’s problem, that number reframes the conversation quickly. There’s still a large pool of prospects who haven’t done the basics.

The human element: MFA bombing and AiTM attacks work not because the technology fails, but because people do. A customer who has already deployed basic MFA is probably still exposed to both. That’s a genuine conversation about whether what they have is actually fit for purpose, not a sales pitch dressed up as one.

Compliance and legislation: Layering in the compliance argument, PCI DSS, Cyber Essentials, and the CISA joint advisory on Scattered Spider, gives regulated-sector customers a reason to act that goes beyond best practice guidance. MFA isn’t a solved problem, but it’s one the channel can fix.


May/June 2026 | 41

