top of page
Search

How to Enable MFA for SaaS Applications in 2025: A Practical Guide for IT and Security Leaders


Let’s be honest—if you’re still relying on passwords alone to secure your SaaS environment, you’re already behind. In today’s SaaS-driven world, a compromised username and password can give attackers full access to your most sensitive data. That’s why Multi-Factor Authentication (MFA) has become the baseline—not the gold standard—for access security.


But rolling out MFA across dozens (or hundreds) of SaaS apps can feel messy. Some tools support it natively, some rely on identity providers, and some don’t support it at all. And let’s not forget the user pushback: “Another login step?” they groan.

This guide will help you cut through the noise and deploy MFA in a way that’s secure, scalable, and user-friendly.


1. Understand Your MFA Options

Not all MFA is built the same. Before you roll anything out, you need to understand the methods available—and how they align with your organization’s risk tolerance and user base.

Here’s a quick breakdown:

  • Authenticator apps (e.g., Google Authenticator, Microsoft Authenticator, Authy): Generate time-sensitive codes offline. Reliable and broadly supported.

  • Push notifications: Send a prompt to the user’s device for quick approval. Simple, seamless, but requires mobile infrastructure.

  • Hardware security keys (e.g., YubiKey): The strongest defense against phishing. Recommended for admins and high-value users.

  • Biometrics: Built-in fingerprint or facial recognition. Great for speed but limited by device support.

  • SMS codes: Still common but easily bypassed (e.g., SIM swapping). Use only if better options aren’t available.


Best practice: Start with what’s feasible today, but plan for a migration to phishing-resistant methods like passkeys or hardware tokens.


2. Audit MFA Support Across Your SaaS Stack

Before you can enforce MFA, you need to know which SaaS apps even support it—and how. Some offer native MFA options. Others require integration with your Identity Provider (IdP) such as Okta, Microsoft Entra ID, or Google Workspace.

But here’s the real challenge: many SaaS tools fly under IT’s radar entirely. Employees connect apps via OAuth, using personal emails or bypassing your IdP altogether.


This is where Waldo Security becomes essential. Waldo automatically discovers every connected SaaS application—including shadow apps and unmanaged OAuth grants—and flags which tools support MFA, SSO, or have no security controls at all. You can even use Waldo’s free OAuth Discovery Tool to analyze your current exposure.


3. Enforce MFA—Don’t Just Enable It

Enabling MFA in settings is one thing. Enforcing it is where the real protection kicks in.

Here’s what that looks like:

  • Set conditional access policies via your IdP to require MFA for all logins—or at least for high-risk roles and sensitive data.

  • Lock down OAuth grants using admin consent workflows or Google Workspace’s App Access Control.

  • Deprovision legacy logins that allow password-only access, especially for users with admin rights.


Tip: Waldo Security helps identify users and services that are bypassing MFA requirements—so you can close the gaps fast.


4. Make MFA User-Friendly

The biggest hurdle to MFA adoption isn’t technical—it’s human.

To keep adoption high:

  • Offer multiple options: Let users choose between push notifications, authenticators, or passkeys.

  • Educate, don’t dictate: Communicate real-world risks (like phishing) and explain how MFA protects both work and personal accounts.

  • Create visual setup guides: Walk users through MFA registration using step-by-step instructions or quick videos.

  • Provide clear recovery paths: Locked-out users shouldn’t have to wait days for a reset.


Looking for inspiration? Check out Google’s Security Checkup experience—it’s clean, visual, and user-centric.


5. Monitor MFA Coverage and Iterate

Deploying MFA isn’t a one-and-done project. You’ll need ongoing visibility into adoption rates, skipped logins, and app coverage.

Steps to improve over time:

  • Track MFA enrollment and usage by role, team, and location

  • Upgrade weak MFA methods (e.g., SMS → authenticator or hardware key)

  • Audit OAuth and unmanaged app access regularly with tools like Waldo

  • Run periodic phishing simulations to test real-world resilience


And when your team’s ready, consider exploring passwordless authentication as your next step toward modern identity security.


Final Thoughts: MFA Is Your First—and Easiest—Win

In a world where credential phishing is relentless and SaaS sprawl is real, MFA is the fastest way to reduce your risk surface. It’s not perfect—but it drastically lowers your odds of account compromise.


The key is to approach MFA deployment not just as a policy, but as a user experience challenge. Find the right mix of security and usability, monitor continuously, and evolve your approach as threats change.


And if you're unsure where your blind spots are, Waldo Security can help you identify which apps and accounts are silently bypassing your MFA strategy.


Comments

bottom of page