Multi-Factor Authentication: Guide for Indian Businesses

Multi-factor authentication (MFA) is the single most effective control against account takeover. When MFA is enabled, over 99% of automated credential attacks fail — yet most Indian SMBs still rely on passwords alone. This guide covers every MFA factor type, how attackers bypass each one, which methods are genuinely phishing-resistant, and a practical rollout playbook sized for Indian businesses operating in the UPI, banking, and compliance landscape.

80%Reduction in account compromise when MFA is enabled (Microsoft Security Intelligence 2023)

61%Breaches that involved credential-based attacks (Verizon DBIR 2024)

Why Passwords Alone Are Not Enough

Passwords fail for a structural reason: they are a single static secret that can be stolen, guessed, reused, or phished — and the attacker only needs to succeed once. Credential stuffing tools can test millions of username-password combinations per hour against exposed login endpoints. Indian businesses are not exempt: CERT-In recorded a sharp rise in credential-compromise incidents across the BFSI, healthcare, and IT-services sectors in its 2024 annual report.

The regulatory context is hardening too. RBI mandates two-factor authentication for all internet and mobile banking transactions. SEBI's cybersecurity circular for regulated entities requires multi-factor controls on privileged and remote access. The DPDP Act 2023 — enforced by MeitY — places the burden of "reasonable security safeguards" on data fiduciaries, and a credential breach resulting in data exposure will be evaluated against that standard. See the DPDP compliance page for the full framework.

🚨

DANGER

A stolen password is silent. The victim does not know their credential is compromised until the attacker has already acted — and by then, data may have been exfiltrated, funds transferred, or accounts locked.

MFA Factor Types Explained

Every MFA factor falls into one of three categories: something you know (password, PIN), something you have (phone, hardware key), or something you are (biometric). Strong MFA combines at least two distinct categories.

SMS OTP

The most widely deployed second factor in India — driven by UPI, net banking, and SaaS logins. The bank or service sends a one-time code to your registered mobile number. Easy to use, no app needed.

Weakness: The code is transmitted over the SS7 signalling network, which is decades old and has known interception vulnerabilities. More practically, SMS OTP is defeated by SIM swap fraud and real-time phishing (AiTM). It is better than nothing but should not be the terminal choice for high-value access.

TOTP Authenticator Apps

Time-based One-Time Passwords (TOTP — RFC 6238) are generated locally on your phone using Google Authenticator, Microsoft Authenticator, or Ente Auth. The shared secret never leaves the device during authentication; only the 6-digit code does.

Weakness: The code is still a short-lived credential that can be phished in real time. An attacker who controls a convincing proxy between the user and the real site can relay the code before it expires (30-second window). TOTP is a significant step up from SMS OTP but is not phishing-resistant.

Push Notifications

Push-based MFA (Duo, Microsoft Authenticator, Okta Verify) sends an "Approve / Deny" prompt to your phone. The user taps Approve. Convenient — no code to type.

Weakness: Push notifications are the target of MFA fatigue attacks (also called push bombing). An attacker who has the victim's password floods their phone with approval requests at odd hours until the user accidentally or deliberately approves one. This technique was used in several high-profile supply-chain breaches.

Hardware Keys / FIDO2 / Passkeys

Physical security keys (YubiKey, Google Titan) and FIDO2 passkeys stored in device TPMs implement the WebAuthn standard. Authentication is a public-key cryptographic challenge: the device signs a challenge from the specific site's domain. A phishing site on a lookalike domain receives a response that is cryptographically bound to that domain — so the key simply will not work.

Strength: FIDO2 is the only factor type that is genuinely phishing-resistant by design. NIST SP 800-63B classifies FIDO2 authenticators as Authenticator Assurance Level 3 when combined with a PIN or biometric. No relay attack, no real-time phishing, no SIM swap vector.

Biometrics

Fingerprint or face recognition used as the "are" factor. On modern devices this verification happens on-device (Secure Enclave / TEE); the biometric template is never transmitted. In practice biometrics serve as the local unlock for a FIDO2 credential — so the phishing-resistance comes from FIDO2, not the biometric itself.

xychart-beta
  title "Relative Strength of MFA Factor Types"
  x-axis ["SMS OTP", "Email OTP", "TOTP App", "Push Notify", "FIDO2 Key", "Passkey"]
  y-axis "Strength Score (0-10)" 0 --> 10
  bar [3, 2, 5, 4, 10, 9]

How Attackers Bypass MFA

Knowing the bypass techniques is the fastest way to prioritise your MFA investment. The four primary bypass classes are:

SIM Swap Fraud

The attacker social-engineers your telecom provider (Airtel, Jio, BSNL) into porting your mobile number to a SIM card they control. Once the port completes, all SMS OTPs — for your bank, UPI app, and corporate logins — arrive on the attacker's phone. Indian telecom regulations require identity verification for SIM replacement, but social engineering and insider compromise incidents do occur.

Mitigation: Move high-value accounts off SMS OTP. For anything that cannot move yet, register a secondary email as a backup contact and enable account-activity alerts.

MFA Fatigue / Push Bombing

The attacker repeatedly triggers push notifications to the victim's authenticator app. After receiving 20 to 30 approval requests at 2 AM, many users eventually tap Approve to make the notifications stop. Microsoft and Cisco Duo both documented this attack class in major breach post-mortems.

Mitigation: Enable number matching — the app shows a two-digit number that the user must match on their phone, preventing blind approvals. Okta, Duo, and Microsoft Authenticator all support this. Set a failed-push lockout threshold.

Adversary-in-the-Middle (AiTM) Phishing

An AiTM proxy sits between the user and the real site. The user thinks they are logging in to their bank or SaaS platform; instead they are hitting a transparent relay. The proxy forwards credentials and the live TOTP or SMS OTP to the real site in real time, then captures the authenticated session cookie. The attacker replays that cookie without needing to MFA again.

Tools like Evilginx and Modlishka implement AiTM at scale and are available publicly. AiTM defeats all factor types that rely on shared secrets (SMS OTP, TOTP, push) because the relay is transparent to the authentication flow.

Mitigation: FIDO2 / WebAuthn is the only control that defeats AiTM at the cryptographic level. Phishing-resistant MFA should be mandatory for admin, finance, HR, and any role with access to sensitive data or production systems.

OTP Interception via SS7

The SS7 (Signalling System 7) protocol that telecoms use to route SMS globally has well-documented vulnerabilities that allow an adversary with telecom network access to intercept SMS messages. State-sponsored actors and well-resourced criminal groups have demonstrated this capability. The GSMA has published guidance on SS7 hardening, but end-user exposure persists.

graph TD
    A[Attacker has victim password] --> B{Choose attack path}
    B --> C[SIM Swap path]
    B --> D[Push Bombing path]
    B --> E[AiTM Phishing path]

    C --> C1[Social-engineer telecom
port victim SIM]
    C1 --> C2[Receive all SMS OTPs]
    C2 --> C3[Login succeeds]
    C3 --> Z[Account Compromised]
    style C3 fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style Z fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0

    D --> D1[Flood push notifications
20-30 approval requests]
    D1 --> D2{User approves
fatigue tap}
    D2 -->|Yes| D3[Login succeeds]
    D2 -->|No - number matching| D4[Attack fails]
    D3 --> Z
    style D3 fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style D4 fill:#1e3d2f,stroke:#10B981,color:#e2e8f0

    E --> E1[Deploy AiTM proxy
Evilginx or similar]
    E1 --> E2[Victim logs in
through relay]
    E2 --> E3{MFA type?}
    E3 -->|SMS OTP or TOTP| E4[Relay intercepts code
session cookie captured]
    E3 -->|FIDO2 WebAuthn| E5[Crypto challenge bound
to real domain - FAILS]
    E4 --> Z
    style E4 fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style E5 fill:#1e3d2f,stroke:#10B981,color:#e2e8f0

Know your vulnerabilities before attackers do

Run a free VAPT scan — takes 5 minutes, no signup required.

Book Your Free Scan

MFA Factor Comparison

Factor	Phishing Resistant	SIM Swap Risk	Usability	Cost	Recommended For
SMS OTP	No	High	Very easy	Low	Consumer, low-risk
Email OTP	No	Low	Easy	Low	Low-risk apps only
TOTP App	No	None	Moderate	Free	General staff baseline
Push Notification	No (without number matching)	None	Easy	Licence fee	Staff — enable number match
Push + Number Match	Near-resistant	None	Moderate	Licence fee	Staff — strong baseline
FIDO2 Hardware Key	Yes	None	Easy once set up	Higher upfront cost	Admins, finance, privileged
Passkey (device TPM)	Yes	None	Very easy	Free on modern devices	All users — future standard

🛡️

SECURITY

NIST SP 800-63B explicitly deprecates SMS OTP for high-assurance authentication. CISA (US Cybersecurity and Infrastructure Security Agency) published an advisory in 2022 recommending that all critical-infrastructure organisations migrate to phishing-resistant MFA. The principle translates directly to Indian regulated entities under RBI and SEBI frameworks.

The India Context: UPI, Banking MFA, and Aadhaar

India's digital payment stack has its own MFA architecture worth understanding:

UPI transactions use a two-factor model: device binding (something you have — the registered phone with app installed and phone number linked) plus UPI PIN (something you know). This is genuine 2FA but relies on SMS for device binding, which has the SIM swap exposure noted above.
Net banking mandates OTP under RBI circular. Most banks use SMS OTP; a few offer TOTP options. Account-level risk scoring can trigger additional challenges.
Aadhaar e-KYC OTP is used for onboarding across insurance, lending, and telco. It uses SMS OTP delivered via UIDAI. Aadhaar-based authentication for high-value transactions carries the same SS7 and SIM-swap risks.

For businesses that handle financial transactions or customer personal data, layering your own application-level TOTP or FIDO2 on top of whatever the bank or UPI layer provides is prudent defence-in-depth.

⚠️

WARNING

If you use the same mobile number for both your UPI PIN and your corporate email recovery, a single successful SIM swap could give an attacker access to both your business bank account and your corporate accounts simultaneously. Keep mobile numbers for high-value financial accounts separate, or use a non-SMS second factor for corporate accounts.

Rollout Playbook for Indian SMBs

A phased rollout lets you achieve meaningful risk reduction quickly without disrupting operations:

Phase 1 — Immediate (Week 1–2): Stop the worst gaps

Audit every SaaS tool your team uses. Identify which have MFA available but disabled.
Enable MFA for email (Google Workspace or Microsoft 365 first — email is the master key to every other reset flow).
Enforce TOTP or push MFA for all staff. TOTP is free; Google or Microsoft Authenticator apps are free.
Create break-glass procedures for lost-device scenarios so staff do not disable MFA to recover access.

Phase 2 — 30 Days: Harden high-risk roles

Identify admin accounts, finance team, HR, and anyone with production database or cloud console access.
Require phishing-resistant MFA — either FIDO2 hardware keys or passkeys stored in device TPMs — for these roles.
Enable number matching on all push-notification policies.
Implement a failed-authentication lockout: 5 failed MFA attempts in 10 minutes triggers a temporary lockout and an admin alert.

Phase 3 — 90 Days: Policy and monitoring

Document MFA policy in your information security policy (required for ISO 27001 and most customer audits).
Configure SIEM or cloud-provider audit logs to alert on: MFA disabled for any account, new authenticator device enrolled, successful logins from unusual geographies.
Run a simulated phishing exercise targeting your TOTP-protected accounts. This is the empirical proof of whether your staff recognise AiTM-style lure pages.
A free VAPT scan will surface any authentication endpoints that accept single-factor access or have misconfigured session management — common findings that MFA policy alone does not fix.

Bachao.AI, built by Dhisattva AI Pvt Ltd, includes authentication control checks in its automated VAPT test suite — surfacing missing MFA gates, weak session expiry, and credential-exposure issues without manual intervention.

🎯Key Takeaway

SMS OTP is better than no MFA, but it is not a destination. For Indian SMBs, the realistic minimum bar is TOTP with number-matched push for staff, and FIDO2 hardware keys or passkeys for every privileged and admin account. Phishing-resistant MFA is the only control that defeats AiTM proxy attacks, which are the dominant method used to bypass legacy MFA deployments today.

External References

NIST SP 800-63B — Digital Identity Guidelines: https://pages.nist.gov/800-63-3/sp800-63b.html
CERT-In Cyber Security Guidelines for Organisations: https://www.cert-in.org.in
RBI Master Direction on Information Technology: https://www.rbi.org.in

For broader context on how authentication gaps appear in the VAPT findings landscape, see the Bachao.AI blog.

Frequently Asked Questions

Is SMS OTP enough for Indian business accounts?

SMS OTP is better than no second factor, but it is vulnerable to SIM swap fraud and real-time AiTM phishing. For any account controlling financial transactions, customer data, or production access, upgrade to TOTP authenticator apps at minimum, and to FIDO2 for privileged roles.

What is MFA fatigue and how does it work?

MFA fatigue is an attack where the adversary — who already has your password — sends repeated push notification approval requests to your phone. After enough prompts, users sometimes tap Approve by accident or to stop the alerts. Enabling number matching on push notifications breaks this attack by requiring active cognitive engagement.

Are passkeys the same as FIDO2?

Passkeys are a consumer-friendly implementation of FIDO2/WebAuthn stored in the device's secure enclave or a password manager. They carry the same phishing-resistance property: the cryptographic response is bound to the specific domain, so a phishing site on a lookalike domain cannot capture a usable credential.

Does RBI require MFA for all banking?

RBI mandates two-factor authentication for internet and mobile banking transactions under its circulars on information security. The most common implementation is password plus SMS OTP. Businesses running financial applications for customers must meet this baseline; internal admin systems should exceed it.

How should Indian SMBs handle employees who lose their authenticator device?

Define a break-glass recovery procedure before rollout. Options include: backup TOTP codes stored in a secure vault, a second hardware key enrolled as backup, or an admin-triggered account reset requiring video verification. Never allow self-service MFA removal without secondary verification — that pathway is an attacker's first target.

What does a VAPT scan find that MFA policy does not cover?

MFA policy governs your login page. A VAPT scan checks whether authenticated session tokens have appropriate expiry, whether API endpoints enforce the same MFA requirement as the UI, whether password-reset flows bypass MFA entirely, and whether tokens are exposed in logs or response headers. These are common gaps that policy documents alone cannot detect.