
EU Presidency Series: Securing Irish Government in a High-Stakes Year #5



Stolen credentials are involved in the majority of data breaches. Not sophisticated zero-day exploits. Not elaborate supply chain compromises. Usernames and passwords — obtained through phishing, credential stuffing, or purchasing them from other breaches — used to walk through the front door of organisations that trusted a single factor to protect everything behind it.

Multi-factor authentication (MFA) is the most direct response to this risk. When implemented well, it means that a stolen password alone is not enough to compromise an account — an attacker also needs the second factor, which they typically don’t have. Microsoft has estimated that MFA blocks over 99% of account compromise attacks. For a control that costs relatively little to deploy, that is a remarkable return.

And yet, across Irish public sector organisations, MFA adoption remains uneven. Some systems have it; others don’t. Some staff use it; others have been granted exceptions. During a period when credential harvesting campaigns targeting Irish government are a credible and active threat, those gaps are worth taking seriously.


How credential attacks work in practice

Understanding why MFA matters requires understanding what attackers actually do.

Phishing remains the most common method of credential theft. A convincing email — referencing a real event, appearing to come from a trusted colleague or service, creating a sense of urgency — leads to a fake login page that captures whatever the user types. During the EU Presidency, the supply of credible pretexts for phishing campaigns is essentially unlimited: EU policy updates, interoperability briefings, calendar invitations, Microsoft 365 alerts.

Password spraying involves trying a small number of commonly used passwords against a large number of accounts. It avoids the lockout thresholds that catch brute force attacks and is often used against organisations with large numbers of users.

Credential stuffing uses combinations of usernames and passwords leaked in previous breaches — of which there are billions in circulation — against new targets, exploiting the fact that many people reuse passwords across personal and professional accounts.

In all three scenarios, MFA is the control that stops a compromised credential from becoming a compromised account.
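As an added illustration (not code from the article or from Paradyn), the Python script below flags the password-spraying shape described above in a constructed set of sign-in events: one source failing against many distinct accounts with only a few attempts each, plus any sprayed account where the password was then accepted and only MFA would have stood in the way. The event format, IP addresses and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample sign-in events (illustrative only): (source_ip, username, result)
SAMPLE_EVENTS = [
    ("203.0.113.7", "alice", "FAIL"),
    ("203.0.113.7", "bob", "FAIL"),
    ("203.0.113.7", "carol", "FAIL"),
    ("203.0.113.7", "dave", "FAIL"),
    ("203.0.113.7", "erin", "FAIL"),
    ("203.0.113.7", "erin", "SUCCESS"),   # a sprayed password worked on a single-factor account
    ("198.51.100.9", "frank", "FAIL"),    # classic brute force: one account, many attempts
    ("198.51.100.9", "frank", "FAIL"),
    ("198.51.100.9", "frank", "FAIL"),
    ("198.51.100.9", "frank", "FAIL"),
    ("198.51.100.9", "frank", "FAIL"),
    ("192.0.2.5", "alice", "FAIL"),       # ordinary typo followed by a normal login
    ("192.0.2.5", "alice", "SUCCESS"),
]


def detect_password_spray(events, min_accounts=5, max_per_account=3):
    """Return {source_ip: {"targeted": [...], "succeeded": [...]}} for each source that
    failed against at least min_accounts distinct accounts while staying at or below
    max_per_account failures on every one of them (the low-and-slow shape that stays
    under per-account lockout thresholds). "succeeded" lists the sprayed accounts the
    same source later signed in to successfully; those need immediate attention."""
    failures = defaultdict(lambda: defaultdict(int))   # ip -> user -> failed attempts
    successes = defaultdict(set)                       # ip -> users with a successful login
    for ip, user, result in events:
        if result == "FAIL":
            failures[ip][user] += 1
        elif result == "SUCCESS":
            successes[ip].add(user)
    findings = {}
    for ip, per_user in failures.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            findings[ip] = {
                "targeted": sorted(per_user),
                "succeeded": sorted(u for u in per_user if u in successes[ip]),
            }
    return findings


if __name__ == "__main__":
    for ip, hit in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"{ip}: sprayed {len(hit['targeted'])} accounts; password accepted on {hit['succeeded']}")
```

The brute-force source against a single account and the user who mistyped once are deliberately left unflagged, since they have a different shape and are caught by lockout or ignored respectively.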


Not all MFA is equal

When organisations implement MFA, they often reach first for the most familiar option: one-time codes sent by SMS. This is significantly better than no MFA at all, but it is worth understanding its limitations.

SMS-based codes are vulnerable to SIM-swapping attacks, where an attacker convinces a mobile carrier to transfer a victim’s phone number to a device they control. They are also susceptible to real-time phishing, where an attacker proxies the user’s login in real time and captures both the password and the SMS code before it expires.

Stronger MFA options — particularly full-featured identity platforms (such as Cisco Duo) and hardware security keys (such as FIDO2-compliant devices) — are meaningfully more resistant to these attacks. For high-privilege accounts and senior staff who are attractive targets, these stronger options should be the standard.


The implementation challenges that matter

The technical deployment of MFA is generally straightforward. The harder challenges are organisational.

  • Coverage gaps. MFA on Microsoft 365 is a good start, but it is only as useful as the systems it covers. VPN access, remote desktop, finance systems, HR platforms, and any other application that holds sensitive data or provides privileged access all need to be in scope. A partial MFA implementation provides partial protection.
  • Service accounts and shared credentials. Many organisations have shared accounts — used by multiple people or by automated processes — that sit outside standard MFA policies. These are frequently high-value targets and need specific attention.
  • Legacy authentication protocols. Older applications often use authentication protocols — basic authentication in email clients, for example — that cannot support MFA at all. These represent a bypass route around even a well-implemented MFA policy, and they need to be identified and either upgraded or blocked.
  • User friction and exceptions. MFA adds a step to the login process. Without good change management and clear communication about why it matters, organisations frequently encounter resistance — and respond by creating exceptions that quietly undermine the whole programme. A culture where exceptions are easy to obtain is a culture where MFA protection is unreliable.
  • Phishing-resistant MFA for privileged users. Standard MFA can still be bypassed by sophisticated real-time phishing attacks. For administrators, executives, and others with elevated access, phishing-resistant MFA — specifically FIDO2 hardware keys or passkeys — should be the standard, not the aspiration.

Your action this fortnight

Audit your current MFA coverage across all systems that hold sensitive data or provide administrative access. Identify the gaps — the applications not covered, the accounts with active exceptions, the legacy protocols still in use. Prioritise closing the gaps on externally accessible systems and privileged accounts first.

If MFA is already broadly in place, the next step is reviewing the strength of the methods in use and moving your highest-risk users to phishing-resistant options.
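As an added worked example (not code from the article or from Paradyn), the Python script below turns the audit described above into a prioritised gap list from a constructed inventory: systems without MFA, legacy authentication still enabled, accounts with exceptions, and privileged users not yet on phishing-resistant methods, ordered so that externally reachable systems and privileged accounts come first. The inventory fields, system names and scoring weights are assumptions.

```python
# Constructed inventory (illustrative only). In a real audit these rows would be pulled
# from the identity provider, the VPN gateway and each application's own configuration.
SYSTEMS = [
    {"name": "Microsoft 365", "external": True, "mfa": True, "legacy_auth": True},
    {"name": "VPN gateway", "external": True, "mfa": False, "legacy_auth": False},
    {"name": "HR platform", "external": False, "mfa": False, "legacy_auth": False},
    {"name": "Finance system", "external": False, "mfa": True, "legacy_auth": False},
]
ACCOUNTS = [
    {"user": "svc-backup", "system": "Finance system", "privileged": True, "shared": True,
     "mfa_exception": True, "method": None},
    {"user": "j.murphy", "system": "Microsoft 365", "privileged": False, "shared": False,
     "mfa_exception": True, "method": None},
    {"user": "it-admin", "system": "Microsoft 365", "privileged": True, "shared": False,
     "mfa_exception": False, "method": "sms"},
    {"user": "a.byrne", "system": "VPN gateway", "privileged": False, "shared": False,
     "mfa_exception": False, "method": "app-push"},
]
PHISHING_RESISTANT = {"fido2", "passkey"}   # the methods the article says privileged users need


def priority(external, privileged):
    """Assumed weighting: externally reachable and privileged gaps are closed first."""
    return 2 * int(external) + 2 * int(privileged) + 1


def find_mfa_gaps(systems, accounts):
    """Return every coverage gap as {"finding", "target", "score"}, highest score first."""
    exposure = {s["name"]: s["external"] for s in systems}
    gaps = []
    for s in systems:
        if not s["mfa"]:
            gaps.append({"finding": "no MFA", "target": s["name"],
                         "score": priority(s["external"], False)})
        if s["legacy_auth"]:   # basic auth etc. bypasses MFA even where it is enforced
            gaps.append({"finding": "legacy auth enabled (MFA bypass)", "target": s["name"],
                         "score": priority(s["external"], False)})
    for a in accounts:
        ext = exposure.get(a["system"], False)
        label = f'{a["user"]}@{a["system"]}'
        if a["mfa_exception"]:
            what = "MFA exception on shared account" if a["shared"] else "MFA exception"
            gaps.append({"finding": what, "target": label, "score": priority(ext, a["privileged"])})
        elif a["privileged"] and a["method"] not in PHISHING_RESISTANT:
            gaps.append({"finding": f'privileged user on {a["method"]} MFA, not phishing-resistant',
                         "target": label, "score": priority(ext, True)})
    return sorted(gaps, key=lambda g: (-g["score"], g["target"]))


if __name__ == "__main__":
    for g in find_mfa_gaps(SYSTEMS, ACCOUNTS):
        print(f'[{g["score"]}] {g["target"]}: {g["finding"]}')
```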

A single afternoon of honest audit work on MFA coverage is one of the highest-value security activities your organisation can undertake right now.


Paradyn works with Irish public sector organisations to design and implement MFA programmes that are comprehensive, practical, and sustainable. To set up a conversation about your identity security posture, reach out to the Paradyn team today.