---
id: "claim-mfa-blocks-common-attacks"
type: "claim"
source_timestamps: ["¶9"]
tags: ["cyber-hygiene", "mfa"]
related: ["action-implement-mfa-passkeys"]
confidence: "high"
testable: true
speakers: ["Daniel Dobrygowski"]
sources: ["governance"]
sourceVaultSlug: "hbr-seg-governance"
originDay: 7
articleStem: "hbr-sig-57-smb-cyber-risk"
sourceUrl: "https://hbr.org/2026/06/ai-is-changing-cyber-risk-heres-how-smbs-can-respond"
sourceTitle: "AI Is Changing Cyber Risk. Here’s How SMBs Can Respond."
---
# Multifactor authentication alone blocks the most common cyberattacks

**Claim:** [[entity-daniel-dobrygowski|Daniel Dobrygowski]] claims that implementing basic multifactor authentication (MFA) is sufficient to block the vast majority of common cyberattacks organizations face. It is the rationale for the quick-win action [[action-implement-mfa-passkeys]] — step 1 of [[framework-dobrygowski-smb-cyber-defense]].

**Source confidence:** high. **Testable:** yes.

> [!warning] Enrichment validation — TRUE BUT OVERSTATED ("foundational, not a silver bullet")
> Identity weaknesses are central to modern attacks (Palo Alto reports identity weaknesses in ~90% of investigations and recommends "require MFA and passkeys"); CISA/NIST/vendors consistently rank MFA among the highest-ROI controls. So MFA blocking *many* common credential-based attacks is accurate. But the stronger "MFA *alone* blocks the *vast majority*" is overstated: attackers increasingly bypass MFA (MFA-fatigue, SIM-swap, session-token/cookie theft) or attack non-MFA-protected components (vulnerable web apps, misconfigured cloud). Ransomware, supply-chain compromise, and unpatched-vulnerability exploitation can proceed even with MFA in place. MFA must be part of layered defense: patching, configuration hardening, monitoring, and incident response.
