Go Without MFA or Data Backups: Which is Worse?
CISOs often face high-stakes decisions. Imagine this hypothetical scenario: due to a critical system failure, a financial institution is forced to make a trade-off between two less-than-ideal options: go without multi-factor authentication (MFA) and all second-factor verifications for a month, or go a month without data backups. The security and continuity risks are substantial on both sides, and a choice must be made. What would you do?
That’s precisely the scenario posed on a recent CISO Series Podcast episode; listen to how host David Spark, veteran CISO and Partner at YL Ventures Andy Ellis, and Jadee Hanson, CISO at Vanta, answered:
Now let’s break down your options and the consequences of each.
The Consequences of Disabling MFA
MFA has evolved from an optional feature to a foundational security standard. Numerous studies have proven the effectiveness of MFA in deterring cyber attacks and preventing unauthorized access to critical systems and customer data.
Without MFA or other two-factor verifications, organizations must revert to single-factor authentication, relying on passwords alone. Unfortunately, passwords—no matter how strong—are notoriously vulnerable. Verizon’s 2023 Data Breach Investigations Report and LastPass both cite that over 80% of breaches involve stolen or weak passwords. Additionally, “123456” and “password” continue to rank among the most commonly used passwords, making accounts easy targets for brute force attacks and credential stuffing.
But even strong, unique passwords are susceptible to phishing, and attacks have a significantly higher success rate when targeting single-factor logins. Without MFA, the organization’s security shields are down, putting sensitive data at higher risk. “The minute you pull MFA controls, you should expect to be attacked within seconds,” commented Jadee Hanson.
Of course, turning off MFA has other ramifications as well; let’s explore the compliance considerations.
MFA as a Compliance Mandate
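The credential stuffing and brute-force activity described above is what a defender would expect to see first once second factors are gone, so login-failure telemetry becomes the main compensating signal. The following is an added example, not code from the article, the podcast, or Grip; the log format, the sample lines and the thresholds are all assumptions constructed for illustration. It flags one source failing across many accounts, one account failed from many sources, and a success that follows a flagged source (the pattern most worth an immediate response when no second factor stands in the way).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real telemetry). Assumed line format:
# <ISO-8601 timestamp> <RESULT> <username> <source IP>
SAMPLE_LOG = """\
2024-11-01T09:00:01Z FAIL alice 203.0.113.10
2024-11-01T09:00:02Z FAIL bob 203.0.113.10
2024-11-01T09:00:03Z FAIL carol 203.0.113.10
2024-11-01T09:00:04Z FAIL dave 203.0.113.10
2024-11-01T09:00:05Z FAIL erin 203.0.113.10
2024-11-01T09:00:06Z SUCCESS erin 203.0.113.10
2024-11-01T09:05:00Z FAIL frank 198.51.100.7
2024-11-01T09:06:00Z FAIL frank 198.51.100.8
2024-11-01T09:07:00Z FAIL frank 198.51.100.9
2024-11-01T09:08:00Z FAIL frank 198.51.100.10
2024-11-01T09:30:00Z FAIL alice 192.0.2.44
2024-11-01T09:30:20Z SUCCESS alice 192.0.2.44
"""


def parse_log(text):
    """Parse the assumed log format into chronologically ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ok": result == "SUCCESS",
            "user": user,
            "ip": ip,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(minutes=10), min_users=5, min_ips=3):
    """Return findings for password-only attack patterns.

    Thresholds are hypothetical starting points, not recommended values:
    - multi_account_failures: one source IP fails against >= min_users distinct
      accounts inside `window` (typical of stuffing or spraying runs)
    - multi_source_failures: one account fails from >= min_ips distinct sources
      inside `window` (distributed guessing against a single user)
    - success_after_attack: a successful login from a source already flagged,
      i.e. a probable account compromise that warrants immediate response
    """
    failures_by_ip = defaultdict(list)
    failures_by_user = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures_by_ip[e["ip"]].append(e)
            failures_by_user[e["user"]].append(e)

    findings = []
    for ip, fails in failures_by_ip.items():
        users = {f["user"] for f in fails}
        span = fails[-1]["ts"] - fails[0]["ts"]
        if len(users) >= min_users and span <= window:
            findings.append({"kind": "multi_account_failures", "key": ip, "count": len(users)})

    for user, fails in failures_by_user.items():
        ips = {f["ip"] for f in fails}
        span = fails[-1]["ts"] - fails[0]["ts"]
        if len(ips) >= min_ips and span <= window:
            findings.append({"kind": "multi_source_failures", "key": user, "count": len(ips)})

    # A success from a source that was just failing across many accounts is the
    # signal to act on: with no second factor, the password was all that stood in the way.
    flagged_ips = {f["key"] for f in findings if f["kind"] == "multi_account_failures"}
    for e in events:
        if e["ok"] and e["ip"] in flagged_ips:
            findings.append({"kind": "success_after_attack", "key": e["user"], "count": 1})
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"{f['kind']:24s} {f['key']:16s} {f['count']}")
```

The single failed then successful login by alice from 192.0.2.44 is left alone, since one retry is normal user behaviour; the point of the thresholds is to separate that from a source walking through a list of accounts.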
As regulatory scrutiny around data security intensifies, MFA has become a critical requirement for organizations striving to meet compliance standards.
The Sarbanes-Oxley Act (SOX), for instance, mandates stringent controls over financial records, requiring MFA when accessing sensitive data. Similarly, the Gramm-Leach-Bliley Act (GLBA) emphasizes the need to safeguard customers' personal financial information, requiring institutions to evaluate the effectiveness of enhanced security measures like MFA. With upcoming changes in PCI DSS 4.0, which will mandate more robust authentication controls by 2025, and New York's NYDFS Cybersecurity Regulation, which already requires MFA for accessing sensitive data, the stakes are high and turning off MFA could create compliance issues, especially for our hypothetical financial institution.
The bottom line: is turning off MFA even temporarily a good option?
Let’s explore the alternative posed in our scenario: going without a data backup.
The Importance of Data Backups and the Risks of Going Without
Data backups are among the best defenses against ransomware attacks, providing a clean, isolated recovery option that lets organizations restore their systems without succumbing to ransom demands. Without reliable backups, however, companies face a stark choice: pay the ransom or risk losing critical data. Operating without backups for even a month leaves an institution’s resilience and data integrity at significant risk, as adversaries who can compromise networks effectively block the primary means of recovery, amplifying the pressure to pay. In fact, according to the 2023 Ransomware Annual Report, 58% of ransomware victims lacked a data backup, underscoring the vulnerability that inadequate backup protections create.
For this reason, standards like SOC 2 and ISO 27001 require businesses to ensure data is always accessible and can be quickly restored should something go wrong. Operating without a backup means that any breach, data corruption, or hardware failure could result in irrecoverable data loss, affecting everything from transaction history to customer accounts, and leading to severe compliance violations, regulatory penalties, and operational disruptions.
Weighing the Risks: MFA vs. Data Backup
Faced with the options, which risks are more immediate, manageable, and containable?
MFA is a first line of defense, and removing it exposes sensitive systems to unauthorized access, compromising sensitive data and organizational security. Without data backup, however, the institution could face an existential risk; a single, severe incident could wipe out critical data, halting operations entirely.
So, what would you do?
Risk management and preparedness are about anticipating the unexpected. Andy Ellis advises, “While we talk through these scenarios, and they’re completely hypothetical, recognize your bright lines and ones you’re not going to cross; there’s no scenario in which you’re going to say, ‘I can tolerate that.’ As an example, I cannot tolerate downgrading MFA; but in this situation, I can tolerate no backups.”
Closing MFA Gaps with Grip
Hypothetical scenario aside, MFA is a critical defense in protecting SaaS account credentials and mitigating unauthorized access. However, knowing which applications need MFA—especially high-risk apps or shadow SaaS—is often challenging. Grip enables teams to identify high-risk apps, assess their SAML or MFA support, engage stakeholders, and activate MFA to enhance security and reduce password-related support cases. To learn more about how Grip can provide comprehensive SaaS visibility and extend your MFA coverage across all applications, including shadow SaaS, book time with our team.
The CISO Series Podcast discusses varied topics in cybersecurity leadership, security issues, and how cybersecurity practitioners work with security vendors. Learn more and subscribe to the podcast series on their website.
This article was originally published on Grip.Security.
LAST CHANCE! Register now to save your seat for our webcast this Thursday, November 14, at 12:00 ET - SEC Cybersecurity Rule: Reflections & Realities After Year One.
It's been one year since the SEC Cybersecurity Rule went into effect. How has it impacted cybersecurity operations, and with the new US administration, what might change in year 2? Listen in as speakers Bob Zukis, Founder and CEO of the Digital Directors Network, and Idan Fast, CTO and Co-Founder of Grip Security, break down the challenges and discuss emerging risks that should be on every CISO's radar.
If you can’t attend the live session, registering will ensure you get the link to view the recording at your convenience. Register now.
Great dad | Inspired Risk Management and Security Professional | Cybersecurity | Leveraging Data Science & Analytics My posts and comments are my personal views and perspectives but not those of my employer
1 week The irony is with so many MFA products available for a long time... Many Enterprises are still debating or not having this a priority in their security budget or agenda. Even worse, the SaaS and CSP providers are just starting to enforce MFA with a very shy approach worried about causing disruption or pushback from their customers as an inconvenience.
I know things about Identity Security, IAM, IGA, PAM and an excessive number of other acronyms
1 week One is hanging out in a clinic with a weak immune system and the other is fighting illness without medicine. How do you want to tempt fate?