MFA Risk Reduction Calculator
Multi-factor authentication (MFA) dramatically reduces account takeover risk by requiring a second authentication factor beyond a password. This calculator takes the baseline account compromise risk (annual probability) and applies an MFA risk reduction factor to compute the residual risk after MFA deployment. MFA types vary in effectiveness: SMS OTP offers the least protection, while FIDO2 hardware keys (passkeys) provide phishing-resistant authentication that blocks even sophisticated real-time phishing attacks. Use the MFA effectiveness percentage to model different MFA types and their impact on your organization's residual risk.
MFA risk reduction formula
Risk blocked = baseline risk × (MFA effectiveness / 100)
Residual risk = baseline risk × (1 - MFA effectiveness / 100)
For a baseline risk of 5% and MFA effectiveness of 99.9%: risk blocked = 5% × 0.999 = 4.995%, residual risk = 5% × 0.001 = 0.005% (about 5 in 100,000 accounts per year). This illustrates why MFA is one of the highest-impact security controls available.
MFA type effectiveness comparison
- SMS OTP: approximately 76% reduction in automated attacks (CISA). Vulnerable to SIM swapping and SS7 exploitation.
- TOTP app (Google Authenticator, Authy): approximately 99% reduction in automated attacks. Phishable via real-time proxy tools.
- Push notification (Microsoft Authenticator with number matching): approximately 99.9% reduction. Resistant to MFA fatigue with number matching enabled.
- FIDO2 hardware security key or passkey: approximately 99.9%+ reduction, phishing-resistant. Recommended by NIST SP 800-63B AAL3 and CISA Phishing-Resistant MFA guidance.
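The formula above and the comparison table, implemented as a small calculator. This is an added example, not the page's own calculator code; the effectiveness values are the approximate figures quoted above, and the `coverage` parameter (the fraction of accounts actually enrolled in MFA, with unenrolled accounts keeping the full baseline risk) is an assumption of this example that goes beyond the page's formula.

```python
from dataclasses import dataclass

# Approximate effectiveness (% of automated attacks blocked) as listed on the page.
MFA_EFFECTIVENESS = {
    "sms_otp": 76.0,
    "totp_app": 99.0,
    "push_number_matching": 99.9,
    "fido2_passkey": 99.9,
}


@dataclass(frozen=True)
class RiskEstimate:
    baseline_pct: float          # annual compromise probability without MFA, in %
    blocked_pct: float           # share of the baseline removed by MFA, in %
    residual_pct: float          # annual compromise probability after MFA, in %
    expected_compromises: float  # residual_pct applied to the account count


def residual_risk(baseline_pct: float, effectiveness_pct: float,
                  accounts: int = 1, coverage: float = 1.0) -> RiskEstimate:
    """Page formula: residual = baseline x (1 - effectiveness/100).
    `coverage` (enrolled fraction, 0..1) is this example's assumption: unenrolled
    accounts keep the full baseline risk; coverage=1.0 is the page's calculator."""
    if not 0.0 <= baseline_pct <= 100.0:
        raise ValueError("baseline risk must be a percentage in [0, 100]")
    if not 0.0 <= effectiveness_pct <= 100.0:
        raise ValueError("MFA effectiveness must be a percentage in [0, 100]")
    if not 0.0 <= coverage <= 1.0:
        raise ValueError("coverage must be a fraction in [0, 1]")
    if accounts < 0:
        raise ValueError("account count must be non-negative")
    eff = effectiveness_pct / 100.0
    # Enrolled accounts keep (1 - eff) of the risk; unenrolled keep all of it.
    residual = baseline_pct * (coverage * (1.0 - eff) + (1.0 - coverage))
    return RiskEstimate(baseline_pct, baseline_pct - residual, residual,
                        accounts * residual / 100.0)


def compare_mfa_types(baseline_pct: float, accounts: int,
                      coverage: float = 1.0) -> dict:
    """Residual risk for each MFA type in the page's comparison table."""
    return {name: residual_risk(baseline_pct, eff, accounts, coverage)
            for name, eff in MFA_EFFECTIVENESS.items()}


if __name__ == "__main__":
    # The page's worked example: 5% baseline, 99.9% effective MFA, 100,000 accounts.
    print(residual_risk(5.0, 99.9, accounts=100_000))
    for name, est in compare_mfa_types(5.0, 10_000, coverage=0.8).items():
        print(f"{name:22s} residual={est.residual_pct:.4f}%  "
              f"expected compromises/yr={est.expected_compromises:.1f}")
```

Running it with partial coverage shows that enrollment gaps, not the choice between 99% and 99.9% effective factors, usually dominate the residual risk.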
MFA risk reduction calculator: frequently asked questions
How much does MFA reduce account takeover risk?
Microsoft's research (2019) found that MFA blocks approximately 99.9% of automated credential stuffing and brute-force attacks. Google's research on hardware security keys showed that physical second factors block 100% of automated phishing attacks in their study. The exact reduction depends on the MFA type used.
What are the different types of MFA and their effectiveness?
TOTP (time-based one-time passwords, such as Google Authenticator): effective against automated attacks, but phishable. Push notifications (Authenticator app): convenient, but vulnerable to MFA fatigue attacks. Hardware security keys (FIDO2/WebAuthn): phishing-resistant, not susceptible to SIM swapping. SMS OTP: weakest; vulnerable to SIM swapping and SS7 attacks.
What is an MFA fatigue attack?
An MFA fatigue attack (also called MFA bombing) floods a user with repeated push notification approval requests until the user approves one out of frustration or confusion. Number matching and additional context in push notifications (NIST SP 800-63B Level 3 requirements) mitigate this attack.
Does MFA prevent all account compromises?
No. Phishable MFA (TOTP, SMS) can be defeated by real-time phishing proxies that relay the victim's credentials and one-time codes to the legitimate site as they are entered. Only phishing-resistant MFA (FIDO2/WebAuthn hardware keys or passkeys) protects against real-time phishing. Residual risk also includes insider threats and session hijacking, which MFA does not address.
What MFA does NIST SP 800-63B require?
NIST SP 800-63B requires multi-factor authentication at Authenticator Assurance Level 2 (AAL2) for most government systems. Hardware-based authenticators (FIDO2) are required for AAL3. For AAL2, TOTP apps and hardware tokens are acceptable.
Official sources
- CISA Implementing Phishing-Resistant MFA: cisa.gov.
- NIST SP 800-63B Digital Identity Guidelines (Authenticator Assurance Levels): pages.nist.gov/800-63-3/sp800-63b.html.
Reviewed by the CalculatorHub team, edited by James Graham, 15 June 2026. See our methodology.