
MFA in the Age of AI — Why It's No Longer Optional

  • Justin Hill
  • 11 hours ago

For decades, usernames and passwords were considered "good enough." That era is over. Artificial intelligence has handed attackers tools that make traditional authentication dangerously inadequate — and multi-factor authentication (MFA) has become the single most important security measure any organization can deploy today.


What Is MFA?


MFA requires users to verify their identity with more than just a password. It adds a second factor — something you have (a phone, a token, an authenticator app) or something you are (a fingerprint). Even if an attacker steals your password, they can't get in without that second factor.


Common methods include SMS codes, time-based one-time passwords (TOTP) via authenticator apps, push notifications, voice calls, and email codes. Each has trade-offs between security and convenience, but the key point is simple: any form of MFA is dramatically better than no MFA at all.


The AI Threat: Why MFA Became Urgent


AI-Powered Phishing Is Now the Norm


According to the KnowBe4 2025 Phishing Threat Trends Report, roughly 83% of phishing emails now contain AI-generated content. These aren't the sloppy scam emails of the past — they're grammatically perfect, personalized, and reference real projects and colleagues. Research shows AI-crafted phishing achieves click-through rates above 50%, compared to around 12% for traditional phishing.


The APWG recorded 4.8 million phishing attacks in 2024. SaaS and webmail platforms are the second most targeted category, accounting for over 19% of all attacks.


Voice Cloning and Deepfakes


AI voice cloning now needs just seconds of audio to produce a convincing clone — complete with natural intonation, rhythm, and breathing. In 2024, a finance worker at Arup was tricked into wiring $25 million after a deepfake video call where the CFO and colleagues were all AI-generated. The CrowdStrike 2026 Global Threat Report documents attackers using voice cloning to impersonate executives and IT staff in real-time calls to bypass security procedures.


Attacks Are Getting Faster


CrowdStrike's 2026 report shows an 89% year-over-year increase in AI-enabled attacks. Average breakout time — from initial compromise to lateral movement — has dropped to 29 minutes. The fastest observed: 27 seconds. IBM found over 300,000 stolen ChatGPT credentials for sale on the dark web in 2025 alone.


Insurance Now Requires MFA


Cybersecurity insurance carriers increasingly mandate MFA as a baseline condition for coverage. Without it, claims may be denied or premiums may become prohibitive.


Ease of Use Is the Make-or-Break Factor


MFA only works if people actually use it. The most secure system is worthless if users circumvent it or flood the helpdesk every morning. This is especially true for external users — partners, clients, contractors — who have zero tolerance for a bad login experience.


Effective MFA must be simple to enroll, flexible in methods, quick to deploy, and unobtrusive in daily use.


MFA for HCL Domino by Prominic.NET


For organizations running HCL Domino — Notes email, Verse, iNotes, Nomad Web, or custom web applications — Prominic.NET developed MFA for HCL Domino.


  • Five authentication methods: SMS, Call, TOTP (Google Authenticator, Microsoft Authenticator, Authy), Push-Verify (dedicated iOS/Android apps), and Email.

  • Installed in minutes: Runs on the Genesis platform. Two steps — install Genesis, then run one console command: tell Genesis install mfa-full. Most installations take 10–15 minutes.

  • Works across Domino versions: Supports HCL Domino R9 FP8 through the latest releases.

  • Customizable: Fully brandable UI — logos, colors, text, and multi-language prompts.

  • Free for small teams: The Freemium edition includes full MFA functionality for up to 25 users. Commercial plans are available as Monthly Per User or Monthly Unlimited (with support included), both through prominic.shop.

  • Critical for SaaS-enabled Domino platforms: When Domino applications serve external users over the web, the attack surface expands dramatically. External users are outside your security perimeter, and their login portals are discoverable by attackers. MFA for HCL Domino supports secondary address books, making it well-suited for SaaS deployments managing external users in separate directories.


The Bottom Line


AI has removed the barriers for attackers. Phishing emails look perfect. Voices can be cloned in seconds. Fake login portals appear instantly. Passwords alone are no longer enough.


MFA is the most impactful security measure you can deploy today — for Notes email, for Domino web apps, and especially for SaaS-enabled platforms serving external users. But it has to be MFA that people will actually use.


The attackers have AI. Make sure your front door has more than just a password.

