What are some effective strategies for implementing multi-factor authentication (MFA)? What are the must-to-know practices for MFA that you recommend following?
All I can say is start with passkeys; we use Authress for that, but you could be using anything. Relying on passwords at all is just a bad idea, look at LastPass :(.
And if you are in the business app space, SSO always, MFA isn't quite so relevant there.
Great question! Since you asked about MFA, I'll sidestep passkeys until the end :)
MFA is difficult to implement well. There are SaaS companies dedicated to implementing it for their customers' services and apps, and they still struggle at times. If you find yourself having to implement it, it is definitely something you buy instead of build. It'll allow you to focus on your business instead of being pulled into the authentication time suck.
When evaluating MFA and how to implement it, it is important to remember that authentication is a chore for your users and they would rather not do it. So, by implementing MFA, you are making authentication more difficult and time-consuming because you are adding more steps they need to figure out to use your service.
So, the first question to answer is: is it worth it? MFA will provide more assurance that the user accessing your service is who they say they are. What does that buy your business? How does that benefit your users? Depending on how much value you or your users stand to lose by allowing unauthorized access to their account, you may need to implement MFA.
Ideally, you'd delegate the responsibility of performing MFA to an identity provider of your users' choosing via single sign-on (SSO). SSO can take the form of social/platform login (Apple, Google, Microsoft) for a consumer-facing application or can be much, much more involved in the B2B space. All the SSO protocols support the ability to request a certain level of authentication. Whether or not the identity provider allows you (the service provider) to request MFA is another matter.
If you are going down the path of layering MFA on your native authentication, you'll want to investigate using another SaaS to do that for you. They'll have figured out all the email/SMS/telephony integration and device integration while also allowing your users to pick their most convenient method. Most users will be familiar with one of the email/SMS/telephony options as most large-scale consumer companies offer SMS as the only MFA option these days. As for who to go with, all the cloud platforms have something. Another big player is Auth0/Okta. There are a handful of smaller options too like stytch and FusionAuth that may be worth investigating for more competitive pricing or ease-of-implementation.
That all said, as other comments have mentioned, if your users have the devices/OSes that support passkeys, you should definitely consider just implementing passkeys instead of a more traditional MFA approach. Getting back to my first point though, since passkeys are bleeding edge, it may just be confusing to your users in the short term as they may not have used passkeys yet. You'll have to walk them through wtf a passkey is, and why they can't just use SMS like they do everywhere else.
Happy to answer any specific questions you have!
Use device-based or SMS-based authentication and implement application-level MFA.
Must-know practices: ensure authentication codes are only valid for a certain period of time.