Let’s not sugar-coat it. Passwords alone are no longer enough. Not for your website, your content management system (CMS), or anything remotely valuable online. And if you are managing content in Umbraco, it is time to stop thinking of multi-factor authentication (MFA) as a nice-to-have and start seeing it for what it is: your front line of defence.
This blog walks through what MFA really means for your Umbraco setup, why it matters more than people realise, and how it fits neatly into securing your wider digital ecosystem. If you are connecting Umbraco to other platforms, tools or user systems, MFA is quite often the missing piece of the security process.
And no, this one is not just for the IT team.
Let’s Start with the Basics: What Is Multi-Factor Authentication?
Multi-factor authentication confirms a user’s identity by requiring two or more pieces of evidence during login.
Often called two-factor authentication (2FA) when exactly two factors are involved, it’s already something you’ve probably used today. Password plus a code on your phone. Password plus a Face ID prompt. That is MFA.
The three common factor types are:
- Something you know, like a password
- Something you have, like a mobile phone or authentication app
- Something you are, like fingerprint or face ID
If someone steals your password, they still cannot get in without that second factor.
Why MFA Still Matters Even on a Secure CMS
Umbraco has a solid security record and is far less vulnerable than many other CMS platforms out there. But even the best systems cannot protect you from human behaviour. Weak passwords, reused credentials and predictable login patterns are still the biggest risks for any website.
Automated bots sweep the internet constantly, trying the same password on every login page they can find. They are not hunting for Umbraco. They are simply hunting for opportunity.
MFA shuts that door completely, even if someone knows your password.
Why MFA Is a Must-Have for Umbraco Websites
We get it. MFA can feel like an extra hurdle, especially when you are trying to quickly update content in the Umbraco backoffice. But for Umbraco websites, where users often have access to client data, integrations, business logic, member profiles, content models and occasionally customer data, MFA is one of the most effective security measures you can put in place.
Here is why it matters.
1. CMS Access Is a High-Value Target
The Umbraco backoffice is not just a place to upload images or add blog posts. It is a gateway to:
- content
- integrations
- Umbraco Members support
- forms and submissions
- application settings
- sometimes e-commerce
- payment history and personal data
If someone unauthorised gets in, they can do real damage quickly.
2. Passwords Are the Weakest Link
No password policy can prevent human behaviour. People reuse passwords, write them down, share them, or use them across multiple services. MFA adds a strong second barrier that compensates for all of that. Even better? Passwordless login is becoming more common through MFA - letting you ditch the password altogether in favour of biometrics or trusted devices.
3. Cloud Environments Raise the Stakes
If you use Umbraco Cloud or host on shared infrastructure, MFA becomes even more important. More collaborators, more logins and more moving parts mean more places things can go wrong without proper authentication methods in place.
How MFA Works in Umbraco and Where It Fits in Your Setup
Modern versions of Umbraco use ASP.NET Core Identity, which means MFA is entirely possible when you connect Umbraco to a compatible authentication provider. This gives you a secure and flexible way to manage authentication across multiple systems, not just the CMS.
Common approaches involve integrating Umbraco with an identity provider that supports MFA, such as Azure AD, Auth0 or Okta.
Once connected, you can enable MFA methods such as:
- time-based one-time passwords (TOTP) via apps like Google Authenticator or Microsoft Authenticator
- push notification approvals
- text messages or voice calls
- hardware keys like YubiKey
- biometric authentication
- security questions (although not ideal as a primary method)
- conditional access rules
This gives you enterprise-grade authentication without bolting MFA logic directly into the CMS. It also means your MFA policies stay consistent across your wider digital ecosystem, which is exactly where our Third Party Software Integrations service comes in.
Custom MFA Flows
You may not want every user to complete MFA. For example:
- editors may not need the same access controls as administrators
- some workflows may require MFA only for sensitive actions
- you may want conditional MFA based on IP, device or time of day
These custom flows are entirely possible. They are fiddly, but they are the kind of fiddly we enjoy.
If you’re planning to go down this route, you could also explore using Login Providers and the UmbracoIdentity package to handle it, which can save you from reinventing the wheel.
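The conditional rules listed above (role, sensitive action, IP, time of day) can be collapsed into a single decision function that fails closed when the source address cannot be verified. This is an added example, not code from Umbraco or from the original post: `LoginContext`, `MfaPolicy`, the group name `admin`, the 203.0.113.0/24 range and the 08:00 to 18:00 window are all assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Sockets;

// Hypothetical types for illustration; these are not Umbraco or ASP.NET Core Identity APIs.
public record LoginContext(string[] Groups, string RemoteIp, bool SensitiveAction, DateTime LocalTime);

public static class MfaPolicy
{
    // Assumed trusted office range and working hours (constructed values).
    static readonly (IPAddress Net, int Prefix)[] TrustedRanges = { (IPAddress.Parse("203.0.113.0"), 24) };
    static readonly TimeSpan DayStart = TimeSpan.FromHours(8), DayEnd = TimeSpan.FromHours(18);

    public static bool RequiresMfa(LoginContext ctx)
    {
        if (ctx.Groups.Contains("admin", StringComparer.OrdinalIgnoreCase)) return true; // administrators: always
        if (ctx.SensitiveAction) return true;              // step-up for sensitive actions
        if (!IsTrusted(ctx.RemoteIp)) return true;         // unknown or unparseable IP: fail closed
        var t = ctx.LocalTime.TimeOfDay;
        return t < DayStart || t >= DayEnd;                // out-of-hours logins are challenged
    }

    static bool IsTrusted(string ip)
    {
        if (!IPAddress.TryParse(ip, out var addr)) return false;
        if (addr.IsIPv4MappedToIPv6) addr = addr.MapToIPv4();
        if (addr.AddressFamily != AddressFamily.InterNetwork) return false; // only IPv4 ranges are listed
        uint a = ToUInt(addr);
        return TrustedRanges.Any(r =>
        {
            uint mask = r.Prefix == 0 ? 0u : uint.MaxValue << (32 - r.Prefix);
            return (a & mask) == (ToUInt(r.Net) & mask);
        });
    }

    static uint ToUInt(IPAddress a)
    {
        var b = a.GetAddressBytes();
        return (uint)b[0] << 24 | (uint)b[1] << 16 | (uint)b[2] << 8 | b[3];
    }

    public static void Main()
    {
        var noon = new DateTime(2024, 1, 15, 12, 0, 0); // constructed sample inputs
        Console.WriteLine(RequiresMfa(new LoginContext(new[] { "editor" }, "203.0.113.7", false, noon)));  // editor, trusted range, working hours
        Console.WriteLine(RequiresMfa(new LoginContext(new[] { "editor" }, "198.51.100.9", false, noon))); // same editor from an unknown network
        Console.WriteLine(RequiresMfa(new LoginContext(new[] { "admin" }, "203.0.113.7", false, noon)));   // administrator on the trusted range
    }
}
```

The remote address must come from a source the application can trust (for example, forwarded headers only from a known reverse proxy), otherwise the IP exemption can be spoofed.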
Got Questions? Here Are the Ones We Hear Most
Yes. Security is not a question of trust. It is a question of risk. MFA turns human error into a near-miss rather than a breach.
Barely. Most authenticator apps are fast and can remember trusted devices for a period of time. It's also possible to allow login without prompts from known IP lockdown ranges.
Yes. We have implemented this for multiple clients. It centralises identity management and allows you to apply the same MFA policy across all your apps.
You can still add MFA through an identity provider, but older versions may require more custom work. If you are still on Umbraco 8 or earlier, we recommend reviewing your upgrade path.
Security Is Only as Strong as Your Weakest Link
Even the best MFA setup can be undone if the rest of your digital ecosystem has security gaps. For example:
- does your CRM enforce MFA?
- are API keys stored securely?
- are data transfers encrypted with SSL/TLS certificates?
- are permissions aligned across systems?
- is your Content Security Policy properly configured?
Security only works when everything works together. This is why identity, MFA and integrations go hand in hand.
Need Help Locking Things Down?
If MFA in Umbraco is on your radar but not yet in place, do not wait until something forces your hand. The setup does not have to be painful, and it definitely does not need to become a six-month project.
We can help you:
- audit your current authentication setup
- recommend the right identity provider
- configure MFA for Umbraco and integrated platforms
- align policies across your wider ecosystem
- document everything clearly
No jargon. No unnecessary tech. Just a secure setup that works.
Wrapping Up: MFA as Part of Your Bigger Security Picture
MFA in Umbraco is not about ticking a compliance box. It is about protecting your organisation, your content and your users. It is quick to implement, easy to use and highly effective.
And when you connect Umbraco to a wider identity provider, MFA becomes part of a consistent, joined-up security posture across your entire digital estate, whether you’re securing back-office administrators, user groups, or front-end sign-in processes for Umbraco users.
If you want help putting the right structure in place - from manual enablement to automating builds - we are here.
Contact us via the form and we’ll get the ball rolling.