MFA and MyCena operate at different layers and are complementary. MFA verifies that the person presenting a credential is who they claim to be — it adds a second factor to the identity verification process. MyCena operates one layer below: it governs whether the credential the person is presenting can be stolen, shared, or phished in the first place.

When an employee types their password on a phishing page, the attacker captures it. They then pass the MFA challenge (often via attacker-in-the-middle techniques that capture session tokens, or by prompting the employee to approve a notification). MFA sees a valid credential plus a valid second factor. It has no mechanism to know the credential was obtained fraudulently.

With MyCena deployed, the employee never types the credential — so it cannot be captured on a phishing page. There is nothing for the attacker to obtain. MFA continues to provide identity verification. MyCena eliminates the attack surface MFA cannot address.