The FTC has joined the drumbeat of several other government agencies in recent months, calling attention to the importance of adopting the latest multi-factor authentication (MFA) methods. In this article, we examine three recently settled FTC enforcement actions – Chegg, Drizly and CafePress – and how they highlight the Commission’s evolving MFA expectations. We further explore phishing-resistant MFA, how it differs from legacy MFA practices and best practices for implementation. See our two-part series on digital identity management in a post-pandemic world: “A Framework for Identity-Centric Cybersecurity” (Mar. 24, 2021); “SolarWinds, Zero Trust and the Challenges Ahead” (Mar. 17, 2021).