
MFA in HR SaaS: why 62% of French vendors still don't offer it

Published on 2026-06-04 · 6 min read · CleanIssue

The reality

Out of the last 50 French HR SaaS products we audited, 31 offered no form of MFA to their users. No TOTP, no WebAuthn, not even SMS. Just an email and password.

For applications that store payslips, employment contracts, and social security numbers, that's a problem.

Why MFA is lagging

"Our clients don't ask for it"

The most common argument. And it's changing. With NIS2 and increasing enterprise requirements, MFA is becoming a prerequisite in security questionnaires. Not offering it means losing contracts.

"It's complicated to implement"

With Supabase Auth, Firebase Auth, or NextAuth, TOTP MFA can be set up in a few hours. WebAuthn (security keys, Face ID, Touch ID) requires a bit more work but remains accessible.

"It degrades the user experience"

A valid argument in 2020. In 2026, everyone uses an authenticator on their phone. And passkeys make authentication even smoother than a traditional password.

What we find in audits

When MFA isn't in place, we systematically find:

  • Weak passwords: no complexity requirements, no checking against compromised password lists
  • No brute force protection: no rate limiting on the login endpoint, no captcha, no lockout after X attempts
  • Sessions too long: tokens valid for 30 days with no revocation mechanism
  • No suspicious login detection: a login from a new country triggers no alert
All of these problems are mitigated by MFA. Even if an attacker gets the password, they need the second factor.

The 3-step action plan

Step 1: offer optional TOTP

Start by offering TOTP authentication (Google Authenticator, Authy) as an option. Encourage it without forcing it. Measure adoption.

Step 2: make MFA mandatory for admins

Admin accounts have access to all data. They must be protected first. Make MFA mandatory for admin and super-admin roles.

Step 3: WebAuthn for everyone

Passkeys are the future. They're more secure than TOTP (phishing-resistant) and simpler for users. Start integrating them now.

CleanIssue recommendation

During our First Review, authentication mechanisms are one of the first points analyzed. If your HR SaaS doesn't offer MFA, it's a strong signal to your clients that your security posture needs improvement.

Written by CleanIssue
Reviewed on 2026-06-04

Editorial analysis based on official vendor, project, and regulator documentation.
