Multifactor authentication (MFA) represents one of the most effective security controls available, yet many casino gaming organizations struggle with implementation challenges. Understanding MFA’s importance and implementing it effectively can protect your operation from the most common attack paths used against casinos and tribal entities.

The 2023 high-profile cybersecurity breaches at MGM Grand and Caesars Entertainment in Las Vegas, NV, revealed the devastating impact of attacks that could have been prevented with proper MFA implementation.

In MGM’s case, a social engineering attack on the help desk allowed attackers to bypass security. In 2024, CyberArk’s Identity Security Threat Landscape Report identified that 93% of organizations that experience one breach will suffer multiple breaches. Implementing MFA creates a significant barrier against this pattern of repeated attacks on vulnerabilities.

▶️ WEBINAR CLIP: MGM & Caesars Cyber Attacks | RANSOMWARE: ARE YOU ON A HACKER'S HIT LIST? | 00:46

For casino gaming operations, MFA is particularly critical due to:

Continuous 24/7 Operations: Casino environments require remote access around the clock, creating persistent vulnerability points that MFA can secure.
High Staff Turnover: The gaming industry experiences significant staff turnover, making identity verification crucial for access management.
Multiple Connected Systems: Casino operations typically involve numerous interconnected systems spanning gaming floors, hotels, entertainment venues, and food service areas, all requiring secure access controls.

Implementing MFA effectively requires addressing common resistance points and following the industry’s best practices.

Addressing the “No Cell Phones on the Floor” Concern 📵

A common misconception prevents many casino operators from implementing MFA: the belief that gaming floor restrictions on mobile devices make multifactor authentication impossible. This thinking overlooks the reality of how cyberattacks actually target casino operations.

The highest-value targets aren’t on the gaming floor. Administrative accounts, IT systems, and remote access points—the primary entry points for attackers like those who breached MGM and Caesars—are typically managed by staff who work in offices, not on gaming floors. These critical systems can and should be protected with MFA regardless of floor policies.

MFA implementation should match your operational environment:

Administrative and IT staff can use mobile authenticator apps from their offices
Remote access users (by definition working off-site) have full access to mobile devices
Gaming floor supervisors and restricted areas can utilize hardware tokens that don’t require cell phones
Hotel, food service, and entertainment staff often work in areas where mobile devices are permitted

Rather than dismissing MFA entirely due to gaming floor restrictions, casino operators should implement a tailored approach that recognizes different operational zones have different security needs and device policies. The key is starting with your most critical systems—which are rarely managed from the gaming floor itself.

▶️ WEBINAR CLIP: The Importance of MFA & Access| RANSOMWARE: ARE YOU ON A HACKER'S HIT LIST? | 00:59

MFA Implementation Industry Best Practices

1. Start with Critical Systems:

Begin by implementing MFA for administrative accounts and remote access points, which are primary targets for attackers. These represent your highest value assets and greatest points of vulnerability.

2. Choose Appropriate MFA Methods:

Options include:

Mobile authenticator apps (recommended for most users)
Hardware tokens (ideal for high-security roles)
SMS verification (be aware that this is vulnerable to SIM swapping)

3. Plan for Exceptions:

Develop protocols for emergency access when MFA systems might be unavailable. Document these exceptions carefully and audit their use.

4. Train Staff Comprehensively:

Explain not just how to use MFA but why it’s essential. Use real-world examples like the MGM breach to illustrate consequences of bypassing authentication processes.

5. Monitor Compliance:

Implement logging and auditing to ensure MFA isn’t being circumvented. Regular review of these logs can identify potential security gaps before they’re exploited.

MFA – Key Takeaways:

MFA is considered one of the top cybersecurity controls for gaming operations
Proper implementation requires planning, training, and monitoring
Begin with securing administrative accounts and remote access
Real-world casino breaches demonstrate the consequences of inadequate authentication

Ready to strengthen your defense against unauthorized access?

Your operation requires expertise you can trust. REDW’s cybersecurity experts understand the unique challenges of casino gaming environments. We connect gaming leaders to cutting-edge resources to help you implement MFA solutions that balance your digital security with operational needs. Our team and trusted partners tailor implementation strategies that address your specific operational requirements while significantly enhancing your security posture.

Contact REDW today to begin building this critical security layer into your gaming or tribal operation.

contact an redw cybersecurity expert