Multi-Factor Authentication (MFA)
A security control that requires users to verify their identity using two or more independent factors before gaining access.
What Is Multi-Factor Authentication?
Multi-factor authentication (MFA) — also called two-factor authentication (2FA) — requires users to provide at least two distinct forms of evidence to verify their identity before accessing a system. The three factor categories are:
- Something you know: a password or PIN
- Something you have: a phone, hardware token, or authenticator app
- Something you are: biometrics like a fingerprint or face scan
Requiring a second factor means that a stolen password alone is not sufficient to gain access — the attacker also needs the second factor, which is typically much harder to steal.
Types of MFA
| Method | Security Level | Usability |
|--------|----------------|-----------|
| SMS one-time codes | Low–Medium (SIM-swap risk) | High |
| Authenticator app (TOTP) | Medium–High | Medium |
| Push notification | Medium–High | High |
| Hardware security key (FIDO2) | Very High | Medium |
| Passkeys | Very High | High |
FIDO2 hardware keys and passkeys are the most phishing-resistant forms of MFA and are recommended for high-privilege accounts.
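To make the "something you have" factor concrete, here is an added example (not code from the original page) of how a TOTP authenticator app and the server it talks to agree on a code: RFC 4226 HOTP under the hood, with the counter derived from the clock per RFC 6238. The `TotpVerifier` class and its replay bookkeeping are this example's own design, and the secret is the published RFC 6238 test seed, used here as constructed demo input. It also shows the two server-side details that matter in practice: tolerating a little clock drift, and refusing to accept the same code twice.

```python
"""Toy TOTP verifier: RFC 6238 on top of RFC 4226 HOTP (added example)."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then the last `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch. This is what the authenticator app computes."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code (hypothetical helper).

    - accepts codes from `window` steps either side of now (clock drift)
    - remembers the highest counter already accepted per user, so a code
      captured from a user and replayed inside the window is rejected
    """

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self.last_counter = {}  # user -> last accepted counter

    def verify(self, user: str, secret: bytes, submitted: str, now: int) -> bool:
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_counter.get(user, -1):
                continue  # already used, or older than a used code: treat as replay
            expected = hotp(secret, counter, self.digits)
            # constant-time comparison avoids leaking matching prefixes via timing
            if hmac.compare_digest(expected, submitted):
                self.last_counter[user] = counter
                return True
        return False


# Constructed demo secret: the ASCII seed from the RFC 6238 test vectors.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = TotpVerifier()
    now = 1_111_111_109
    code = totp(RFC_SECRET, now)
    print("code:", code, "accepted:", verifier.verify("alice", RFC_SECRET, code, now))
    print("replay accepted:", verifier.verify("alice", RFC_SECRET, code, now + 5))
```

Two things the table above glosses over are visible here. The code is only as secret as the seed stored on the phone and on the server, so protecting that seed (and its enrollment QR code) is part of the control. And because the server only checks that the six digits match, a code typed into a convincing fake login page within its 30-second lifetime is still accepted, which is why the page rates FIDO2 keys and passkeys, whose response is bound to the real site's origin, as more phishing-resistant than TOTP.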
Why MFA Is Non-Negotiable
Credential theft — through phishing, data breaches, or password reuse — is the most common initial access method in attacks on SMBs. MFA blocks the majority of these attacks. Microsoft reports that MFA prevents over 99.9% of account compromise attacks.
Rolling Out MFA Across Your Team
- Start with admin and privileged accounts
- Enforce MFA for email, SSO, and cloud platforms next
- Prefer authenticator apps (Google Authenticator, Microsoft Authenticator, Authy) to SMS codes
- For high-risk roles, consider hardware keys (YubiKey, Google Titan)
- Disable legacy authentication protocols that bypass MFA (SMTP AUTH, basic auth)
Even imperfect MFA — like SMS codes — is significantly better than no MFA.