Authentication

Multi-Factor Authentication (MFA)

Also known as: 2FA, Two-Factor Authentication, Two-Step Verification, 2-step verification

Multi-Factor Authentication (MFA), also known as Two-Factor Authentication (2FA), means proving who you are using at least two different pieces of evidence before you’re granted access to an account. Typically that’s something you know (a password) plus something you have (a phone, a physical security key) or something you are (a fingerprint or face scan).

MFA is the single most effective defence a business can deploy against account takeover. Microsoft reports it blocks the vast majority of identity-based attacks.

The three factor types

  • Something you know: a password or PIN
  • Something you have: a phone with an authenticator app, a hardware key like a YubiKey, a smartcard
  • Something you are: a fingerprint, face scan, or voice pattern

Using any two factors from different categories counts as multi-factor; two factors from the same category (such as two passwords) do not.

Why the old advice has shifted

For years the standard advice was “use SMS text codes”. That advice has changed. SMS is still better than nothing but is now considered weaker because SIM-swap attacks have become common. The current best practice hierarchy is:

  1. Hardware security keys (FIDO2, YubiKey): strongest, phish-proof
  2. Authenticator apps (Microsoft Authenticator, Google Authenticator, 1Password, Authy): strong, easy to deploy
  3. Push notifications with number matching: good; requires Microsoft 365 Premium or similar
  4. SMS codes: adequate, but increasingly unreliable against sophisticated attackers

What businesses should do

  • Enable MFA on every admin account today, no exceptions
  • Roll MFA out to every user account across Microsoft 365, Google Workspace, banking, and any other SaaS that supports it
  • Move away from SMS where possible; prefer authenticator apps or hardware keys
  • Plan for lost-phone recovery; having every admin locked out because they lost their phone is a common, avoidable disaster

How we help

Cyber Essentials now expects MFA on cloud services and admin accounts, which means it’s on the critical path for every business we help with certification. Our cyber security service and managed IT service both include MFA rollout and ongoing management as standard.