Multi-factor authentication (MFA) is one of the simplest and most effective ways to protect your business.

But it’s also one of the most misunderstood.

Most people know they “should have it,” but don’t fully understand what it does—or why it matters.


What Is MFA?

MFA stands for multi-factor authentication.

It means you need more than just a password to log in.

Instead of only entering a password, you also need something else, such as:

  • A code from an authenticator app (TOTP)
  • A push notification on your phone
  • A text message with a verification code
  • A physical security key (YubiKey or smart card)
  • A fingerprint
  • A Face ID scan
  • A retinal scan

In simple terms:

MFA = something you know (your password) + something you have (your phone or device) or something you are (biometric data such as a fingerprint, Face ID, or retinal scan)

Any combination of two or more different factor types is considered MFA.


Why Passwords Alone Aren’t Enough

Passwords are often:

  • reused across multiple sites
  • easy to guess
  • exposed in data breaches

Once a password is compromised, an attacker can often log in without triggering any alarms.

From there, they can:

  • access email
  • reset other passwords
  • impersonate users
  • launch further attacks

How MFA Protects You

MFA adds a second layer of protection.

Even if an attacker has your password, they still need access to your second factor (usually your phone).

That makes it much harder to break in.

MFA stops a large percentage of common attacks.


Common MFA Methods

Not all MFA is the same.

Authenticator Apps

  • Apps like Microsoft Authenticator or Google Authenticator
  • Generate time-based codes (TOTP)
  • More secure than text messages

Push Notifications

  • Approve or deny a login attempt on your phone
  • Convenient and widely used

Be aware of “MFA fatigue” attacks, where users receive repeated push requests until they accidentally approve one.


Text Messages (SMS)

  • Sends a code via text
  • Better than nothing, but less secure than apps
  • Officially deprecated by NIST in 2016; still better than single-factor authentication, but it should be a last resort

Hardware Keys

  • Physical devices (like a USB key)
  • Very secure, but less common in SMBs

Biometric Data

  • Face ID (face scan, like on an iPhone)
  • Fingerprint (common in datacenters, mobile devices, etc.)
  • Retinal scan (rare outside of high-security environments)

Where MFA Matters Most

If you do nothing else, enable MFA on:

  • Email (Microsoft 365 / Google Workspace)
  • Remote access (VPN, remote desktop)
  • Admin accounts
  • Financial systems

Email is especially critical.

If someone gets into your email, they can often access everything else.


The Biggest Mistakes with MFA

Even when MFA is enabled, there are common gaps:

  • Not enforcing MFA for all users
  • Allowing exceptions or bypasses
  • Using weak methods (SMS only)
  • Not protecting admin accounts
  • Using two of the same factor and calling it MFA (for example, password + security questions)

MFA only works if it’s applied consistently.


The Real Takeaway

MFA is not complicated.

It’s one of the easiest ways to reduce risk across your business.

But it has to be:

  • enabled everywhere it matters
  • configured properly
  • and enforced consistently

Not sure where to start?

Read the Quick Start Guide


Need Help Getting It Right?

Most businesses think they have MFA “enabled”—but haven’t validated where it actually applies.

If you’re not sure whether MFA is fully protecting your business—or where gaps might exist—it’s worth taking a closer look.

Get a cybersecurity review