The Plain English Version
Multi-factor authentication (MFA) requires two or more ways to prove your identity when logging in. Instead of just a password, you also need something else - like a code from your phone, a fingerprint, or a hardware key.
Think of it like a bank vault that needs both a key and a combination. Even if someone steals your password, they cannot get in without the second factor.
The Three Factors
Something you know: Password, PIN, security question
Something you have: Phone, hardware token, smart card
Something you are: Fingerprint, face recognition, voice
True MFA uses factors from at least two different categories.
Why MFA Is Non-Negotiable
Passwords get stolen constantly - through phishing, data breaches, or weak choices. Microsoft reports that MFA blocks 99.9% of automated account attacks. It is the single most effective thing you can do to protect accounts.
Without MFA, a stolen password gives attackers full access. With MFA, they hit a wall.
Types of MFA
- Authenticator apps - Apps such as Microsoft Authenticator or Google Authenticator generate time-based one-time codes. Free and effective.
- SMS codes - Better than nothing, but vulnerable to SIM swapping. Use app-based codes where possible.
- Hardware keys - Physical devices like YubiKey. Most secure option for high-value accounts.
- Push notifications - Approve login requests on your phone. Convenient, but watch for MFA fatigue attacks (repeated bogus prompts sent until a tired user approves one). Never approve a prompt for a login you did not start.
- Biometrics - Fingerprint or face recognition. Often used as device unlock combined with another factor.
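The codes produced by authenticator apps above follow the TOTP standard (RFC 6238, built on RFC 4226 HOTP). The following is an added example, not code from the original page: it implements code generation and the server-side check, using the RFC's published reference secret as a constructed demo value and accepting one 30-second window of clock drift while refusing to accept a code twice.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo value: the RFC 4226/6238 reference secret, base32-encoded.
# A real enrolment generates a fresh random secret for every user.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the current 30-second time window."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                last_used_counter: int, step: int = 30, skew: int = 1):
    """Server-side verification. Returns (accepted, counter_to_store).

    - accepts the current window plus `skew` windows either side (phone clock drift)
    - refuses any window at or before the last accepted one, so a code that was
      phished or intercepted cannot be replayed within its validity period
    - compares in constant time to avoid leaking digits via timing
    """
    current = unix_time // step
    for counter in range(current - skew, current + skew + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 vectors give 94287082 (8 digits) -> 287082 (6 digits)
    print(totp(DEMO_SECRET_B32, 59))
    print(verify_totp(DEMO_SECRET_B32, "287082", 59, last_used_counter=0))   # accepted
    print(verify_totp(DEMO_SECRET_B32, "287082", 59, last_used_counter=1))   # replay refused
```

The stored counter is what makes the replay check work: after a successful login the server must persist the returned counter alongside the user's secret.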
Where to Enable MFA First
Prioritise these first:
- Email accounts (the master key to everything else)
- Microsoft 365 or Google Workspace
- Banking and financial services
- Any admin or privileged accounts
- VPN and remote access
- Password managers
Cyber Essentials now requires MFA for cloud services and remote access.