What Is Multi-Factor Authentication (MFA)?
Multi-factor authentication requires users to verify their identity with two or more factors before accessing a system. It is the single most effective security control a business can implement, blocking over 99% of automated account compromise attacks.
Direct Answer
Multi-factor authentication (MFA) is a security measure that requires users to provide two or more verification factors to access an account or system. The factors are: something you know (password), something you have (phone, security key), and something you are (fingerprint, face). MFA prevents attackers from accessing accounts even if they have stolen the password. It is now a minimum requirement for cyber insurance, Cyber Essentials certification, and most compliance frameworks.
MFA Methods Explained
Different MFA methods offer different levels of security and usability.
Authenticator App
Apps like Microsoft Authenticator generate time-based one-time codes on the device itself. They are more secure than SMS and work offline. Recommended for most businesses.
SMS Codes
A one-time code sent via text message. Better than no MFA, but vulnerable to SIM-swapping attacks. Use it as a fallback, not as the primary method.
Hardware Security Keys
Physical devices (FIDO2/WebAuthn) that plug into USB or use NFC. The most secure MFA method — phishing-resistant and tamper-proof.
Biometric
Fingerprint or facial recognition on devices. Convenient and secure when combined with device-based authentication.
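To make "generate time-based codes" concrete, here is an added example (not code from the original page or from AMVIA) of how an authenticator app derives its codes under RFC 6238 TOTP, built on RFC 4226 HOTP, together with the server-side check that accepts a small clock-drift window. It uses only the Python standard library, so it runs offline just as the app does. The function names `hotp`, `totp` and `verify_totp` are this example's own; the secret is the RFC 6238 test-vector secret so the output can be checked against the RFC.

```python
# Added example (not from the original page): how an authenticator app derives
# its time-based codes, per RFC 6238 TOTP on top of RFC 4226 HOTP. Standard
# library only, so it runs offline exactly as the app does.
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # seconds per code (the usual default)
DIGITS = 6

# The shared secret from RFC 6238's test vectors ("12345678901234567890" in
# base32), used here so the output can be checked against the RFC. A real
# deployment generates a random per-user secret at enrolment and never reuses it.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_time: float, step: int = TIME_STEP) -> str:
    """TOTP is HOTP with the counter set to the current time step (unix_time // 30)."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, int(at_time // step))


def verify_totp(secret_b32: str, submitted: str, at_time: float,
                window: int = 1, step: int = TIME_STEP) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either
    side to absorb clock drift, and compares in constant time."""
    secret = base64.b32decode(secret_b32, casefold=True)
    current = int(at_time // step)
    return any(
        hmac.compare_digest(hotp(secret, counter), submitted)
        for counter in range(current - window, current + window + 1)
    )


if __name__ == "__main__":
    print("code now:", totp(RFC_TEST_SECRET_B32, time.time()))
    # RFC 6238 vector: at T=59 the 8-digit SHA-1 code is 94287082, so 6 digits give 287082.
    print("T=59:", totp(RFC_TEST_SECRET_B32, 59))
```

The drift window is why a code still works for a few seconds after it changes on screen; a production verifier would also remember the last accepted time step per user and refuse a second use of the same step, so a code seen once cannot be submitted again inside the window.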
MFA Methods Compared
Security and usability trade-offs across common MFA methods.
| Feature | SMS (Basic) | Auth App (Recommended) | Security Key (Highest security) |
|---|---|---|---|
| Phishing resistant | No | Partial | Yes |
| Works offline | No | Yes | Yes |
| SIM-swap resistant | No | Yes | Yes |
| User convenience | High | High | Medium |
| Cost per user | Free | Free | £20–£50 |
| Meets Cyber Essentials | Yes | Yes | Yes |
Frequently Asked Questions
Sophisticated attacks such as adversary-in-the-middle (AitM) phishing and MFA fatigue (repeatedly sending push notifications until a user approves) can bypass certain MFA methods. SMS-based MFA is vulnerable to SIM swapping. Hardware security keys and number-matching push notifications are the most resistant to bypass. With 85% of businesses that experienced a breach identifying phishing as the vector (DSIT 2025), combining phishing-resistant MFA with email security provides the strongest defence.
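The reason a FIDO2/WebAuthn security key resists adversary-in-the-middle phishing, while a typed one-time code does not, is that the key signs the browser's real origin and a server-issued challenge rather than producing a code the user can retype anywhere. The following added example (not code from the original page or from any WebAuthn library) walks through that exchange for the "Hardware Security Keys" method above and the AitM bypass described in this answer. The payload follows the WebAuthn shape (a `clientDataJSON` carrying `type`, `challenge` and `origin`, plus rpId scoping), but the credential's ECDSA key pair is replaced by an HMAC key so it runs with the standard library; that substitution, and the function names `register`, `authenticator_sign`, `rp_verify` and `demo`, are this example's own.

```python
# Added example (not from the original page or any WebAuthn library): why a
# FIDO2/WebAuthn security key resists adversary-in-the-middle phishing while a
# typed one-time code does not. The signed payload follows the WebAuthn shape
# (clientDataJSON with type, challenge and origin, plus rpId scoping), but the
# per-credential ECDSA key pair is replaced by an HMAC key so the block runs
# with the standard library only; that substitution is the one simplification.
import hashlib
import hmac
import json
import secrets

# Constructed registry of enrolled credentials: id -> {rp_id, user, key}.
CREDENTIALS = {}


def register(rp_id: str, user: str) -> str:
    """Enrolment: the key creates a credential scoped to rp_id (a registrable domain)."""
    cred_id = secrets.token_hex(8)
    CREDENTIALS[cred_id] = {"rp_id": rp_id, "user": user, "key": secrets.token_bytes(32)}
    return cred_id


def _host_of(origin: str) -> str:
    return origin.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]


def _sign(key: bytes, client_data: bytes) -> str:
    # Stand-in for the authenticator's signature over authenticatorData || SHA-256(clientDataJSON).
    return hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).hexdigest()


def authenticator_sign(cred_id: str, browser_origin: str, challenge: str) -> dict:
    """Browser + security key side. The browser, not the web page, writes the
    real origin into clientDataJSON, and it only offers the credential if its
    rpId matches the origin's host (rpId scoping)."""
    cred = CREDENTIALS[cred_id]
    host = _host_of(browser_origin)
    if host != cred["rp_id"] and not host.endswith("." + cred["rp_id"]):
        raise PermissionError(f"credential scoped to {cred['rp_id']} not usable from {browser_origin}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        separators=(",", ":"),
    ).encode()
    return {"credential_id": cred_id, "client_data": client_data, "signature": _sign(cred["key"], client_data)}


def rp_verify(assertion: dict, expected_origin: str, issued_challenge: str) -> bool:
    """Relying-party side: challenge must be the one just issued, origin must be
    ours, and the signature must verify under the enrolled credential."""
    cred = CREDENTIALS.get(assertion["credential_id"])
    if cred is None:
        return False
    client = json.loads(assertion["client_data"])
    if client.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(str(client.get("challenge", "")), issued_challenge):
        return False
    if client.get("origin") != expected_origin:
        return False
    return hmac.compare_digest(_sign(cred["key"], assertion["client_data"]), assertion["signature"])


def demo() -> dict:
    """Three scenarios; returns which were accepted by the relying party."""
    cred = register("example.com", "alice")
    rp_origin = "https://login.example.com"
    challenge = secrets.token_urlsafe(32)

    # 1. Genuine login from the real site.
    genuine = rp_verify(authenticator_sign(cred, rp_origin, challenge), rp_origin, challenge)

    # 2. AitM phishing: a proxy on a look-alike domain relays the real challenge
    #    to the victim. The browser sees the look-alike origin, so the key refuses.
    try:
        authenticator_sign(cred, "https://login.example-support.com", challenge)
        phished = True
    except PermissionError:
        phished = False

    # 3. Replay: an assertion captured earlier is resubmitted after the server
    #    has issued a fresh challenge.
    stale = authenticator_sign(cred, rp_origin, challenge)
    replayed = rp_verify(stale, rp_origin, secrets.token_urlsafe(32))

    return {"genuine": genuine, "phished": phished, "replayed": replayed}


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'phished': False, 'replayed': False}
```

Compare this with an SMS or authenticator-app code: the user types six digits into whatever page is in front of them, so a proxy on a look-alike domain can forward the code to the real site within the 30-second window and the server has no way to tell where it was typed. With a security key there is nothing to retype, the origin is recorded by the browser, and the relying party rejects anything not signed for its own origin and its own single-use challenge.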
Prioritise administrator accounts, email accounts, remote access (VPN and RDP), financial systems, and cloud service dashboards. These are the accounts attackers target first because they provide the broadest access. With 22% of breaches involving compromised credentials (Verizon DBIR 2025), securing high-privilege accounts with MFA immediately reduces your organisation's most exploitable attack surface.
Insurers mandate MFA because it eliminates the majority of credential-based attacks, which are among the most common and costly claim triggers. Policies increasingly specify that MFA must be active on email, VPN, and cloud services as a coverage condition. The average cost of the most disruptive breach is £3,550 (DSIT 2025), and insurers have found that MFA-enabled organisations generate significantly fewer and less severe claims.
Deploy MFA Across Your Business
AMVIA can deploy and manage MFA across your organisation — Microsoft 365, VPN, cloud apps, and more.