Skip to main content

GLOSSARY · Identity & MFA

Multi-Factor Authentication MFA

Login requirement that combines something you know (password) with something you have (phone, hardware key) or are (biometric). Single most effective control for stopping credential-stuffing and phishing attacks.

Detailed definition

Multi-Factor Authentication stops credential theft from automatically becoming account takeover. The premise is simple: a password alone can be phished, guessed, or leaked, but combining it with a second factor that an attacker can’t easily replay raises the bar from “trivial” to “expensive enough to skip and find an easier target”.

The factor categories

The “multi-factor” framing comes from three categories — a real MFA implementation combines two from different categories, not two of the same.

  1. Something you know — a password, a PIN, an answer to a question
  2. Something you have — your phone receiving a push notification, a hardware security key, a TOTP authenticator app
  3. Something you are — fingerprint, face, voice

The methods, ranked by strength

MethodStrengthTradeoff
SMS one-time codeWeakVulnerable to SIM swapping; better than nothing
TOTP app (Google Authenticator, Authy)MediumCodes can be phished if user pastes them into a fake page
Push notification (Duo, Microsoft Authenticator)Medium-StrongVulnerable to “MFA fatigue” — attacker spams pushes hoping user approves
Phish-resistant push (number matching, biometric)StrongWhat we deploy by default; the user must verify a number, not just tap “approve”
Hardware security key (YubiKey) / PasskeysStrongestPhish-resistant cryptography. The future of authentication.

Why we push MFA on everything

The single biggest leverage point in SMB security is this: enable MFA on every administrative account, every email account, every cloud account, every VPN, every remote access path. The data is overwhelming — Microsoft’s own analysis shows MFA blocks 99%+ of account compromise attacks at the credential layer.

We deploy MFA universally through Duo, configured with phish-resistant methods and tight device-trust policies. See the Duo MFA service page for the deployment pattern.

RELATED TERMS

Need help applying MFA to your business?

We've done this kind of work across New York. First conversation is free.