GLOSSARY · Identity & MFA
Multi-Factor Authentication MFA
Login requirement that combines something you know (password) with something you have (phone, hardware key) or are (biometric). Single most effective control for stopping credential-stuffing and phishing attacks.
Detailed definition
Multi-Factor Authentication stops credential theft from automatically becoming account takeover. The premise is simple: a password alone can be phished, guessed, or leaked, but combining it with a second factor that an attacker can’t easily replay raises the bar from “trivial” to “expensive enough to skip and find an easier target”.
The factor categories
The “multi-factor” framing comes from three categories — a real MFA implementation combines two from different categories, not two of the same.
- Something you know — a password, a PIN, an answer to a question
- Something you have — your phone receiving a push notification, a hardware security key, a TOTP authenticator app
- Something you are — fingerprint, face, voice
The methods, ranked by strength
| Method | Strength | Tradeoff |
|---|---|---|
| SMS one-time code | Weak | Vulnerable to SIM swapping; better than nothing |
| TOTP app (Google Authenticator, Authy) | Medium | Codes can be phished if user pastes them into a fake page |
| Push notification (Duo, Microsoft Authenticator) | Medium-Strong | Vulnerable to “MFA fatigue” — attacker spams pushes hoping user approves |
| Phish-resistant push (number matching, biometric) | Strong | What we deploy by default; the user must verify a number, not just tap “approve” |
| Hardware security key (YubiKey) / Passkeys | Strongest | Phish-resistant cryptography. The future of authentication. |
Why we push MFA on everything
The single biggest leverage point in SMB security is this: enable MFA on every administrative account, every email account, every cloud account, every VPN, every remote access path. The data is overwhelming — Microsoft’s own analysis shows MFA blocks 99%+ of account compromise attacks at the credential layer.
We deploy MFA universally through Duo, configured with phish-resistant methods and tight device-trust policies. See the Duo MFA service page for the deployment pattern.
HOW WE HELP
Related Bytes Unlimited services
AUTHORITATIVE SOURCES
External references
Need help applying MFA to your business?
We've done this kind of work across New York. First conversation is free.