---
title: "What Is MFA? Multi-Factor Authentication | Bytes Unlimited"
description: "Multi-Factor Authentication (MFA) requires a second proof of identity beyond a password — the single most effective control against credential theft. Compare SMS, app, push, and passkey methods."
canonical: https://www.bytesunlimited.com/glossary/mfa/
---

 GLOSSARY · Identity & MFA 

#  Multi-Factor Authentication MFA 

 Login requirement that combines something you know (password) with something you have (phone, hardware key) or are (biometric). Single most effective control for stopping credential-stuffing and phishing attacks. 

## Detailed definition

**Multi-Factor Authentication** stops credential theft from automatically becoming account takeover. The premise is simple: a password alone can be phished, guessed, or leaked, but combining it with a second factor that an attacker can’t easily replay raises the bar from “trivial” to “expensive enough to skip and find an easier target”.

## The factor categories

The “multi-factor” framing comes from three categories — a real MFA implementation combines two from different categories, not two of the same.

1. **Something you know** — a password, a PIN, an answer to a question
2. **Something you have** — your phone receiving a push notification, a hardware security key, a TOTP authenticator app
3. **Something you are** — fingerprint, face, voice

## The methods, ranked by strength

| Method                                                            | Strength      | Tradeoff                                                                         |
| ----------------------------------------------------------------- | ------------- | -------------------------------------------------------------------------------- |
| SMS one-time code                                                 | Weak          | Vulnerable to SIM swapping; better than nothing                                  |
| TOTP app (Google Authenticator, Authy)                            | Medium        | Codes can be phished if user pastes them into a fake page                        |
| Push notification (Duo, Microsoft Authenticator)                  | Medium-Strong | Vulnerable to “MFA fatigue” — attacker spams pushes hoping user approves         |
| Phish-resistant push (number matching, biometric)                 | Strong        | What we deploy by default; the user must verify a number, not just tap “approve” |
| Hardware security key (YubiKey) / [Passkeys](/glossary/passkeys/) | Strongest     | Phish-resistant cryptography. The future of authentication.                      |

## Why we push MFA on everything

The single biggest leverage point in SMB security is this: **enable MFA on every administrative account, every email account, every cloud account, every VPN, every remote access path**. The data is overwhelming — Microsoft’s own analysis shows MFA blocks 99%+ of account compromise attacks at the credential layer.

We deploy MFA universally through Duo, configured with phish-resistant methods and tight device-trust policies. See the [Duo MFA service page](/services/duo-mfa/) for the deployment pattern.

HOW WE HELP

## Related Bytes Unlimited services

* [ Duo MFA Duo multi-factor authentication rollout — app and hardware token enrollment, policy tuning, and end-user training.](/services/duo-mfa/)
* [ Security & Compliance PCI DSS, HIPAA, and general security posture work. Endpoint protection, MFA, awareness training, audit-ready documentation.](/services/security/)

RELATED TERMS

## See also

* [ SSO ](/glossary/sso/)
* [ WebAuthn ](/glossary/passkeys/)
* [ ZTNA ](/glossary/ztna/)

AUTHORITATIVE SOURCES

## External references

* [ CISA — Multi-Factor Authentication Guidance  (opens in new tab) ](https://www.cisa.gov/topics/cybersecurity-best-practices/multi-factor-authentication)

##  Need help applying MFA to your business? 

 We've done this kind of work across New York. First conversation is free. 

[ Get In Touch ](/contact/) [ Back to Glossary ](/glossary/)

## Sitemap

- [Site map](https://www.bytesunlimited.com/sitemap.md)
- [llms.txt](https://www.bytesunlimited.com/llms.txt)
- [Canonical URL list](https://www.bytesunlimited.com/sitemap.xml)
