
Security Awareness

What is Multi-Factor Authentication?

How adding a second step to your login blocks nearly every automated attack — and why it’s the most important security upgrade you can make today.

The Basics

What is Multi-Factor Authentication?

Multi-Factor Authentication (MFA) is a security method that requires two or more pieces of evidence — or “factors” — to prove who you are before signing into an account. Instead of relying on a password alone, MFA adds a second checkpoint that an attacker can’t easily bypass.

The three categories of authentication factors are something you know (a password or PIN), something you have (a phone, app, or security key), and something you are (a fingerprint or face scan). Combining two factors from different categories makes your accounts dramatically harder to break into.

Why it matters

Microsoft has reported that MFA blocks over 99.9% of automated account takeover attacks. With billions of stolen credentials freely available on the dark web, a password alone is rarely enough. MFA is the single highest-impact security upgrade most small businesses can make — and it takes less than five minutes per account.


Types of MFA

Not all MFA is equally strong

Different MFA methods offer very different levels of protection. Here’s how the most common ones stack up:

SMS / Voice Codes

A code sent by text or call. Easy and widely supported — but vulnerable to SIM-swap attacks where criminals hijack your phone number.

Authenticator Apps

Apps like Microsoft Authenticator, Google Authenticator, or Duo generate a 6-digit code that changes every 30 seconds.

Push Notifications

Instead of typing a code, you approve or deny the sign-in from your phone. Fast and convenient, but watch for “MFA fatigue” attacks.

Security Keys & Passkeys

Hardware keys like YubiKey, or passkeys on your device. The strongest option — phishing-resistant by design.

Choose the strongest method available

If a service offers multiple MFA options, pick the strongest one you’ll actually use every day. Hardware keys and passkeys are the gold standard, authenticator apps are a solid default, and SMS should be a last resort — better than nothing, but the weakest of the common options.


How It Works

Approving a sign-in — annotated

Here’s what an MFA push notification looks like, and what to check before tapping Approve:

  [Microsoft Authenticator]                          2:14 PM

  Approve sign-in?

  Location        Lafayette, LA   (Match)
  Device          MacBook Pro — Safari
  Request time    2:14 PM CDT

  [ Deny ]    [ Approve ]


Before approving, verify that the location and device match where you really are and what you are signing in from. If anything looks off, tap Deny.

Behind the scenes: after you enter your password, the service sends an approval request to your registered device. The sign-in only completes when you physically confirm the prompt on your phone. Even if an attacker has your password, they can’t get in without your phone in hand — and you get an immediate heads-up that someone is trying.

Watch out for MFA Fatigue

If you get MFA prompts you didn’t trigger — especially a rapid-fire flood of them — always tap Deny, then immediately change your password and report it to your IT team. Attackers use prompt-bombing to wear you down into approving by accident.
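On the IT side, a prompt-bombing attempt is visible in the authentication log as a burst of push prompts for one user, often ending in an Approve. The detection below is an added example written for this article, not a feature of Microsoft Authenticator or any identity provider; the log lines are constructed, the "timestamp user event" format is assumed, and the threshold (more than 3 prompts in 2 minutes) is an assumed starting point to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real tenant). Format assumed for this
# example: "<ISO-8601 UTC timestamp> <user> <event>", event in push_sent/push_denied/push_approved.
SAMPLE_LOG = """\
2024-05-01T14:10:02Z alice push_sent
2024-05-01T14:10:09Z alice push_denied
2024-05-01T14:10:15Z alice push_sent
2024-05-01T14:10:22Z alice push_denied
2024-05-01T14:10:30Z alice push_sent
2024-05-01T14:10:41Z alice push_sent
2024-05-01T14:10:55Z alice push_sent
2024-05-01T14:11:03Z alice push_approved
2024-05-01T14:12:00Z bob push_sent
2024-05-01T14:12:07Z bob push_approved
2024-05-01T16:30:00Z bob push_sent
2024-05-01T16:30:05Z bob push_approved
"""


def parse_line(line: str):
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def detect_prompt_bombing(log_text: str, max_prompts: int = 3,
                          window: timedelta = timedelta(minutes=2)) -> dict:
    """Flag any user who received more than `max_prompts` push prompts inside `window`.

    Returns {user: {"prompts_in_window": n, "approved_after_burst": bool}}. The second field
    is the case responders care about most: the flood ended with an Approve, so the session
    that followed should be treated as suspect, not just the prompts themselves.
    """
    sent, approved = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event = parse_line(line)
        if event == "push_sent":
            sent[user].append(ts)
        elif event == "push_approved":
            approved[user].append(ts)

    alerts = {}
    for user, times in sent.items():
        times.sort()
        start, peak, peak_end = 0, 0, None
        for end, t in enumerate(times):          # sliding window over prompt timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 > peak:
                peak, peak_end = end - start + 1, t
        if peak > max_prompts:
            after_burst = any(peak_end <= a <= peak_end + window for a in approved[user])
            alerts[user] = {"prompts_in_window": peak, "approved_after_burst": after_burst}
    return alerts


if __name__ == "__main__":
    for user, info in detect_prompt_bombing(SAMPLE_LOG).items():
        print(f"ALERT {user}: {info['prompts_in_window']} prompts in 2 min; "
              f"approved after burst: {info['approved_after_burst']}")
```

In the sample, alice gets five prompts in under a minute and then approves, which is exactly the "worn down" outcome the text warns about; bob's two normal sign-ins, hours apart, stay quiet. An alert with approved_after_burst set is a reason to reset the password and revoke the session, not just to notify the user.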


Why It Matters

What MFA protects against

Turning on MFA takes minutes and prevents most attacks before they start:

  • Blocks 99.9% of automated attacks — per Microsoft’s analysis of real-world account takeovers.

  • Neutralizes stolen passwords — even if your password leaks in a breach, attackers still can’t sign in without the second factor.

  • Early warning system — an unexpected MFA prompt means someone has your password and is trying to use it.

  • Required for cyber insurance — most modern policies won’t cover businesses that don’t enforce MFA.

  • Required for compliance — HIPAA, PCI-DSS, the FTC Safeguards Rule, and most security frameworks now mandate MFA.

  • Quick to set up — most services enable it in under five minutes per account.

  • Free on most platforms — Microsoft 365, Google Workspace, banks, and major SaaS apps include MFA at no extra cost.

  • Works everywhere you do — on your phone, laptop, tablet, and from any location.

The Bottom Line

MFA is the single highest-return security upgrade most small businesses can make. It turns a stolen password into a useless string of characters — and stops the majority of cyberattacks before they ever get started.


Getting Started

How to turn on MFA

1. Start with your critical accounts. Email first, then banking, payroll, your password manager, and any admin accounts. These are the accounts attackers want most.

2. Pick the strongest method the service supports. Use a hardware key or passkey if available, an authenticator app as your default, and only fall back to SMS when nothing else is offered.

3. Save your backup codes. When you enroll, you’ll typically get a set of recovery codes — store them in your password manager or a locked drawer. They’re your lifeline if you lose your phone.

4. Register a second method. Add a backup authenticator on a second device — like a tablet — so a lost or broken phone doesn’t lock you out of everything.

5. Enforce it across your team. Work with your IT provider to require MFA on every company account. Conditional access policies in Microsoft 365 or Google Workspace can make this seamless for your whole business.


Questions? Contact Megabyte IT Solutions
KB-SEC-006 · Security Awareness