MFA

MFA — multi-factor authentication — requires more than just a password to sign in. The factors are usually described as something you know (a password), something you have (a phone, a hardware key), and something you are (a fingerprint or face). Requiring at least two means a stolen password alone isn't enough to get in.

MFA is the single highest-impact security control most organizations can turn on, and the baseline expectation for any account that matters. The vast majority of account compromises involve credentials that had no second factor.

Not all MFA is equal. Codes sent by SMS are better than nothing but can be intercepted or phished. App-based codes (TOTP) and push approvals are stronger. Phishing-resistant methods like passkeys and FIDO2 hardware keys are stronger still, because they can't be handed to a fake login page. The direction of travel across the industry is toward phishing-resistant authentication as the requirement rather than the upgrade.