Ransomware Defenders
Cybersecurity Glossary

Multi-Factor Authentication (MFA)

A security method requiring two or more independent verification factors — something you know (password), something you have (security key), or something you are (biometric) — to verify identity before granting access.

Understanding MFA

Multi-factor authentication adds layers of verification beyond the traditional username and password. Even if an attacker obtains a user's password through phishing, credential stuffing, or data breaches, they cannot access the account without the additional factor. MFA is considered the single most effective control for preventing credential-based attacks — Microsoft reports that MFA blocks over 99.9% of account compromise attempts. For ransomware defense, MFA is critical because compromised credentials are one of the top initial access vectors.

MFA methods vary significantly in security strength. SMS-based codes and authenticator app TOTP codes are better than no MFA but can be phished using adversary-in-the-middle (AiTM) attacks. Push notifications are vulnerable to MFA fatigue attacks (repeated prompts until the user approves). Phishing-resistant MFA methods, namely FIDO2 security keys (like YubiKeys) and passkeys, are cryptographically bound to the legitimate site domain and cannot be intercepted or replayed. For administrator accounts and high-value targets, phishing-resistant MFA should be mandatory.
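
The difference in domain binding described above, shown from the verifying server's side. This is an added example, not code from this glossary or from any vendor: the domain names, key and challenge values are constructed, an HMAC stands in for the authenticator's public-key signature, and the authenticator data is reduced to the RP ID hash alone.

```python
import hashlib
import hmac
import json
import struct

# All names and values below are constructed for this example.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"
DEVICE_KEY = b"demo-authenticator-key"  # HMAC stand-in for the credential key pair


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    # The server sees only digits: nothing records where the user typed them.
    return hmac.compare_digest(totp(secret, unix_time), submitted)


def browser_assertion(origin: str, challenge: str):
    """Model of browser + authenticator output; the browser, not the page, sets origin."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    auth_data = hashlib.sha256(origin.split("://", 1)[1].encode()).digest()  # rpIdHash only
    signed = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()


def verify_assertion(client_data: bytes, auth_data: bytes, sig: bytes, challenge: str) -> str:
    """Relying-party checks, in order; returns "ok" or the first failure."""
    signed = auth_data + hashlib.sha256(client_data).digest()
    if not hmac.compare_digest(sig, hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()):
        return "bad signature"
    fields = json.loads(client_data)
    if fields.get("type") != "webauthn.get":
        return "wrong type"
    if fields.get("challenge") != challenge:
        return "challenge mismatch"
    if fields.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    return "ok"
```

A TOTP code verifies the same way no matter which page collected it, while an assertion produced on any origin other than the expected one is rejected, and editing the signed origin afterwards invalidates the signature.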

MFA and Ransomware Prevention

Deploying MFA across your organization is one of the highest-impact security investments you can make. Prioritize: all remote access (VPN, ZTNA, cloud applications), all administrator accounts (domain admins, backup admins, cloud admins), email accounts (the gateway to credential resets and BEC), and any system that accesses sensitive data. MFA should be enforced through conditional access policies that also evaluate device health, location, and behavior — not just presented as an optional enrollment for users.
