🔒 Cybersecurity

Why Multi-Factor Authentication Matters for Account Security

Most of us have set up an authenticator app at some point, usually for a work account. It feels like an extra step, but MFA is one of the most effective security controls available. It's worth using it for personal accounts too, not just work.

Passwords get compromised all the time through breaches, phishing and credential stuffing. Often the account owner has no idea until something goes wrong. Multi-Factor Authentication (MFA) ensures that a stolen password on its own is useless to an attacker.

  • 99.9% of automated account attacks blocked by MFA (Microsoft)
  • 80% of breaches involve compromised credentials
  • 30s is all it takes to set up an authenticator app on most accounts

What is MFA?

🔐 The Basics

Multi-Factor Authentication requires you to prove your identity using two or more independent factors before granting access. These factors fall into three categories:

  • 🧠 Something you know (Knowledge): password, PIN, security question
  • 📱 Something you have (Possession): authenticator app, hardware token, SMS code
  • 👁️ Something you are (Inherence): fingerprint, face ID, iris scan

MFA requires at least two of these factors from different categories. A password plus a PIN is not MFA: both are "something you know". A password plus an authenticator app code is MFA: one from knowledge, one from possession.

ℹ️ MFA vs 2FA
You'll often see 2FA (Two-Factor Authentication) and MFA used interchangeably. 2FA is technically a subset of MFA: it uses exactly two factors, whereas MFA can use two or more. In practice, most consumer implementations are 2FA.

How MFA Works, Step by Step

⚙️ The Process

1. Enter your username and password
   The first factor, something you know. Standard login credentials. If the password is correct, the system moves to the second step rather than granting access immediately.
2. Prompted for a second factor
   The system requests a second form of verification. This could be a code from your authenticator app, a push notification sent to your phone, a hardware token, or a biometric scan, depending on what's configured.
3. Provide the second factor
   You enter the code shown in your authenticator app, approve the push notification, or tap your hardware key. The system verifies this against what it expects; for TOTP codes, it checks the time-based value generated by your device against the value it computes from the same shared secret and the current time.
4. Access granted, or denied
   Both factors verified → access granted. Second factor wrong or missing → access denied, even if the password was correct. This is why MFA is so effective: a stolen password alone gets an attacker nothing.
5. Adaptive security checks (optional)
   Some systems add intelligence on top, prompting for extra verification when a login comes from an unfamiliar device, unusual location, or outside business hours. Microsoft Entra ID's Conditional Access policies work this way.

MFA Methods, Compared

📊 All Methods

Not all MFA is equal. Here's every common method, how it works, and how secure it actually is:

💬 SMS or Email Codes (⚠ Low Security)
A one-time code sent to your phone or inbox

A verification code is sent to your mobile number or email address each time you log in. You enter the code alongside your password to complete authentication. It's the most widely supported method and requires no additional app.

⚠️ Vulnerable to SIM swapping: attackers can convince your mobile carrier to transfer your number to a SIM they control, intercepting all future codes. Email codes are similarly risky if your email is compromised. Use a better method where possible.
📲 Authenticator Apps (TOTP) (✓ High Security)
Time-based one-time codes generated on your device

Apps like Microsoft Authenticator, Google Authenticator, and Authy generate Time-based One-Time Passwords (TOTP) that refresh every 30 seconds. The code is generated entirely on your device from a shared secret and the current time; no code is delivered to you over the network, making it far more resistant to interception than SMS.

Recommended for most users. Works offline, no SIM required, immune to SIM swapping. The code is only valid for 30 seconds so even if captured it's useless almost immediately.
Apps: Microsoft Authenticator · Google Authenticator · Authy · Bitwarden Authenticator
🔔 Push Notifications (✓ High Security)
Approve or deny login with a single tap

When you attempt to log in, a push notification is sent to your registered smartphone. You approve the attempt with a single tap, or deny it if it wasn't you. It's the most user-friendly MFA method and requires no code entry. Microsoft Authenticator uses this for M365 accounts by default.

⚠️ MFA fatigue attacks: attackers repeatedly trigger push notifications hoping the user approves one out of frustration. Microsoft Entra now requires number matching (you type a number shown on the login screen into the app) to counter this.
🔑 Hardware Tokens (Security Keys) (★ Highest Security)
Physical device: YubiKey, FIDO2 keys

A physical security key, most commonly a YubiKey, plugs into a USB port or taps via NFC. Authentication is cryptographic and bound to the specific website, making it completely immune to phishing. Even if an attacker tricks you into entering credentials on a fake site, the hardware key won't authenticate to it.

Best for high-value accounts (executives, admin accounts, financial systems). Phishing-resistant by design. Supported by Microsoft 365, Google, GitHub, and most major services via FIDO2/WebAuthn.
👆 Biometrics (✓ High Security)
Fingerprint, Face ID, iris scan

Biometric authentication uses your unique physical characteristics (fingerprint, facial geometry, or iris pattern) to verify your identity. On modern devices this is handled entirely on-device (Windows Hello, Apple Face ID, Android fingerprint), meaning your biometric data is never transmitted to or stored on a remote server.

Convenient and fast. On Windows, Windows Hello provides biometric login to Microsoft 365 and other accounts without ever transmitting biometric data off-device.
📈 Behavioural Biometrics (~ Supplementary)
Typing patterns, mouse movements, device habits

Rather than an active verification step, behavioural biometrics continuously analyse patterns in how you interact with a device: typing rhythm, mouse movement speed, how you hold your phone. Anomalies trigger additional verification. It's typically used as a supplementary layer in enterprise security platforms rather than as a standalone MFA method.

Where to Enable MFA First

✅ Priority Order

If you're enabling MFA across your accounts for the first time, start with the highest-impact accounts:

  1. Email account: your email resets every other password. It's the master key. Protect it first.
  2. Microsoft 365 / work accounts: access to business data, email, Teams, SharePoint. High value target for attackers.
  3. Password manager: if an attacker gets in here, they get everything. Non-negotiable.
  4. Banking and financial accounts: direct financial risk. Enable MFA on every bank account and payment app.
  5. Social media: account takeovers are used for fraud, reputation attacks, and further social engineering.
  6. Everything else: any account with personal data, payment details, or that could be used to compromise another account.

Microsoft 365: enable MFA for all users
In Microsoft Entra ID (formerly Azure AD), go to Security → Authentication methods to configure MFA policies for your tenant. Use Conditional Access to enforce MFA based on risk level, location, or device compliance, rather than a blanket always-prompt approach that leads to MFA fatigue.
⚠️ Save your backup codes
When you set up MFA, most services provide one-time backup codes. Save these somewhere secure, ideally printed or stored in your password manager. If you lose access to your authenticator app (phone lost, stolen, or broken), backup codes are your only way back into your account.

Jack Davies
IT Engineer · M365 & Intune Specialist

Jack is an IT Technical Engineer based in the UK, working day-to-day with Microsoft 365, Intune, and Entra ID across a range of businesses. He holds the MS-900 certification and is studying for a BSc in Cyber Security through the Open University. Outside of work he builds and documents home lab projects, writes guides on this site, and takes on M365 consulting work for small businesses.
