What is MFA?

MFA stands for multi-factor authentication. 

Let’s start with authentication. It is about proving who you are. In face-to-face situations you might present a photo ID to prove who you are – a “relying authority” wants to see a passport or a driving licence (for example) that is produced by some trustworthy “authentication provider” (like a government).

When it comes to a digital situation a different approach must be taken. Many systems still only require a username and password (single factor) – but this is vulnerable to many kinds of attack. By adding another factor (two-factor), security can be greatly enhanced; the second factor is usually “something you have” (like a phone) or something you are (like a biometric check) – in addition to something you know (password or PIN). Multi-factor simply refers to more than one factor (so it encompasses two factors).

Many users of Microsoft’s cloud services will have experienced MFA, if not elsewhere. There are many different approaches, but a typical experience is that after providing a password or PIN, a user receives a code on their phone or via email which must then be entered as part of the authentication process. The idea is that the second factor proves you have the phone, but it also uses a secondary channel of communication, further enhancing the security of the transaction.
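As an added illustration of the password-plus-code flow described above (not code from the original page or from Microsoft’s service), the following Python sketch shows the server-side checks a “code we sent you” second factor needs: a random single-use code with a limited lifetime, a cap on wrong guesses, and a constant-time comparison. The user names, lifetime and attempt limit are assumed values chosen for the example.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed policy: lock the challenge after repeated wrong guesses


class SecondFactorChallenge:
    """Server-side state for one 'enter the code we sent you' step."""

    def __init__(self, user, now=None):
        self.user = user
        # Six-digit code from the OS CSPRNG; never derived from anything guessable.
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.issued_at = time.time() if now is None else now
        self.attempts = 0
        self.used = False

    def verify(self, submitted, now=None):
        """Return True exactly once, for the right code, inside its lifetime."""
        now = time.time() if now is None else now
        if self.used or self.attempts >= MAX_ATTEMPTS:
            return False                      # replayed or locked-out challenge
        if now - self.issued_at > CODE_TTL_SECONDS:
            return False                      # expired: the user must request a new code
        self.attempts += 1
        # Constant-time comparison so response time does not leak how many digits matched.
        if not hmac.compare_digest(self.code.encode(), str(submitted).encode()):
            return False
        self.used = True                      # a code proves possession only once
        return True


def deliver(challenge):
    """Stand-in for the SMS / email / app-notification channel (constructed for the example)."""
    return f"[constructed message to {challenge.user}] Your sign-in code is {challenge.code}"


def sign_in(user, password_ok, challenge, submitted_code, now=None):
    """Both factors must pass: something you know (password) and something you have (the code)."""
    if not password_ok:
        return False
    return challenge.verify(submitted_code, now)
```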

MFA is built into Microsoft Entra ID (which authenticates users of Microsoft cloud services) and delivers strong authentication with a range of easy verification options – phone calls, text messages, or mobile app notifications – allowing users to choose the method they prefer. Microsoft provides MFA free and by default in all new tenants.

MFA can be implemented for sign-in by all users, or just those users who can access more sensitive data:

[Figure: What is MFA - general sign in]

It can also be used in a “step-up” manner (for example when accessing specific applications that require greater security, another factor could be required).

[Figure: What is MFA - greater security]

It should be stated that there is a strong movement towards NOT relying on just a username and password for any user.