MFA stands for multi-factor authentication.
Let’s start with authentication. It is about proving who you are. In face-to-face situations you might present photo ID to prove who you are – a “relying authority” wants to see a passport or driving licence (for example) that is produced by some trustworthy “authentication provider” (like a government).
When it comes to a digital situation a different approach must be taken. Many systems still only require a username and password (single factor) – but this is vulnerable to many kinds of attack. By adding another factor (two factor), security can be greatly enhanced; the second factor is usually “something you have” (like a phone), or something you are (like a biometric check) – in addition to something you know (password or PIN). Multi-factor simply refers to more than one factor (so it encompasses two factor).
Many users of Microsoft’s cloud services will by now have experienced MFA, if not elsewhere. There are many different approaches, but a typical experience is that after providing a password or PIN, a user receives a code on their phone or via email which must then be entered as part of the authentication process. The idea is that the second factor, proves you have the phone, but also to use a secondary channel of communication, further enhancing the security of the transaction.
In Azure Active Directory (which authenticates users of Microsoft cloud services), MFA is built-in, and delivers strong authentication with a range of easy verification options – phone call, text message, or mobile app notification – allowing users to choose the method they prefer. Microsoft has announced that MFA will be implemented for free and by default in all new tenants.
MFA can be implemented for sign-in by all users, or just those users who can access more sensitive data:
It can also be used in a “step-up” manner (for example when accessing specific applications that require greater security, another factor could be required).
It should be stated that there is a strong movement towards NOT relying on just username and password for any user.