Multi-factor authentication (MFA) requires a user to provide two or more forms of verification to sign in to an account, rather than a password alone. Typically this combines something the user knows, a password, with something the user has, such as a code generated by a mobile app or a physical security key. Because a stolen or guessed password alone is no longer enough to access an account, MFA is one of the most effective controls a business can put in place against account compromise.
How multi-factor authentication works
After entering a password, a user is prompted for a second factor, commonly a push notification approved through the Microsoft Authenticator app, a time-based code, or a hardware security key. Within Microsoft Entra ID, MFA can be enforced for all sign-ins or applied selectively through Conditional Access policies, such as only requiring the extra step when signing in from an unrecognised location or device.
Multi-factor authentication in practice
- A business enforces MFA for all staff accessing Microsoft 365, blocking the vast majority of attempted account takeovers from stolen or leaked passwords.
- An IT team uses Conditional Access to require MFA only when a sign-in attempt comes from outside the office network, reducing friction for staff working from a trusted location.
- A company moves staff from SMS-based MFA codes to the Microsoft Authenticator app, improving security against SIM-swapping attacks that can intercept text messages.
- A finance team requires MFA specifically for access to sensitive financial systems, even where general email access uses a lighter-touch policy.
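The policy described above and in the second practice scenario (require MFA for every user on every application unless the sign-in comes from a trusted named location), expressed in the Microsoft Graph conditionalAccessPolicy JSON format. This is an added example, not Advantage's configuration: the displayName, the excluded break-glass account placeholder and the report-only state are assumptions, chosen so the policy's effect can be reviewed in sign-in logs before it is switched to "enabled".

```json
{
  "displayName": "Require MFA outside trusted locations (example)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeUsers": ["<object-id-of-break-glass-account-placeholder>"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "clientAppTypes": ["all"],
    "locations": {
      "includeLocations": ["All"],
      "excludeLocations": ["AllTrusted"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa"]
  }
}
```

"AllTrusted" refers to the named locations marked as trusted in Entra ID, so the office network must be defined there for the exclusion to take effect; the excluded emergency-access account should itself be protected by a separate, stricter policy.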
How Advantage implements multi-factor authentication
Advantage enforces MFA as a baseline control across every Microsoft 365 and cyber security engagement, configuring it through Microsoft Entra ID and Conditional Access to balance strong protection with a smooth sign-in experience for staff.
Frequently asked questions
What is the most common form of multi-factor authentication?
The most common approach combines a password with a code or approval prompt sent to a mobile app, such as the Microsoft Authenticator app. Other methods include SMS text codes, hardware security keys and biometric verification such as a fingerprint, though app-based authentication is generally considered more secure than SMS.
Why is multi-factor authentication considered so important for cyber security?
Most account compromises happen because a password has been stolen, guessed or reused from another breached service. Multi-factor authentication means a stolen password alone is not enough to access an account, since the attacker would also need the second factor, dramatically reducing the success rate of password-based attacks.
Can multi-factor authentication be bypassed by attackers?
No security control is impossible to bypass, and techniques such as MFA fatigue attacks or sophisticated phishing do exist. However, multi-factor authentication still blocks the vast majority of automated and opportunistic attacks, and is widely regarded as one of the single most effective security controls a business can implement.