Cybersecurity Glossary

What is MFA (Multi-Factor Authentication)?

Multi-factor authentication (MFA) is a sign-in control that requires a user to present two or more independent factors from different categories: something they know (a password or PIN), something they have (a phone, an authenticator app or a security key), and something they are (a fingerprint or face scan). Two factors from the same category, such as a password plus a security question, do not count as MFA.

Blocks 99% of password attacks
Required by most cyber insurance
Core to SOC 2, HIPAA, PCI
How It Works

How MFA works

Three quick steps every time a user signs in from a new device or risky context.

1

Identify

The user enters a username and password. This is the first factor — something they know.

2

Prompt

The system prompts for a second factor: a code from an authenticator app, a push notification, or a tap on a hardware key.

3

Verify

If the second factor is valid, the user is authenticated. If it is missing or wrong, access is denied, even if the password was correct.

Types of MFA

The four common types of MFA

Not all MFA is equal. Here is how the common methods compare from weakest to strongest.

Weakest

SMS / text codes

A one-time code sent by text message. Better than nothing, but vulnerable to SIM-swap attacks and phishing proxies. Avoid for admins.

Most common

Authenticator apps (TOTP)

Time-based one-time codes from an app like Microsoft Authenticator or Google Authenticator. Works offline and is immune to SIM swapping, but it is not phishing-resistant: a real-time phishing proxy can relay the six-digit code to the real site inside its 30-second window. A clear step up from SMS for most staff; use hardware keys for admins.

Convenient

Push notifications

The user approves a sign-in with a tap on their phone. Easy to use but vulnerable to MFA fatigue attacks — always pair with number matching.

Strongest

Hardware security keys

FIDO2 keys like YubiKey, or device-bound passkeys. Phishing-resistant by design: the browser includes the site's real origin in the data the key signs and only offers credentials registered for that domain, so a look-alike site cannot obtain a usable login.
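The "will not authenticate against a fake domain" property is enforced on the server by checking the origin and RP ID that the browser and authenticator bound into the response. The following added example (not from this page or from any vendor) implements, in Python, the WebAuthn assertion checks that need no key material, and shows a constructed assertion from a look-alike domain being rejected. `example.com`, `https://login.example.com` and the look-alike `https://login-example.com` are assumed values; the signature check over the returned bytes with the stored public key is the final step and is left out.

```python
import base64
import hashlib
import hmac
import json
import struct
from dataclasses import dataclass
from typing import Tuple


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


@dataclass
class RelyingParty:
    rp_id: str   # registrable domain the credential is scoped to (assumed value in main)
    origin: str  # exact origin of the login page (assumed value in main)


class AssertionRejected(Exception):
    pass


def check_assertion(rp: RelyingParty, expected_challenge: bytes, stored_sign_count: int,
                    client_data_json: bytes, authenticator_data: bytes) -> bytes:
    """WebAuthn assertion checks that need no key material.

    Returns the bytes the authenticator signed (authenticatorData ||
    SHA-256(clientDataJSON)); verifying the signature over them with the
    credential's stored public key is the last step and is omitted here.
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise AssertionRejected("not an authentication ceremony")
    challenge = b64url_decode(client_data.get("challenge", ""))
    if not hmac.compare_digest(challenge, expected_challenge):
        raise AssertionRejected("challenge mismatch: replayed or from another session")
    # The browser writes the origin itself; page script cannot forge it. This
    # check is what makes an assertion from a look-alike domain worthless.
    if client_data.get("origin") != rp.origin:
        raise AssertionRejected(f"origin {client_data.get('origin')!r} != {rp.origin!r}")

    if len(authenticator_data) < 37:
        raise AssertionRejected("authenticatorData too short")
    rp_id_hash = authenticator_data[:32]
    flags = authenticator_data[32]
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
    # The authenticator only signs for the RP ID the browser passed it, and the
    # browser only passes an RP ID that matches the page's own domain.
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(rp.rp_id.encode()).digest()):
        raise AssertionRejected("rpIdHash is not SHA-256 of our RP ID")
    if not flags & 0x01:  # UP flag: user presence (the physical tap)
        raise AssertionRejected("user presence not asserted")
    if sign_count != 0 and sign_count <= stored_sign_count:
        raise AssertionRejected("signature counter did not increase: possible cloned key")
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def assertion_ok(*args) -> bool:
    """Accept/reject wrapper around check_assertion."""
    try:
        check_assertion(*args)
        return True
    except AssertionRejected:
        return False


def build_sample_assertion(origin: str, rp_id: str, challenge: bytes,
                           sign_count: int) -> Tuple[bytes, bytes]:
    """Constructs what a browser and authenticator would hand back from a
    get() call on `origin` (sample data for this example, no real key)."""
    client_data_json = json.dumps({"type": "webauthn.get",
                                   "challenge": b64url_encode(challenge),
                                   "origin": origin}).encode()
    authenticator_data = (hashlib.sha256(rp_id.encode()).digest()
                          + bytes([0x05])              # flags: UP | UV
                          + struct.pack(">I", sign_count))
    return client_data_json, authenticator_data


if __name__ == "__main__":
    rp = RelyingParty(rp_id="example.com", origin="https://login.example.com")  # assumed
    challenge = bytes(range(32))  # per-login random value the server issued and stored
    real = build_sample_assertion("https://login.example.com", "example.com", challenge, 7)
    phish = build_sample_assertion("https://login-example.com", "login-example.com", challenge, 7)
    print("genuine site:", assertion_ok(rp, challenge, 6, *real))   # True
    print("look-alike:  ", assertion_ok(rp, challenge, 6, *phish))  # False
```

Contrast this with a TOTP code: nothing in the six digits says which site they were typed into, so a proxy can forward them anywhere. Here the origin and RP ID are part of the signed message, and the user has no way to "type" them into the wrong site.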

Why It Matters

Why SMBs need MFA

Passwords alone are no longer enough. Credential theft is now the most common way attackers get in.

81% of hacking-related breaches involve weak or stolen passwords (Verizon DBIR 2017)
99% of automated account-takeover attacks are blocked by MFA (Microsoft Security Research)
Required by most cyber insurance carriers and by the SOC 2, HIPAA and PCI DSS frameworks
Pitfalls

Common MFA mistakes

  • Enforcing MFA only on some accounts: attackers will find the exempt users. Apply MFA to every human account, and where a service account cannot use MFA, restrict it with other controls (no interactive sign-in, source IP allow-listing, long random credentials that are rotated).
  • Using SMS for privileged accounts: admins, finance, and anyone with access to money or sensitive data should use an authenticator app or a hardware key, never SMS alone.
  • No recovery plan for lost devices: when someone loses their phone, an undocumented reset process becomes a social-engineering target. Document the process, and the identity checks it requires, before you enforce MFA.
  • Ignoring MFA fatigue attacks: attackers who already have the password spam push notifications hoping the user taps "approve" out of frustration. Enable number matching and additional context (location, application) on the prompt, and alert on bursts of denied or unanswered prompts, since a burst means the password is already compromised.
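The fatigue attack in the last bullet leaves a clear trace in sign-in logs: many denied or unanswered push prompts for one user in a short window, sometimes followed by an approval. As an added example (not code from this page or from LogicalNet), here is a sliding-window detector over constructed push-MFA events in a simplified JSON-lines form. The field names (`ts`, `user`, `ip`, `result`) and the `push_denied` / `push_timeout` / `push_approved` values are assumptions to map your identity provider's export onto; the thresholds are starting points, not values the page gives.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List

# Constructed sample events (not from any real tenant); field names are assumed.
SAMPLE_LOG = """
{"ts": "2024-05-06T02:14:05Z", "user": "jsmith", "ip": "203.0.113.9", "result": "push_denied"}
{"ts": "2024-05-06T02:14:41Z", "user": "jsmith", "ip": "203.0.113.9", "result": "push_timeout"}
{"ts": "2024-05-06T02:15:20Z", "user": "adoe", "ip": "198.51.100.4", "result": "push_approved"}
{"ts": "2024-05-06T02:15:33Z", "user": "jsmith", "ip": "203.0.113.9", "result": "push_denied"}
{"ts": "2024-05-06T02:16:02Z", "user": "jsmith", "ip": "203.0.113.9", "result": "push_timeout"}
{"ts": "2024-05-06T02:16:50Z", "user": "jsmith", "ip": "203.0.113.9", "result": "push_denied"}
{"ts": "2024-05-06T02:17:31Z", "user": "jsmith", "ip": "203.0.113.9", "result": "push_timeout"}
{"ts": "2024-05-06T02:18:09Z", "user": "jsmith", "ip": "203.0.113.9", "result": "push_approved"}
{"ts": "2024-05-06T09:30:00Z", "user": "adoe", "ip": "198.51.100.4", "result": "push_denied"}
{"ts": "2024-05-06T09:30:20Z", "user": "adoe", "ip": "198.51.100.4", "result": "push_approved"}
"""

FAILED_PROMPTS = ("push_denied", "push_timeout")
BURST_THRESHOLD = 5       # failed prompts for one user inside WINDOW: push bombing
APPROVAL_THRESHOLD = 3    # an approval after this many failed prompts: user likely gave in
WINDOW = timedelta(minutes=10)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(lines: Iterable[str], burst: int = BURST_THRESHOLD,
                       approval: int = APPROVAL_THRESHOLD,
                       window: timedelta = WINDOW) -> List[Dict]:
    """Sliding-window detector over push MFA events given in timestamp order.

    Emits 'push_bombing' once when a user's failed prompts first reach `burst`
    inside `window`, and 'fatigue_success' when an approval follows at least
    `approval` failed prompts (treat that account as compromised)."""
    failed: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Dict] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        ts, user = parse_ts(ev["ts"]), ev["user"]
        q = failed[user]
        while q and ts - q[0] > window:   # drop prompts that fell out of the window
            q.popleft()
        if ev["result"] in FAILED_PROMPTS:
            q.append(ts)
            if len(q) == burst:           # alert on the first crossing only
                alerts.append({"kind": "push_bombing", "user": user,
                               "count": len(q), "ts": ev["ts"], "ip": ev["ip"]})
        elif ev["result"] == "push_approved" and len(q) >= approval:
            alerts.append({"kind": "fatigue_success", "user": user,
                           "count": len(q), "ts": ev["ts"], "ip": ev["ip"]})
            q.clear()                     # reset so the next burst is scored fresh
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample above, `jsmith` triggers `push_bombing` on the fifth failed prompt and `fatigue_success` on the approval that follows, while `adoe`'s single denial before an approval is treated as ordinary user behaviour. A `push_bombing` alert on its own already warrants a password reset, because the attacker had to know the password to trigger the prompts.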
Common Questions

MFA frequently asked questions

Is SMS-based MFA good enough?
SMS-based MFA is better than no MFA, but it is the weakest form. SMS can be intercepted through SIM-swap attacks and relayed by real-time phishing proxies. Use an authenticator app or a hardware security key whenever possible, especially for administrators and finance staff.

What is phishing-resistant MFA?
Phishing-resistant MFA uses methods whose credentials cannot be captured and relayed by a man-in-the-middle phishing site. The two common forms are FIDO2 hardware security keys (like YubiKey) and passkeys. Both use WebAuthn: the browser includes the site's real origin in the data the key signs and only offers credentials registered for that domain, so a fake login page cannot obtain a credential that works on the real one.

How should a small business roll out MFA?
Start with administrators and finance users, then expand to all staff. Pick one authenticator app as the standard, document the enrollment process, and run a short training session. Plan for recovery scenarios (lost phone, new device) before you enforce the policy.

Is MFA required for compliance?
MFA is either required or strongly recommended by HIPAA Security Rule guidance, SOC 2 common criteria, PCI DSS 4.0, and nearly every cyber insurance questionnaire. Most insurers will not issue a policy without MFA on email and remote access.

What happens when someone loses their phone?
Have a documented recovery process before it happens. Typically an administrator verifies the user's identity through an out-of-band channel (a call back to a known number or a manager's confirmation, never a reply to the request itself), lifts MFA for that one user only for as long as re-enrollment takes, and re-enrolls them with a new device. Backup codes or a secondary security key reduce downtime and keep the help desk out of the loop.
Identity & Access

Need help rolling out MFA?

Talk to a LogicalNet identity expert. We will review your current environment, recommend the right MFA methods for each group of users, and help you deploy without disrupting the business.

No commitment · Local engineers · Response within 1 business day