AEO Answer

What Is Multi-Factor Authentication (MFA) and Why Does My Business Need It?

Multi-factor authentication (MFA) is a security control that requires two or more proofs of identity before granting access: something you know (a password), something you have (a phone or hardware key), or something you are (a fingerprint).

Quick answer

Multi-factor authentication (MFA) is a security control that requires two or more proofs of identity before granting access: something you know (a password), something you have (a phone or hardware key), or something you are (a fingerprint). It blocks the overwhelming majority of account-takeover attacks, and it is the single highest-impact security step a UK business can take.

Key Points

What you need to know.

The Short Answer

A concise overview of what you need to know.

For UK Businesses

How this applies specifically in the UK context.

Cost Considerations

What to expect in terms of investment and ongoing costs.

Next Steps

What you should do with this information.

Quick Comparison

Feature
Option A
Option B

If you only ever fix one thing about your Microsoft 365 security, make it this. A stolen password on its own becomes useless once a second factor stands between the attacker and your inbox, your files, and your finance system.

What is multi-factor authentication, in plain terms?

MFA means proving who you are in more than one way. A password alone is a single factor: anyone who knows it is "you" as far as the system is concerned. MFA adds a second, independent check that a remote attacker cannot easily steal or guess.

The three recognised factor categories are:

  • Something you know — a password, PIN, or passphrase.
  • Something you have — a phone running an authenticator app, a one-time code, or a hardware security key.
  • Something you are — a biometric such as a fingerprint or face scan.

Genuine MFA combines factors from at least two different categories. Two passwords are not MFA. A password plus a number from an authenticator app is.

How does MFA actually work?

When you sign in, you enter your password as usual. The service then asks for a second proof: it pushes a prompt to your authenticator app, asks for a six-digit code, or requests a tap on a hardware key. Only when both checks pass do you get in.

The point is independence. Even if an attacker has phished or brute-forced your password, they still cannot satisfy the second factor sitting on a device in your pocket. Microsoft's own guidance is blunt: enabling MFA is the most effective action most organisations can take to protect accounts (Microsoft Security).

Modern MFA also gets smarter with context. Tools like Microsoft Entra ID conditional access can decide *when* to ask for a second factor — for example, only when a sign-in comes from an unfamiliar device, an unusual country, or a risky network.

Why does every UK business need MFA?

Account compromise is the entry point for most modern breaches: phishing leads to a stolen password, the password enables the mailbox, and the mailbox is used to invoice your customers or move your money. MFA breaks that chain at the first step, which is why insurers, frameworks, and regulators now treat it as a baseline rather than a nice-to-have.

The numbers make the case:

  • MFA blocks over 99.9% of account-compromise attacks, according to Microsoft research — yet adoption across UK businesses remains low.
  • Only 40% of UK businesses have two-factor authentication enabled (DSIT 2025), leaving the majority reliant on passwords alone.

Passwords leak constantly through breaches, reuse, and phishing. MFA is the control that makes a leaked password a non-event instead of a disaster. For the wider picture on protecting cloud accounts, see our managed cybersecurity approach.

Which MFA methods are the most secure?

Not all second factors are equal. Hardware security keys are phishing-resistant and effectively impossible to intercept remotely. Authenticator apps are strong and practical for most teams. SMS text codes are better than nothing but vulnerable to SIM-swap and interception, so they should be a fallback, not your default.

MFA methodSecurity levelPhishing-resistant?Best for
Hardware key (FIDO2 / WebAuthn)HighestYesAdmins, finance, high-risk roles
Authenticator app (push / TOTP)StrongPartialMost staff, day-to-day sign-ins
One-time code via emailModerateNoLow-risk fallback only
SMS text codeWeakestNoLast-resort fallback

Our practitioner recommendation: authenticator apps as the standard for everyone, hardware keys for administrators and anyone touching payments. Reserve SMS for break-glass scenarios. This pairs naturally with strong phishing protection, because phishing is exactly the attack MFA is meant to neutralise.

Is MFA required for Cyber Essentials and cyber insurance?

Yes. MFA is a requirement of the UK government-backed Cyber Essentials scheme for cloud services and administrative accounts (Cyber Essentials, gov.uk). The NCSC also names multi-factor authentication as a core control for protecting accounts (NCSC).

Cyber insurers have followed suit. Most UK policies now ask whether MFA is enforced on email and remote access, and many will refuse cover or decline a claim if it was not. AMVIA holds Cyber Essentials Plus, so we configure MFA to meet that bar as a matter of routine rather than as an afterthought.

How do you roll out MFA without disrupting staff?

Start with the accounts attackers want most. A phased rollout — administrators first, then finance and email, then everyone — lets you prove the process works before it touches the whole business. Clear comms and a short enrolment window prevent the help-desk pile-up that gives MFA a bad name.

Business email compromise is the threat this defends against most directly; overall IC3-reported cybercrime losses increased 33% from 2023 (FBI IC3 2024 report), and email is almost always the first account targeted. Practical rollout steps:

  • Enrol every admin account in MFA before anything else.
  • Use conditional access so prompts appear on risky sign-ins, not every login from a trusted office device.
  • Enforce, rather than merely offer, MFA — optional MFA protects no one.
  • Provide a hardware-key or app-based fallback so a lost phone never locks anyone out.

If you want this configured properly across your tenant, our Microsoft 365 MFA setup guide walks through the AMVIA approach. One provider, security-first, Microsoft-certified — so the rollout is planned, enforced, and supported rather than left half-finished.

Frequently Asked Questions

Need More Detail?

Speak to an AMVIA expert for advice tailored to your business.