What Is Multi-Factor Authentication (MFA) and Why Does My Business Need It?
Multi-factor authentication (MFA) is a security control that requires two or more proofs of identity before granting access: something you know (a password), something you have (a phone or hardware key), or something you are (a fingerprint).
Quick answer
Multi-factor authentication (MFA) is a security control that requires two or more proofs of identity before granting access: something you know (a password), something you have (a phone or hardware key), or something you are (a fingerprint). It blocks the overwhelming majority of account-takeover attacks, and it is the single highest-impact security step a UK business can take.
Key Points
What you need to know.
The Short Answer
A concise overview of what you need to know.
For UK Businesses
How this applies specifically in the UK context.
Cost Considerations
What to expect in terms of investment and ongoing costs.
Next Steps
What you should do with this information.
Quick Comparison
| Feature | Option A | Option B |
|---|
If you only ever fix one thing about your Microsoft 365 security, make it this. A stolen password on its own becomes useless once a second factor stands between the attacker and your inbox, your files, and your finance system.
What is multi-factor authentication, in plain terms?
MFA means proving who you are in more than one way. A password alone is a single factor: anyone who knows it is "you" as far as the system is concerned. MFA adds a second, independent check that a remote attacker cannot easily steal or guess.
The three recognised factor categories are:
- Something you know — a password, PIN, or passphrase.
- Something you have — a phone running an authenticator app, a one-time code, or a hardware security key.
- Something you are — a biometric such as a fingerprint or face scan.
Genuine MFA combines factors from at least two different categories. Two passwords are not MFA. A password plus a number from an authenticator app is.
How does MFA actually work?
When you sign in, you enter your password as usual. The service then asks for a second proof: it pushes a prompt to your authenticator app, asks for a six-digit code, or requests a tap on a hardware key. Only when both checks pass do you get in.
The point is independence. Even if an attacker has phished or brute-forced your password, they still cannot satisfy the second factor sitting on a device in your pocket. Microsoft's own guidance is blunt: enabling MFA is the most effective action most organisations can take to protect accounts (Microsoft Security).
Modern MFA also gets smarter with context. Tools like Microsoft Entra ID conditional access can decide *when* to ask for a second factor — for example, only when a sign-in comes from an unfamiliar device, an unusual country, or a risky network.
Why does every UK business need MFA?
Account compromise is the entry point for most modern breaches: phishing leads to a stolen password, the password enables the mailbox, and the mailbox is used to invoice your customers or move your money. MFA breaks that chain at the first step, which is why insurers, frameworks, and regulators now treat it as a baseline rather than a nice-to-have.
The numbers make the case:
- MFA blocks over 99.9% of account-compromise attacks, according to Microsoft research — yet adoption across UK businesses remains low.
- Only 40% of UK businesses have two-factor authentication enabled (DSIT 2025), leaving the majority reliant on passwords alone.
Passwords leak constantly through breaches, reuse, and phishing. MFA is the control that makes a leaked password a non-event instead of a disaster. For the wider picture on protecting cloud accounts, see our managed cybersecurity approach.
Which MFA methods are the most secure?
Not all second factors are equal. Hardware security keys are phishing-resistant and effectively impossible to intercept remotely. Authenticator apps are strong and practical for most teams. SMS text codes are better than nothing but vulnerable to SIM-swap and interception, so they should be a fallback, not your default.
| MFA method | Security level | Phishing-resistant? | Best for |
|---|---|---|---|
| Hardware key (FIDO2 / WebAuthn) | Highest | Yes | Admins, finance, high-risk roles |
| Authenticator app (push / TOTP) | Strong | Partial | Most staff, day-to-day sign-ins |
| One-time code via email | Moderate | No | Low-risk fallback only |
| SMS text code | Weakest | No | Last-resort fallback |
Our practitioner recommendation: authenticator apps as the standard for everyone, hardware keys for administrators and anyone touching payments. Reserve SMS for break-glass scenarios. This pairs naturally with strong phishing protection, because phishing is exactly the attack MFA is meant to neutralise.
Is MFA required for Cyber Essentials and cyber insurance?
Yes. MFA is a requirement of the UK government-backed Cyber Essentials scheme for cloud services and administrative accounts (Cyber Essentials, gov.uk). The NCSC also names multi-factor authentication as a core control for protecting accounts (NCSC).
Cyber insurers have followed suit. Most UK policies now ask whether MFA is enforced on email and remote access, and many will refuse cover or decline a claim if it was not. AMVIA holds Cyber Essentials Plus, so we configure MFA to meet that bar as a matter of routine rather than as an afterthought.
How do you roll out MFA without disrupting staff?
Start with the accounts attackers want most. A phased rollout — administrators first, then finance and email, then everyone — lets you prove the process works before it touches the whole business. Clear comms and a short enrolment window prevent the help-desk pile-up that gives MFA a bad name.
Business email compromise is the threat this defends against most directly; overall IC3-reported cybercrime losses increased 33% from 2023 (FBI IC3 2024 report), and email is almost always the first account targeted. Practical rollout steps:
- Enrol every admin account in MFA before anything else.
- Use conditional access so prompts appear on risky sign-ins, not every login from a trusted office device.
- Enforce, rather than merely offer, MFA — optional MFA protects no one.
- Provide a hardware-key or app-based fallback so a lost phone never locks anyone out.
If you want this configured properly across your tenant, our Microsoft 365 MFA setup guide walks through the AMVIA approach. One provider, security-first, Microsoft-certified — so the rollout is planned, enforced, and supported rather than left half-finished.
Frequently Asked Questions
MFA stands for multi-factor authentication. It means verifying your identity with two or more independent factors — typically a password plus a code or prompt from a device you own — before you are allowed to sign in. It is sometimes called two-factor authentication (2FA) when exactly two factors are used.
Almost. Two-factor authentication uses exactly two factors, while multi-factor authentication means two or more. In everyday business use the terms are used interchangeably. The important point is that the factors come from different categories — something you know plus something you have — not two of the same type.
MFA can be targeted through phishing kits, prompt-bombing, or SIM-swap on SMS codes, but it dramatically raises the difficulty for attackers compared with passwords alone. Phishing-resistant methods such as FIDO2 hardware keys and number-matching in authenticator apps close most of these gaps, which is why we recommend them for high-risk accounts.
No. Multi-factor authentication is included with all Microsoft 365 business and enterprise plans at no additional licence cost. The investment is in configuration and rollout, not licensing. Conditional access policies for risk-based prompts require Microsoft Entra ID P1, which is included in Microsoft 365 Business Premium.
Start with administrator accounts, then finance, then any account with access to email or remote systems. Admin accounts hold the keys to your whole tenant, and email accounts are the usual launchpad for fraud. Once those are covered, extend MFA to every user so no account is left as an easy target.
MFA is the highest-impact single control, but it is not a complete security programme. Pair it with strong passwords, endpoint protection, email filtering, and staff awareness. MFA stops stolen-password attacks; layered defences handle the threats it does not, which is the model we build for clients.
Related Questions
Microsoft 365 Security
MFA is enforced via Conditional Access in Microsoft 365 — AMVIA configures and manages this as part of the managed M365 service.
Cybersecurity Guide for UK SMEs
MFA is the single most impactful security control — learn how it fits within a broader programme.