Multifactor Authentication (MFA) | Microsoft Security (2024)

FAQs

What is an MFA security? ›

Multi-factor authentication (MFA) is a multi-step account login process that requires users to enter more information than just a password.

Using multi-factor authentication (MFA) is one of the best ways to help keep your online accounts secure. While MFA can be defeated (since no tool is 100% perfect), the extra step creates a roadblock that may make a cybercriminal more likely to move on to the next target.

With MFA enabled, your accounts are more secure, and users can still authenticate to almost any application with single sign-on (SSO). There are multiple ways to enable MFA for your Microsoft Entra users based on the licenses that your organization owns.

MFA increases security because even if one credential becomes compromised, unauthorized users will be unable to meet the second authentication requirement and will not be able to access the targeted physical space, computing device, network, or database.

Armed with your password, attackers may bomb you with push MFA authentication requests. The goal is to get you to accept the notification so they can gain access to the account. These attacks often result in a malware attack to control your data while the fraudster demands a ransom payment.

Most Secure: Hardware Keys

External hardware keys, like Yubikeys, are among the strongest authentication factors available. Also called FIDO keys, they generate a cryptographically secure MFA authentication code at the push of a button.

Hackers use various techniques to bypass MFA, including social engineering tactics, token theft, and machine-in-the-middle attacks. These methods exploit vulnerabilities in the MFA process, allowing hackers to gain unauthorized access to user accounts.

After compromising login credentials through SMS phishing, they continue with the authentication process from a machine they control and immediately request a multi-factor authentication (MFA) code. They then generate an endless string of MFA prompts until the user accepts one out of fatigue or frustration.

MFA that relies solely on a phone number is typically more vulnerable to attacks than MFA that is compatible with authentication apps offered by Microsoft, Google and others. Hackers are able to overtake someone's phone number using a tactic called SIM-swapping, which would give them access to a text-based login code.

Is MFA more secure than 2FA? ›

Multi-factor authentication (MFA) is more secure than two-factor authentication (2FA) These two terms are often used interchangeably, but they're not quite the same thing. 2FA requires exactly two authentication types to unlock something. MFA requires a minimum of three forms of authentication.

Technology such as MFA is, therefore, key in preventing phishing attacks. Yet, traditional MFA has been proven weak. Now, phishing-resistant MFA is entering the picture, with authentication techniques, such as Web Authentication (WebAuthn) and public key infrastructure (PKI)-based MFA, that can stop MFA bypass attacks.

Many MFA solutions add external dependencies to systems, which can introduce security vulnerabilities or single points of failure. Processes implemented to allow users to bypass or reset MFA may be exploitable by attackers. Requiring MFA may prevent some users from accessing the application.

Physical security key

A physical authentication key is one of the strongest ways to implement multifactor authentication. A private key, stored on a physical device, is used to authenticate a user, such as a USB device that a user plugs into their computer while logging in.

This small step can make a significant difference when it comes to protecting your online accounts. In addition to protecting against security weaknesses or compromised login information, enabling MFA also helps protect online accounts from phishing attempts.

MFA is significantly more secure than conventional password logins, but still susceptible to bypass. SSO is secure but is a single point of failure; if the IdP account is compromised, many others may also be. MFA adds a step beyond inputting a password but is still relatively seamless.

The program is often viewed as an opportunity to build your portfolio, network with professionals and peers, explore new techniques, and take advantage of mentorship and fellowship opportunities. The MFA may also help you qualify for more job opportunities and prepare you for multiple career paths.

Multi-factor authentication (or MFA) is the best way to safeguard an account, because once MFA is enabled, an attacker won't be able to access it—even if they have your username and password. A physical security key is the most secure MFA option, since it's a dedicated authentication device and resistant to phishing.

MFA vs 2FA. So, two-factor authentication (2FA) requires users to present two types of authentication, while MFA requires users to present at least two, if not more types of authentication. This means that all 2FA is an MFA, but not all MFA is a 2FA.