If a single stolen password can let a stranger into your email, your files and your finances, then your business is one phishing email or one reused login away from a very bad day. That is the reality multi-factor authentication exists to fix. MFA is the simple idea that proving who you are should take more than one thing, so that a leaked password on its own is no longer a master key. This explainer covers what MFA actually is, why passwords stopped being enough, and which forms of it are genuinely worth turning on first.
What MFA means in one sentence
Multi-factor authentication means you prove your identity with two or more independent pieces of evidence instead of just one. The classic three categories are something you know (a password or PIN), something you have (a phone, an app or a hardware key), and something you are (a fingerprint or face). MFA asks for at least two of those, from different categories, so an attacker who steals one of them still cannot get in.
You already use MFA in daily life: a bank card plus a PIN is two factors. The whole point is independence. A password and a security question are both things you know, so a determined attacker can often discover both; a password plus a one-time code on a device you physically hold are independent, so stealing one does not hand over the other. That independence is what turns a single point of failure into two locks on the same door.
Why passwords stopped being enough
Passwords fail for reasons that have nothing to do with how clever yours is. People reuse the same one across many sites, so a breach anywhere becomes a breach everywhere. Billions of real username and password pairs already circulate from past breaches, and attackers simply try them in bulk against business logins, a tactic called credential stuffing. And phishing harvests passwords directly by tricking someone into typing them into a convincing fake page.
Against all three of those, a stronger password barely helps. A reused password is exposed no matter how long it is; a phished password is handed straight over; a breached password is already on a list. The uncomfortable conclusion is that the single password, however well chosen, is a model that attackers have comprehensively defeated. MFA does not make passwords stronger, it makes a stolen one far less useful, which is the part that actually matters.
- Reused passwords mean one breach anywhere becomes a breach everywhere
- Billions of leaked credentials are tried in bulk (credential stuffing)
- Phishing harvests passwords directly from convincing fake pages
- A longer password does not help against any of these; a second, independent factor does
Not all MFA is created equal
MFA comes in several strengths, and the differences matter. SMS codes are the weakest common form: better than nothing, but exposed to SIM-swap fraud and interception. Authenticator apps that generate a rotating code are a solid step up and free to use, though a code typed into a convincing fake page can be relayed to the real site within its short validity window, so they are not phishing-resistant. Push approvals, where you tap approve on your phone, are convenient but can be defeated by attackers who spam you with prompts until you tap one by mistake, so-called MFA fatigue; number matching, where the phone asks you to type a number shown on the login screen, blunts that.
The strongest mainstream option is a phishing-resistant method based on the FIDO2 standard: a hardware security key or a passkey. The browser binds each sign-in response to the domain of the site the user is actually on, so a response produced on a lookalike page is worthless to the real site, and there is no code for a user to be tricked into typing. For high-value accounts, administrators and finance, phishing-resistant MFA is the goal. For everyone else, an authenticator app is a huge improvement over passwords alone and a sensible default.
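The following added example (not code from the page or from any FIDO vendor) shows why that binding defeats a fake page. It simulates the three parties in a WebAuthn sign-in: the authenticator, the browser that fills in the page's origin, and the relying party that checks the origin and the rpId hash before it even looks at the signature. The relying-party name `accounts.example.com`, the lookalike `accounts-example.com` and the credential key are assumptions for the demo, and the signature is an HMAC stand-in for the ES256 key pair a real authenticator would use; the data that gets signed is laid out as in the standard.

```python
import base64
import hashlib
import hmac
import json
import os
import struct

RP_ID = "accounts.example.com"              # assumed relying-party ID
RP_ORIGIN = "https://accounts.example.com"  # the only origin the RP will accept


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class Authenticator:
    """Stand-in for a security key or passkey. It signs
    authenticatorData || SHA-256(clientDataJSON) as WebAuthn lays it out, but
    with HMAC instead of an ES256 key pair so only the standard library is needed."""

    def __init__(self, credential_key: bytes):
        self.key = credential_key
        self.sign_count = 0

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        self.sign_count += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
                     + bytes([0x05])                            # flags: UP | UV
                     + struct.pack(">I", self.sign_count))      # signCount
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self.key, to_sign, hashlib.sha256).digest()


def browser_client_data(page_origin: str, challenge: bytes) -> bytes:
    """The browser builds clientDataJSON and writes in the origin of the page it
    is actually showing; the page's own script cannot change that field."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": page_origin}).encode()


def verify_assertion(credential_key, issued_challenge, stored_count,
                     client_data_json, auth_data, signature):
    """Relying-party checks in the order WebAuthn section 7.2 lists them.
    Returns (True, new_counter) or (False, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(issued_challenge):
        return False, "challenge does not match the one issued"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')} is not allowed"
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    count = struct.unpack(">I", auth_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this RP"
    if not flags & 0x01:
        return False, "user presence flag not set"
    if count <= stored_count and not (count == 0 and stored_count == 0):
        return False, "signature counter did not increase (replay or cloned key)"
    to_sign = auth_data + hashlib.sha256(client_data_json).digest()
    expected = hmac.new(credential_key, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, count


def login_from(page_origin: str):
    """One login attempt from a page at page_origin. A real-time phishing proxy
    relays the RP's genuine challenge to the victim, so the challenge check
    passes; the origin check is what stops it. (A real browser would also refuse
    to use rpId accounts.example.com from an unrelated domain at all.)"""
    key = b"constructed-credential-key"   # constructed demo value
    authenticator = Authenticator(key)
    challenge = os.urandom(32)            # issued by the RP for this attempt
    client_data = browser_client_data(page_origin, challenge)
    auth_data, sig = authenticator.get_assertion(RP_ID, client_data)
    return verify_assertion(key, challenge, 0, client_data, auth_data, sig)


if __name__ == "__main__":
    print(login_from(RP_ORIGIN))                        # (True, 1)
    print(login_from("https://accounts-example.com"))   # (False, 'origin ... is not allowed')
```

Contrast this with a TOTP code: the relayed code carries no record of where it was typed, whereas the relayed assertion carries the phishing origin inside the signed data and is rejected before any password or code is involved. The counter check is the secondary benefit: an assertion replayed, or produced by a cloned key that has fallen behind, fails the counter comparison.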
The accounts to protect first
You do not have to turn MFA on everywhere at once, and trying to often stalls the whole effort. Start where a breach hurts most. Email is almost always first, because whoever controls your email can reset the password on everything else. Then your administrator accounts, your finance and banking logins, your remote-access and VPN, and any cloud platform holding customer data. Those few accounts cover most of the real risk.
MFA on these is also increasingly expected rather than optional. It is a core control in schemes like Cyber Essentials and a common requirement for cyber insurance and for the supply chains of larger customers, which you can read about under Cyber Essentials. Turning it on is one of the highest-return security actions an SME can take: low cost, modest effort, and it blunts the most common way businesses get breached, a stolen or reused password.
Where this is heading: passwordless
The longer-term direction is to remove the password from the equation entirely. Passkeys, built on the same FIDO2 standard as hardware keys, let you sign in with the fingerprint or face on a device you already trust, with no password to phish, reuse or breach. Major platforms now support them, and they are both more secure and, once set up, more convenient than typing a password plus a code.
For now, most businesses live in a sensible middle ground: passwords plus strong MFA, moving the most sensitive accounts to phishing-resistant methods and adopting passkeys where they fit. The destination is clear, though. The single password has had a long run and a comprehensive defeat, and authentication that combines factors, increasingly with no password at all, is simply how access works now.