
An online account that is protected with just a password is vulnerable to a breach. This is because if that password is stolen, guessed or brute forced, someone unauthorised could access the account from anywhere in the world. Make your accounts more secure - add another step of verification.

Based on studies conducted by Microsoft, your account is more than 99.9% less likely to be compromised if you use multi-factor authentication.

What is 2FA, 2SV and MFA?

Two-factor authentication (2FA) and two-step verification (2SV) are commonly used to mean the same thing: an extra step added to the basic log-in procedure for an online account. Without 2FA, you enter your username and password and you are done; the password is your single factor of authentication. The second factor or step makes the account much harder to compromise. Multi-factor authentication (MFA) is the general term for any number of factors greater than one.
2FA or MFA requires the user to present two or more different types of credential before being able to access an account. Using two credentials of the same type (for example, a password plus a security question, which are both things you know) is two-step verification but not two-factor authentication.

The three types are:

  • Something you know, such as a personal identification number (PIN), password or a security question (what is the name of your first pet?)

  • Something you have, such as an ATM card, phone, or security token (a small security device with built-in authentication)

  • Something you are, such as a fingerprint, retinal pattern, or voice print. These factors are called biometrics.

Why is MFA important?

Stealing personal information such as usernames and passwords, bank account details and credit card numbers is incredibly profitable for criminals. They can send fraudulent emails from your account, make fraudulent purchases from your credit card, use your identity to take out loans and open new accounts and go on to launch other attacks against you.

A common strategy for cyber criminals is to collect as many stolen username and password pairs as they can in the shortest possible time and then use automated tools to try those pairs against many other services at once, a technique known as credential stuffing. It works because people reuse passwords. According to Breach Alarm, 1 million passwords are stolen every week.

Passwords have been the mainstream form of authentication since the earliest days of computing. However, if we consider that 90% of passwords can be cracked in less than six hours and two-thirds of people still use the same password everywhere, they are not as secure as they need to be.

The vulnerability of passwords is the main reason for requiring and using MFA. With multi-factor authentication in place, a password that has been guessed or stolen is no longer enough on its own to get into the account. The extra layer of protection drastically reduces the chance of fraud, data loss or identity theft. How much it reduces it depends on the method: factors that are bound to the device or the website (such as a FIDO2 key) resist phishing, whereas codes sent by SMS or email can still be intercepted or phished along with the password.

Organisations are increasingly using cloud services as a way to share access to company files remotely, with employees accessing data from outside the office, sometimes from their own devices. There has been an increasing number of attacks on cloud services that use stolen users' passwords to access their accounts. Microsoft reports that there are over 300 million fraudulent sign-in attempts against its cloud services every day.

Most data breaches involve weak, default or stolen passwords, so today it is considered essential to require the extra step of multi-factor authentication (MFA) for access to all cloud services.

What type of MFA is acceptable for business use?
Multi-factor authentication requires the user to have two or more types of credentials before being able to access an account.

The NCSC recommends the following forms of MFA, in order of effectiveness:

  • Using a physically separate extra factor - such as a FIDO2 key

  • Using an authenticator app on a trusted device as an extra factor - such as Google Authenticator or Microsoft Authenticator

  • Using an app-based code generator - an app is used to generate a one-time code

  • Using a hardware-based code generator - a physical token is used to generate a code

  • Using a message-based method - an email, SMS message or voice call. This is the weakest option: the code can be read by anyone who can intercept the message (for example through a SIM swap) or trick the user into revealing it, so use it only where none of the methods above is available

See the page at https://www.ncsc.gov.uk/collection/mfa-for-your-corporate-online-services/recommended-types-of-mfa for details.

In summary

MFA is an extra barrier that makes an account far harder for an attacker to get into. Whether an attacker acquires your password via a phishing attack, from credentials stolen in another breach or by cracking it with a brute-force attack, if you have MFA enabled the password alone will not get them in, and this will be your safeguard.

 

© The IASME Consortium Ltd 2025 All rights reserved.
