MFA (Multi-Factor Authentication)

MFA stands for Multi-Factor Authentication. Authentication that requires more than one type of credential: something you know (password), something you have (phone, hardware key, passkey-bearing device), something you are (biometric). 2FA is a specific subset of MFA with exactly two factors. The umbrella concept that underpins every modern authentication-hardening recommendation; the structural defense against credential-only compromise.

What it means in practice

The MFA tier matters more than the MFA label. SMS-based MFA defeats casual credential reuse but fails against SIM swapping and real-time phishing. TOTP-based MFA defeats SIM swapping but fails against real-time phishing kits. Push-based MFA (Duo, Microsoft Authenticator push) defeats both but fails against MFA fatigue (the attacker spams push notifications until the user approves one). Hardware-key MFA (FIDO2/WebAuthn, YubiKey, Titan) defeats all of the above by structural cryptographic binding to the domain origin. Passkey-based MFA (the FIDO2 model with software keystore) inherits the same phishing resistance. The shift across tiers is the operational defense; “I have MFA enabled” without specifying the tier is not a meaningful security claim in the 2026 threat environment.

Where it shows up

Required by: every major service as a strongly-recommended option, financial-services regulators (SEC, FFIEC, FCA equivalents) increasingly mandating non-SMS MFA for protected accounts, and corporate-IT environments where MFA is the baseline for access to enterprise resources. The Verizon DBIR consistently finds that credential-related compromise is the dominant initial-access vector across years and that MFA adoption (specifically, MFA tier above SMS) is the single highest-leverage user-side defense available. The 2024-26 trend toward passkeys and FIDO2 represents the structural endgame: passwords plus MFA collapse into a single cryptographic credential that defeats most phishing and stuffing attacks by design.

What you can change today

Audit MFA tier across your top 10 accounts. For each: identify the current tier (SMS, TOTP, push, hardware key, passkey), determine whether the service supports a higher tier, and migrate where possible. The priority order is structural rather than risk-based: primary email first (the cascade master), password manager second (the credential master), financial accounts third (the immediate-loss tier), then social media that hosts your audience, then everything else. Where a service still requires SMS as the only second factor (some banks, some legacy enterprise tools), add a port-out PIN with the carrier as the compensating control while you wait for the service to support better options.

Related articles