
What is multi-factor authentication


Multi-factor authentication (MFA) is an access control that requires two or more independent proofs of identity before granting access: typically something you know (a password) plus something you have (a phone running an authenticator app, or a hardware security key) or something you are (a fingerprint). Because a stolen or guessed password alone is no longer enough to log in, MFA blocks most credential-based account-takeover attacks, which makes it one of the most cost-effective controls a Canadian small business can deploy.

The three factors explained

MFA combines categories of evidence so that compromising one does not grant access. The three categories are: something you know, such as a password; something you have, such as a phone running an authenticator app or a hardware security key; and something you are, such as a fingerprint.

True MFA draws on at least two different categories. Two passwords are not MFA, and neither is a password plus a security question, because both proofs fall in the knowledge category. The strength comes from the attacker needing to defeat fundamentally different kinds of proof at once, typically by obtaining a physical device as well as a secret, which is far harder than guessing or phishing a single password.

Common MFA methods, ranked

Not all second factors are equally secure. From strongest to weakest: hardware security keys, which are phishing-resistant because the key only answers the genuine site; authenticator apps, whether they generate one-time codes or approve push prompts with number matching; and SMS codes, which can be intercepted or redirected by SIM-swapping.

For most small businesses, an authenticator app strikes the best balance of security and ease of use, with hardware keys for high-risk accounts such as administrators and finance staff. Keep in mind that app-generated codes and push approvals, unlike hardware keys, can still be relayed by a real-time phishing page. Avoid relying on SMS for your most sensitive logins where stronger options exist.

Where every business should enable MFA

Prioritize the accounts that would do the most damage if stolen: email, which also receives the password resets for everything else; remote access such as VPN and remote desktop logins; administrator accounts; and finance and banking logins.

Enabling MFA on email and remote access first closes the doors attackers use most. From there, extend it to every business application that supports it. Modern cloud platforms include MFA in their standard plans, so rollout is usually straightforward and often needs no extra licensing.

MFA limitations and best practices

MFA is powerful but not magic. Attackers try to bypass it through MFA fatigue (spamming push prompts until someone approves one), real-time phishing proxies (a lookalike site that relays your password and one-time code to the real site within seconds), and SIM swaps that redirect SMS codes to the attacker's phone. Each has a counter: number-matching prompts and limits on how many prompts can be sent against fatigue; phishing-resistant hardware keys for sensitive roles, since a key only answers the genuine site; moving sensitive accounts off SMS; and training staff never to approve a login they didn't initiate.
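The difference between an authenticator-app code and a hardware key is easiest to see in code. The following is an added example, not code from the original page: it implements the RFC 6238 TOTP codes that authenticator apps generate, then a simplified FIDO2/WebAuthn assertion, and runs both through the real-time phishing proxy described above. The seed, credential key, challenge and domain names are constructed for the demo, and HMAC-SHA256 stands in for the authenticator's ECDSA signature, which the Python standard library cannot produce; the origin and rpId checks mirror the real protocol.

```python
# Added example (not from the original page): why a TOTP code from an authenticator
# app can be relayed by a real-time phishing proxy while a FIDO2/WebAuthn-style
# hardware-key assertion cannot. Standard library only; HMAC-SHA256 stands in for
# the authenticator's ECDSA signature, the origin/rpId checks mirror the real protocol.
import base64
import hashlib
import hmac
import json
import struct


# --- Authenticator-app codes: RFC 4226 HOTP / RFC 6238 TOTP ----------------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                     # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current 30 s step plus `window` steps either side for clock drift."""
    candidates = (totp(secret, unix_time + d * 30) for d in range(-window, window + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)


# --- Hardware key: simplified WebAuthn assertion ---------------------------------
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def browser_client_data(origin: str, challenge: bytes) -> bytes:
    # The browser, not the web page, writes the origin it is actually connected to.
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}, sort_keys=True).encode()


def authenticator_sign(cred_key: bytes, rp_id: str, client_data: bytes) -> tuple:
    auth_data = hashlib.sha256(rp_id.encode()).digest()         # rpIdHash (flags/counter omitted)
    signed = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(cred_key, signed, hashlib.sha256).digest()


def rp_verify(cred_key: bytes, rp_id: str, expected_origin: str, challenge: bytes,
              client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("origin") != expected_origin:
        return False                                            # a relayed assertion fails here
    if cd.get("challenge") != b64url(challenge):
        return False
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(), sig)


def simulate_phishing_proxy() -> dict:
    """Victim logs in at a lookalike site that relays everything to the real site."""
    real_origin, fake_origin = "https://login.example.com", "https://login-example.com"
    rp_id = "login.example.com"
    totp_seed = b"12345678901234567890"                        # RFC 6238 test secret (demo seed)
    cred_key = b"constructed-demo-credential-key"               # constructed, not a real key
    now = 1111111111                                            # RFC 6238 test timestamp

    # 1. The victim types the 6-digit code into the fake page; the proxy forwards it
    #    to the real site 5 s later, still inside the same 30 s step: accepted.
    typed_code = totp(totp_seed, now)
    totp_relayed = verify_totp(totp_seed, typed_code, now + 5)

    # 2. The real site issues a challenge; the proxy hands it to the victim's browser,
    #    but the browser stamps the origin it sees (the lookalike) into clientData.
    challenge = hashlib.sha256(b"constructed-demo-challenge").digest()
    cd_fake = browser_client_data(fake_origin, challenge)
    auth_data, sig = authenticator_sign(cred_key, rp_id, cd_fake)
    fido_relayed = rp_verify(cred_key, rp_id, real_origin, challenge, cd_fake, auth_data, sig)

    # 3. Same key, same challenge, genuine origin: accepted.
    cd_real = browser_client_data(real_origin, challenge)
    auth_data, sig = authenticator_sign(cred_key, rp_id, cd_real)
    fido_genuine = rp_verify(cred_key, rp_id, real_origin, challenge, cd_real, auth_data, sig)

    return {"typed_code": typed_code, "totp_relayed": totp_relayed,
            "fido_relayed": fido_relayed, "fido_genuine": fido_genuine}


if __name__ == "__main__":
    print(simulate_phishing_proxy())
```

The TOTP code is just six digits typed into whatever page is in front of the user, so the proxy forwards it and it verifies; nothing in the code says which site it was typed into. The hardware-key assertion is signed over data that includes the origin the browser is actually connected to, and the verifier rejects any origin other than its own. A real browser is stricter still: at login-example.com it would refuse to use a credential registered for login.example.com at all, so the ceremony fails before anything is signed.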

Also plan for recovery: register a backup method and store recovery codes securely so a lost phone doesn't lock staff out, and treat the reset process as carefully as the login itself, since an easy reset undoes the MFA. Done well, MFA dramatically reduces breach risk while remaining nearly invisible to users in day-to-day work, a rare win-win in security.

FAQ

Is two-factor authentication (2FA) the same as MFA?

2FA is a type of MFA. Two-factor means exactly two proofs of identity, while multi-factor means two or more. In everyday use the terms are often interchangeable. Both are vastly stronger than a password alone. The key point is using factors from different categories — knowledge, possession, and inherence — so one stolen credential cannot grant access.

Is SMS-based MFA safe enough?

SMS codes are far better than no MFA, but they are the weakest common method. Attackers can intercept texts or hijack your number through SIM-swapping. For most accounts SMS is acceptable, but for email, banking, and admin logins, use an authenticator app or hardware key instead. The stronger the account's value, the stronger the factor should be.

Will MFA slow down my employees?

Very little. Modern authenticator apps approve logins with a single tap, and trusted devices often need re-verification only periodically. The minor friction is far outweighed by the protection: MFA stops the overwhelming majority of account-takeover attacks. Most staff adapt within days, and the time saved by avoiding a single breach dwarfs any small daily inconvenience.

Can attackers get around MFA?

Sometimes, through MFA-fatigue prompts, real-time phishing, or SIM-swaps against SMS. These attacks are far harder than stealing a password, and you can defend against them with number-matching, phishing-resistant hardware keys, and staff training to reject unexpected prompts. MFA isn't perfect, but it raises the bar so high that most attackers move on to easier targets.
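How number matching and prompt limits defeat MFA fatigue, as an added example that is not part of the original page: a small model of a push-approval service. The policy numbers (three prompts per five minutes, one-minute prompt lifetime) and the "pause and flag for review" response are assumptions chosen for the demo, not a description of any particular product.

```python
# Added example (not from the original page): push approval with number matching
# and prompt throttling, the two controls against MFA fatigue. MAX_PROMPTS, WINDOW_S,
# PROMPT_TTL_S and the pause-and-flag response are assumed policy values for the demo.
import secrets
from collections import deque
from typing import Optional

MAX_PROMPTS = 3      # assumed policy: more than 3 prompts ...
WINDOW_S = 300       # ... within 5 minutes is treated as prompt bombing
PROMPT_TTL_S = 60    # a prompt expires a minute after it is sent


class PushMFA:
    def __init__(self, pick_number=lambda: secrets.randbelow(100)):
        self.pending = {}        # prompt_id -> (user, number, issued_at)
        self.history = {}        # user -> timestamps of recent prompts
        self.suppressed = set()  # users whose prompts are paused pending review
        self.pick_number = pick_number

    def start_login(self, user: str, now: float):
        """Called after a correct password. Returns (prompt_id, number to show on the
        login screen), or None when no push is sent."""
        if user in self.suppressed:
            return None
        recent = self.history.setdefault(user, deque())
        while recent and now - recent[0] > WINDOW_S:
            recent.popleft()
        if len(recent) >= MAX_PROMPTS:
            # Prompt bombing: stop pushing, cancel anything outstanding, flag for review.
            self.suppressed.add(user)
            self.pending = {k: v for k, v in self.pending.items() if v[0] != user}
            return None
        recent.append(now)
        prompt_id = secrets.token_hex(8)
        number = self.pick_number()                 # two-digit number shown only on the login page
        self.pending[prompt_id] = (user, number, now)
        return prompt_id, number

    def approve(self, prompt_id: str, entered: Optional[int], now: float) -> bool:
        """Called from the phone app. The user must type the number shown on the login
        screen; a bare 'Approve' (entered=None) can never succeed."""
        entry = self.pending.pop(prompt_id, None)   # single use: no replay
        if entry is None:
            return False
        user, number, issued = entry
        return now - issued <= PROMPT_TTL_S and entered == number


def demo() -> dict:
    mfa = PushMFA(pick_number=lambda: 42)           # fixed number for a reproducible demo
    # Legitimate login: Alice reads 42 from her screen and types it into the app.
    pid, shown = mfa.start_login("alice", now=0)
    legit = mfa.approve(pid, shown, now=10)
    # Attacker with Alice's password: she gets a prompt she didn't start. There is no
    # number on her screen to type, so tapping through without one fails.
    pid, _ = mfa.start_login("alice", now=100)
    blind_tap = mfa.approve(pid, None, now=105)
    replay = mfa.approve(pid, 42, now=106)          # prompt already consumed
    # Attacker keeps hammering: the 4th prompt inside 5 minutes is never sent,
    # and Alice stays paused until someone reviews the account.
    mfa.start_login("alice", now=120)
    fourth = mfa.start_login("alice", now=130)
    later = mfa.start_login("alice", now=1000)
    return {"legit": legit, "blind_tap": blind_tap, "replay": replay,
            "fourth_prompt_sent": fourth is not None,
            "later_prompt_sent": later is not None,
            "alice_flagged": "alice" in mfa.suppressed}


if __name__ == "__main__":
    print(demo())
```

Number matching changes the question the phone asks from "approve?" to "what number is on the screen in front of you?", which an attacker's screen shows only to the attacker. Throttling caps how many times they can ask, and the pause plus review flag is what turns a bombing attempt into an incident someone looks at rather than a nuisance the user eventually clicks away.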
