What Is Multi-Factor Authentication (MFA)?
Multi-factor authentication requires users to verify their identity with two or more factors before accessing a system. It is the single most effective security control a business can implement, blocking over 99% of automated account compromise attacks.
Direct Answer
Multi-factor authentication (MFA) is a security measure that requires users to provide two or more verification factors to access an account or system. The factors are: something you know (password), something you have (phone, security key), and something you are (fingerprint, face). MFA prevents attackers from accessing accounts even if they have stolen the password. It is now a minimum requirement for cyber insurance, Cyber Essentials certification, and most compliance frameworks.
MFA Methods Explained
Different MFA methods offer different levels of security and usability.
Authenticator App
Apps like Microsoft Authenticator generate time-based codes. They are more secure than SMS and work offline. Recommended for most businesses.
SMS Codes
A one-time code sent via text message. Better than no MFA, but vulnerable to SIM-swapping attacks. Use it as a fallback, not as the primary method.
Hardware Security Keys
Physical devices (FIDO2/WebAuthn) that plug into USB or use NFC. The most secure MFA method — phishing-resistant and tamper-proof.
Biometric
Fingerprint or facial recognition on devices. Convenient and secure when combined with device-based authentication.
MFA Methods Compared
Security and usability trade-offs across common MFA methods.
| Feature | SMS (Basic) | Auth App (Recommended) | Security Key (Highest security) |
|---|---|---|---|
| Phishing resistant | Partial | ||
| Works offline | |||
| SIM-swap resistant | |||
| User convenience | High | High | Medium |
| Cost per user | Free | Free | £20–£50 |
| Meets Cyber Essentials |
Frequently Asked Questions
BEC is a type of fraud where attackers impersonate executives or suppliers to trick employees into transferring funds or sharing sensitive data. BEC attacks increased 33% in 2025. The average loss per BEC incident is $137,000. Even organisations with fewer than 1,000 employees face a 70% weekly probability of a BEC attempt.
The first hour after detection is considered the golden hour that determines outcome severity. Organisations that detect breaches internally save an average of $900,000 in costs. Only 22% of UK businesses have a formal cybersecurity incident management plan in place.
The top threats are phishing (85% of breaches), ransomware (doubled year-on-year), business email compromise (increased 33% in 2025), and supply chain attacks (35.5% of all breaches now originate from third parties). AI-powered attacks are accelerating all of these threat categories.
Ransomware is malicious software that encrypts your data and demands payment for its return. Approximately 19,000 UK businesses were hit by ransomware in 2025. The median UK ransom demand has doubled to $5.37 million, and average recovery costs reach $2.58 million excluding the ransom itself.
UK businesses typically allocate 13.2% of their total IT budget to cybersecurity. More than half of UK small businesses increased their cybersecurity spending in 2024. 85% of UK firms plan to boost their cyber budget for 2026. The cost of prevention is significantly less than the average breach cost of £3,550.
Deploy MFA Across Your Business
AMVIA can deploy and manage MFA across your organisation — Microsoft 365, VPN, cloud apps, and more.