Multi-factor authentication (MFA) requires more than one proof of identity at sign-in—typically something you know (password) plus something you have (phone app, hardware key) or something you are (biometric).
Why passwords alone fail
Phishing, password reuse, and credential stuffing mean a correct password no longer proves a legitimate user. MFA blocks large classes of account takeover, especially business email compromise.
Not all MFA is equal
- SMS works better than nothing but is phishable and SIM-swappable
- Authenticator apps improve the baseline
- Number matching and phishing-resistant methods (FIDO2/passkeys, hardware keys) are stronger
SMB rollout tips
- Start with admins and remote access the same day
- Cover all users before “phase 2 someday”
- Plan break-glass accounts carefully
- Train people on approval fatigue and MFA prompt attacks
Need a clear baseline for your environment?
Start with a free 15-minute review. When a structured assessment is the right next step, ImpetraInsights™ can provide multi-framework scoring and an executive-ready report—including CMMC and HIPAA readiness paths.