Multifactor authentication. You have probably heard the term. You may even have it set up somewhere and find it mildly annoying when it asks you to tap your phone before logging in. But understanding what it actually does and why it matters makes the minor inconvenience much easier to accept.
Why Passwords Are Not Enough
Passwords have one fundamental problem: they can be stolen without you knowing. Phishing attacks trick you into entering your password on a fake login page. Data breaches expose passwords from other services, and people reuse passwords across accounts. Credential stuffing attacks take those leaked passwords and try them against Microsoft 365, banking apps, and email accounts automatically.
A stolen password used to mean a compromised account. With multifactor authentication in place, a stolen password alone is not enough.
How MFA Works
Multifactor authentication requires two or more of these three categories to verify your identity:
- Something you know: Your password or PIN
- Something you have: Your phone, a hardware key, or an authenticator app
- Something you are: A fingerprint, face scan, or other biometric
When you log in with MFA enabled, entering your password is only the first step. You then prove you are physically present by approving a notification on your phone, entering a code from an authenticator app, or tapping a hardware key. An attacker who has your password but not your physical device cannot complete the login.
The Microsoft Authenticator App
For Microsoft 365 accounts, the Microsoft Authenticator app is the recommended MFA method. After entering your password, you receive a push notification on your phone. Tap Approve, and you are in. The whole process takes a few seconds and requires no typing.
The app also supports number matching, which displays a two-digit number on your login screen that you must enter in the app before approving. This prevents attackers from bombarding you with approval requests and hoping you tap one accidentally, a technique called MFA fatigue.
Implementing MFA in Your Organization
For Microsoft 365 organizations, MFA can be enforced through Security Defaults, which turn it on for all users with a single switch, or through Conditional Access Policies, which give administrators more control over when and how MFA is required.
Most organizations should move toward Conditional Access Policies rather than per-user MFA settings, which Microsoft is phasing out. Conditional Access lets you require MFA based on factors like sign-in location, device compliance, and risk level.
The impact of enabling MFA on your Microsoft 365 tenant is significant. Microsoft's own data suggests that MFA blocks more than 99 percent of account compromise attacks. It is the single most effective security control available, and it requires no specialized hardware or complex configuration to deploy.
