MFA (multi-factor authentication) is logging in with a second proof alongside your password — usually an approval or code in an app on your phone. Even if a password leaks, an attacker still can't get in. It is the most effective basic measure against account takeovers.

MFA in practice

Phishing is almost always about capturing passwords; MFA renders a stolen password virtually worthless in one stroke. That is why MFA appears in every security guideline — from the basic advice of the NCSC to the duty-of-care measures under NIS2 — and cyber insurers increasingly require it as a condition.

The set-up does need care, though: MFA should be enforced on all accounts, including admin accounts and the mailboxes of departed employees, and preferably in a phishing-resistant form (app approval with number matching rather than SMS codes). How to set this up in Microsoft 365 or Google Workspace is covered in the NIS2 checklist for SMBs.
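
An added check for the "MFA on all accounts" point (example code, not the glossary's own): it pulls the Entra ID registration report with the Microsoft Graph PowerShell SDK and lists accounts without MFA or with only SMS/phone factors, admins first. The cmdlet, property names and permission scopes are those of the Microsoft.Graph.Reports module as assumed here.

```powershell
# Added example, not from the RiverFlows glossary: audit MFA registration in Microsoft 365 / Entra ID.
# Assumes the Microsoft.Graph.Reports module is installed and the signed-in account holds the
# AuditLog.Read.All and UserAuthenticationMethod.Read.All permissions (assumed scope names).
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# Phone-based factors give only SMS/voice codes; treat an account that has nothing else as weak.
$weakMethods = @('mobilePhone', 'alternateMobilePhone', 'officePhone')

# One row per user: IsMfaRegistered, IsAdmin, MethodsRegistered, UserPrincipalName, ...
$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$findings = foreach ($u in $report) {
    $registered  = @($u.MethodsRegistered)
    $strong      = @($registered | Where-Object { $_ -notin $weakMethods })
    $hasWeakOnly = ($registered.Count -gt 0) -and ($strong.Count -eq 0)

    $status = if (-not $u.IsMfaRegistered) { 'NO-MFA' }
              elseif ($hasWeakOnly)        { 'SMS-ONLY' }
              else                         { 'OK' }

    # Only report the accounts that need attention; disabled (departed) accounts are included,
    # since a leftover mailbox without MFA is exactly the gap the text warns about.
    if ($status -ne 'OK') {
        [pscustomobject]@{
            User    = $u.UserPrincipalName
            IsAdmin = $u.IsAdmin
            Status  = $status
            Methods = ($registered -join ',')
        }
    }
}

# Admin accounts first: those are the ones where a missing second factor hurts most.
$findings |
    Sort-Object -Property @{ Expression = 'IsAdmin'; Descending = $true }, User |
    Format-Table -AutoSize
```

An empty table means every account is MFA-registered with at least one non-phone method; anything listed is a candidate for enforcement via conditional access.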

Related terms

  • SSO — SSO (single sign-on) means that employees log in once — usually with their Microsoft or Google account — and thereby automatically gain access to all connected applications.
  • Conditional access — Conditional access is a security mechanism that assesses each login attempt to decide whether it is allowed, blocked or requires extra verification — based on who is logging in, from which device, from which location and with what risk.
  • Tenant — A tenant is your own, shielded environment within a cloud service such as Microsoft 365 or Google Workspace: all users, mailboxes, files, settings and security rules of your organisation together.

Further reading

Part of the RiverFlows glossary · Updated . Missing a term? Let us know.