IGA Glossary

Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) is a security method that requires users to verify their identity using two or more different factors before they can access an account or application. It significantly reduces the risk of unauthorized access, even when passwords are compromised.

What is multi-factor authentication?

Multi-factor authentication adds extra steps to the login process. Instead of just entering a password, users must also prove their identity through a second method — like approving a notification on their phone or entering a code from an authenticator app.

The idea is simple: passwords alone are not enough. They get stolen through phishing, leaked in data breaches, or guessed through brute force. MFA means that even if someone gets your password, they still cannot log in without that second factor.

The "factors" in multi-factor authentication fall into three categories: something you know (a password, PIN, or security question), something you have (a phone, hardware security key, or smart card), and something you are (a fingerprint, face scan, or other biometric).

True MFA requires at least two factors from different categories. Entering a password and then a security question is technically two steps, but both are "something you know," so it does not count as MFA.

Why is MFA so important?

The numbers tell the story. Microsoft has reported that MFA blocks over 99.9% of account compromise attacks. That reflects the reality that most attacks rely on stolen or weak passwords, and MFA makes those passwords useless on their own.

Without MFA, a single phishing email can give an attacker full access to your company's data. With MFA, that stolen password is just the first hurdle. The attacker would also need access to the user's phone, security key, or fingerprint — which is dramatically harder to obtain.

For organizations in regulated industries, MFA is increasingly not optional. Frameworks like NIS2, SOC 2, and ISO 27001 all expect or require MFA as a baseline security control.

How does MFA work in Microsoft Entra ID?

Entra ID offers several MFA methods, and you can choose which ones to allow based on your security requirements.

Microsoft Authenticator app. Microsoft's recommended method. Users approve sign-in requests by tapping a notification on their phone. It supports number matching, where the user must enter a number displayed on the login screen into the app — this prevents MFA fatigue attacks where users blindly approve notifications.

FIDO2 security keys. Physical hardware keys (like YubiKeys) that plug into a USB port or connect via NFC. These are the most secure MFA method because they are phishing-resistant — the key cryptographically verifies the website you are signing into.

Windows Hello for Business. Uses biometrics (face recognition or fingerprint) or a device PIN tied to the specific computer. A good option for organizations with managed Windows devices.

SMS and voice calls. A code sent via text or automated phone call. This still works but is considered less secure because SMS messages can be intercepted through SIM swapping attacks. Microsoft recommends moving away from SMS-based MFA.

OATH tokens. Time-based one-time passwords generated by apps like Google Authenticator or hardware tokens. Widely supported and a reasonable middle ground.

How do you enforce MFA in Entra ID?

The recommended approach is through conditional access policies, which give you granular control over when MFA is required. Common configurations include requiring MFA for all users all the time (the simplest and most secure option), requiring MFA only when signing in from outside the corporate network, requiring MFA for specific high-risk applications, or requiring MFA only for risky sign-ins (available with Entra ID P2).

Conditional access policies require at least Entra ID P1 licensing. Microsoft also offers "security defaults," a free all-or-nothing MFA policy for organizations that do not have P1. It is better than nothing, but it lacks the flexibility of conditional access.
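The first configuration described above (MFA for all users on all applications) can be created with the Microsoft Graph PowerShell SDK. This is an added example, not code from this page or from Adcyma; it assumes the Microsoft.Graph module is installed, the caller holds the Policy.ReadWrite.ConditionalAccess permission, and the break-glass account ID is a placeholder you replace with your own.

```powershell
# Added example (not Adcyma's or Microsoft's own code): create a conditional access
# policy that requires MFA for all users on all cloud apps via the Microsoft Graph
# PowerShell SDK. Requires Entra ID P1 and the Policy.ReadWrite.ConditionalAccess scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of your emergency-access ("break-glass") account. Exclude at
# least one such account so a misconfigured policy cannot lock every admin out.
$breakGlassAccountId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

$policy = @{
    displayName = "Require MFA for all users (report-only)"
    # Report-only mode: sign-ins are evaluated and logged, but nothing is blocked yet.
    # Change to "enabled" only after reviewing report-only results in the sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications = @{
            includeApplications = @("All")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"

# Check: list every policy in the tenant that requires MFA and whether it is enforced.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.GrantControls.BuiltInControls -contains "mfa" } |
    Select-Object DisplayName, State
```

Keep the policy in report-only mode until the sign-in logs show no unexpected impact, then flip the state to "enabled".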

What is MFA fatigue and how do you prevent it?

MFA fatigue (also called "MFA bombing" or "push fatigue") is a social engineering attack where an attacker repeatedly triggers MFA prompts, hoping the user will eventually approve one just to make it stop. This technique was used in several high-profile breaches, including the 2022 Uber hack.

To counter this, Microsoft introduced number matching in the Authenticator app. Instead of a simple "Approve/Deny" prompt, the user sees a two-digit number on the login screen and must type that same number into the app. This forces the user to actively look at the sign-in request rather than tapping "Approve" on autopilot.

Number matching is now the default for Authenticator push notifications in Entra ID. If you have not confirmed this is enabled in your tenant, it is worth checking.

What about passwordless authentication?

Passwordless authentication is the logical next step beyond MFA. Instead of using a password plus a second factor, you remove the password entirely. The authentication relies solely on more secure factors like biometrics and hardware keys.

In Entra ID, passwordless options include Windows Hello for Business, FIDO2 security keys, and the Microsoft Authenticator app in passwordless mode. Passwordless is generally more secure and more convenient — no password means no password to steal, phish, or forget. The transition takes time though. Not every application supports passwordless methods, and users need training. Most organizations run passwords and passwordless side by side for a while.

MFA and identity governance

MFA protects the front door — the sign-in process. But strong authentication is only one piece of the security picture. Even if MFA prevents unauthorized sign-ins, you still need to manage what authenticated users can access.

That is where identity governance complements MFA. MFA ensures the person logging in is who they claim to be. Governance ensures they only have access to what they need for their current role, and that access is regularly reviewed and cleaned up.

Adcyma works alongside your Entra ID MFA configuration. While MFA handles authentication security, Adcyma handles the governance layer: making sure the right people have the right access, and that access does not accumulate unchecked over time.


Put these concepts into practice

Adcyma makes identity governance simple for companies using Microsoft Entra ID. See how these terms translate into actual features.