
MFA

Multi-Factor Authentication

Authentication method that requires at least two distinct factors to verify a user's identity. The factors are drawn from three families: something you know (password), something you have (security key, smartphone) and something you are (biometrics).

What MFA is

MFA (Multi-Factor Authentication) has become a near-mandatory measure for any remote or privileged access. It greatly reduces the risk that a compromised password alone is enough to take over the account.

The three families of factors

  1. Something you know — password, PIN.
  2. Something you have — smartphone (TOTP or push), hardware security key (FIDO2 / WebAuthn), smart card.
  3. Something you are — fingerprint, facial recognition (Windows Hello, Touch ID).

True MFA combines at least two different families. Two passwords are not MFA.

MFA and phishing resistance

Not all MFA methods are equal. SMS codes and TOTP codes (Google Authenticator, Microsoft Authenticator) can be captured and relayed in real time by an AiTM phishing proxy: the victim types a valid code into a look-alike site and the proxy forwards it to the real one, where it is accepted. Hardware FIDO2 / WebAuthn keys are phishing-resistant: the browser only uses a credential for the domain it was registered to, and the real origin is part of the data the key signs, so an assertion produced on a look-alike domain is rejected by the legitimate service.
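The following is an added example, not code from Hexceos, that models the two cases above side by side: a TOTP code relayed through an AiTM proxy is accepted by the real site, while a FIDO2 assertion relayed the same way is refused, first by the browser's rpId check and then by the relying party's origin and rpIdHash checks. TOTP is implemented per RFC 6238 with the standard library; the authenticator's ECDSA signature is replaced by an HMAC over exactly the bytes WebAuthn signs (authenticatorData || SHA-256(clientDataJSON)) so the script runs without third-party packages. All domains, secrets and the challenge are constructed for the example.

```python
# Added illustration of AiTM versus TOTP and FIDO2. Secrets, domains and the
# challenge are constructed; the HMAC stands in for the key's ECDSA signature.
import hashlib
import hmac
import json
import struct


# ---------- TOTP (RFC 6238: HMAC-SHA1, 30 s step, 6 digits) ----------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def rp_verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    return hmac.compare_digest(totp(secret, unix_time), submitted)


def aitm_relay_totp(secret: bytes, unix_time: int) -> bool:
    # The victim reads the code from the app and types it into the phishing page.
    # Nothing in the code says where it was typed, so the proxy forwards it unchanged.
    code_typed_on_phishing_page = totp(secret, unix_time)
    return rp_verify_totp(secret, code_typed_on_phishing_page, unix_time)


# ---------- FIDO2 / WebAuthn assertion (simplified model) ----------
def host_of(origin: str) -> str:
    return origin.split("://", 1)[1]


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def browser_get_assertion(origin: str, rp_id: str, challenge: str, credentials: dict):
    """Model of navigator.credentials.get(): refuse an rpId that is not the origin's
    domain (or a registrable suffix of it), use only a credential scoped to that rpId,
    and write the real origin into clientDataJSON before the authenticator signs."""
    host = host_of(origin)
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None                                   # SecurityError in a real browser
    cred_secret = credentials.get(rp_id)
    if cred_secret is None:
        return None                                   # no credential for this rpId
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data = rp_id_hash(rp_id) + b"\x01" + b"\x00\x00\x00\x07"   # rpIdHash | flags (UP) | signCount
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_secret, signed, hashlib.sha256).digest()   # stand-in for ECDSA
    return client_data, auth_data, sig


def rp_verify_assertion(expected_origin: str, rp_id: str, challenge: str, cred_secret: bytes,
                        client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != expected_origin:
        return False                                  # assertion made on a look-alike site
    if auth_data[:32] != rp_id_hash(rp_id):
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(sig, hmac.new(cred_secret, signed, hashlib.sha256).digest())


def legit_webauthn_login(credentials: dict, origin: str, challenge: str) -> bool:
    rp_id = host_of(origin)
    resp = browser_get_assertion(origin, rp_id, challenge, credentials)
    return resp is not None and rp_verify_assertion(origin, rp_id, challenge, credentials[rp_id], *resp)


def aitm_relay_webauthn(credentials: dict, legit_origin: str, phishing_origin: str, challenge: str) -> bool:
    """The proxy relays the real site's challenge to a victim sitting on the phishing origin."""
    rp_id = host_of(legit_origin)
    # Option 1: forward the real rpId. The browser refuses: not a suffix of the phishing host.
    resp = browser_get_assertion(phishing_origin, rp_id, challenge, credentials)
    if resp is None:
        # Option 2: request the phishing host as rpId. The browser allows it, but the key has
        # no credential for it, and any assertion it did produce would carry the wrong origin
        # and rpIdHash when forwarded to the real site.
        resp = browser_get_assertion(phishing_origin, host_of(phishing_origin), challenge, credentials)
    if resp is None:
        return False
    return rp_verify_assertion(legit_origin, rp_id, challenge, credentials[rp_id], *resp)


if __name__ == "__main__":
    seed = b"12345678901234567890"                    # RFC 6238 test-vector seed
    creds = {"login.example.com": b"constructed-credential-private-key"}
    print("TOTP relayed by AiTM accepted:", aitm_relay_totp(seed, 59))                 # True
    print("FIDO2 on the real origin:", legit_webauthn_login(creds, "https://login.example.com", "c0ffee"))
    print("FIDO2 relayed by AiTM accepted:",
          aitm_relay_webauthn(creds, "https://login.example.com", "https://login.example-sso.com", "c0ffee"))
```

Run it as a script to see the three outcomes. The point to take from `aitm_relay_webauthn` is that the proxy loses either way: it cannot make the victim's browser sign for the real site's rpId from a different origin, and anything it can get signed names the phishing origin inside the signed clientDataJSON, which the relying party compares against its own origin before trusting the signature.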

Hexceos recommendation for admin accounts: mandatory FIDO2 MFA, no SMS, no TOTP.

MFA at Hexceos

We support our clients with Conditional Access deployment (Microsoft Entra ID), with the choice and rollout of FIDO2 keys, and with migration from SMS / TOTP MFA to phishing-resistant factors. See cybersecurity services.

Related terms

ZTNA, AiTM

Last updated: 19 May 2026