1300 002 001
Follow Us  —Fb. /Lk. /X. /Ig.

Glossary · Multi-Factor Authentication

MFA

A sign-in control that requires two or more proofs of identity — typically a password plus a phone, security key, or biometric — before granting access.

MFA (Multi-Factor Authentication) requires a user to present at least two independent proofs of identity: something they know (password), something they have (phone, security key), or something they are (biometric). The point is that stealing a password alone is no longer enough to compromise an account.

The methods, ranked by resistance to attack

  • SMS one-time codes — better than nothing, but vulnerable to SIM-swap and phishable.
  • Authenticator app push or TOTP — strong against bulk phishing, weaker against targeted AiTM (Adversary-in-the-Middle) attacks that proxy the login session in real time.
  • FIDO2 security keys and passkeysphishing-resistant. The cryptographic challenge is bound to the legitimate domain, so a proxy site can’t replay it. This is the baseline that’s increasingly expected for privileged accounts.

What’s changing

AiTM phishing kits are now commodity, which means SMS and push-based MFA are no longer sufficient for accounts that matter. Federal guidance and major vendors are converging on phishing-resistant MFA for administrators, finance approvers, and anyone with privileged access.

How Symsafe rolls it out

Every Microsoft 365 tenant Symsafe manages has MFA enforced on all users via Conditional Access. Migration to phishing-resistant methods (FIDO2 keys for admins, passkeys for general users) is sequenced as part of the security uplift roadmap.

— Related services

← Back to glossary