Multi-Factor Authentication
A login security control requiring two or more verification factors so a stolen password alone is not sufficient to compromise an account.
In detail
Multi-Factor Authentication (MFA) requires a user to present factors from two or more of these categories: something they know (password or PIN), something they have (authenticator app, hardware token, SMS code, passkey), or something they are (biometric). MFA dramatically reduces account compromise risk because an attacker who steals a password still cannot log in without the second factor. TOTP authenticator apps (Google Authenticator, Authy, 1Password) and hardware keys (YubiKey) are considered stronger than SMS MFA, which is vulnerable to SIM swapping. The ACSC Essential Eight includes MFA as one of its eight mandated controls.
Why it matters for Australian business
MFA is the single highest-return security control available to Australian businesses today. The ACSC Essential Eight Maturity Model requires MFA for all users on all systems by Maturity Level 2. Most credential-based account takeovers targeting Australian SMBs would be stopped by MFA alone. We recommend MFA as a non-negotiable baseline for any production system and include it in every AI infrastructure deployment.