Authentication & Identity
MFA
Multi-Factor Authentication (MFA) requires users to verify their identity using two or more factors: something they know (password), something they have (phone/hardware key), or something they are (biometric). MFA dramatically reduces account takeover risk even when passwords are compromised. TOTP authenticator apps and hardware security keys are significantly more phishing-resistant than SMS-based MFA. Most compliance frameworks (SOC 2, PCI-DSS, HIPAA) require MFA for privileged access.
Why it matters for your website
- Directly impacts resistance to account takeover and credential theft
- Required for SOC 2, HIPAA, and PCI-DSS compliance
- Misconfiguration can expose all user accounts to attack