It’s been a long time since passwords were enough to block the black hats. Enter: MFA. In this post, learn:
- What MFA is
- MFA mandates and requirements (by industry)
- Best practices for launching a multifactor authentication tool
- Benefits of a multi-step authenticator
- The best, most compliant, MFA tools available in 2025
What is MFA?
MFA (multifactor authentication) is a security method that requires users to verify their identity in at least two different ways before accessing an account or system. It’s also known as:
- Two-factor authentication (2FA)
- Dual-factor authentication
- Multi-factor authentication
Types of multifactor authentication verification
Multifactor authentication relies on a few factors to verify a user’s identity:
- Knowledge-based authentication relies on something you know (your PIN, a password, your first pet’s name) to verify your identity.
- Possession-based authentication relies on something you have to verify your identity, like an authentication app on your phone.
- Biometric authentication uses something you are, such as a fingerprint or face scan.
- Location-based authentication uses your location to verify it’s you.
How MFA works
MFA works by requiring users to provide multiple forms of identification when logging into an account. For example, let’s say you need to log into your email:
- Browse to your email application.
- Enter your username and password (something you know).
- The email app texts your phone (something you have) an authentication code.
- You input the authentication code into the email app, and you’re granted access to your email.
In that example, there were two to three levels of authentication—knowledge-based, possession-based, and biometric (depending on how you unlocked your phone).
The entire MFA process adds a few extra seconds to your regular login time.
Is MFA required?
MFA is becoming increasingly required across various industries and organizations.
- Starting February 3rd, 2025, Microsoft requires MFA for all user accounts accessing the Microsoft 365 admin center.
- The IRS requires that all tax professionals use MFA before accessing systems containing taxpayer information.
- MFA is now mandatory for many cyber insurance policies, and failure to implement it may result in non-renewal or increased premiums.
FTC MFA requirement
The FTC MFA requirement applies to any individual accessing customer information on your system—unless “your Qualified Individual has approved in writing the use of another equivalent form of secure access controls.”
Industry-specific MFA requirements
Several industries have specific MFA requirements:
- Finance
- Healthcare
- Defense
- Law enforcement
While MFA is not universally mandated for all online accounts, it’s strongly recommended as a security best practice. (And it’s one of the easiest to implement, too.) Cybersecurity experts and organizations like CISA (Cybersecurity and Infrastructure Security Agency) advise enabling MFA whenever it’s offered to significantly reduce the risk of account compromise.
How to set up MFA
- Choose an MFA solution that works with your current systems.
- Enable MFA on all user accounts.
- Select at least two authentication methods.
- Train employees on security procedures.
- Document your security protocols.
1. Choose a solution that works with your current systems
Consider compatibility with your existing infrastructure. Does your tech stack already have user authentication built-in, but not enabled?
Look for a multifactor solution that:
- You already own: Most tax software products for taxpayers and tax professionals offer MFA. Check your software’s security settings before adding anything new to your tech stack, as adding MFA may be as simple as clicking “Enable.”
- Is compatible with your existing infrastructure: Check which authenticators work best with your existing software and applications by searching “multifactor authentication for [name of app]”. If you’re not finding many search results (or you’re finding too many) consider contacting a security professional to help you evaluate solutions.

2. Enable MFA on all user accounts
Administrators: Don’t make it an option. Revoke access to MFA-required software and apps until users set up your company-approved authenticator.
3. Select at least two authentication methods
The core principle of MFA is using multiple factors (at least two) from different categories:
- Something you know (like a password)
- Something you have (like a smartphone for verification codes)
- Something you are (like a fingerprint)
By selecting at least two different types of authentication methods from these categories, you create a more secure system than using just one method (like a password alone).
⇒ How to choose your authentication methods
When selecting which authentication methods to implement, consider the security level required for that particular tool. For example, experts recommend using biometrics (something you are) plus another method for high-security data, such as financial information or health records.
4. Train employees on security procedures
Educate your employees on how to set up multifactor authentication on their devices, then walk them through how it will impact their workday. Personally, MFA only adds a few seconds to my login time, but every user’s experience will vary based on skill level and the type of implementation chosen.
5. Document your process
Record an employee training video for any new (or existing) employees to reference. Include the MFA procedures in your security plan, track system access points—and don’t forget to monitor for unusual authentication attempts.
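Monitoring for unusual authentication attempts is the step that usually gets skipped. The following Python is an added example, not code from the original post, of the kind of check a small business can run over its authenticator’s logs. The log lines and field layout are constructed for the example, not a real product’s format; the two rules it applies are a burst of denied MFA challenges for one user inside a short window (a user repeatedly rejecting prompts they did not start, or repeated wrong codes) and an approval that comes right after such a burst, which is worth a phone call to the user before the session is trusted.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real product). Fields: timestamp user event result source_ip
SAMPLE_LOG = """\
2025-03-01T09:00:01Z alice mfa_challenge denied 203.0.113.7
2025-03-01T09:00:09Z alice mfa_challenge denied 203.0.113.7
2025-03-01T09:00:17Z alice mfa_challenge denied 203.0.113.7
2025-03-01T09:00:25Z alice mfa_challenge denied 203.0.113.7
2025-03-01T09:00:33Z alice mfa_challenge denied 203.0.113.7
2025-03-01T09:00:41Z alice mfa_challenge approved 203.0.113.7
2025-03-01T09:05:00Z bob mfa_challenge approved 198.51.100.4
2025-03-01T13:30:00Z bob mfa_challenge denied 198.51.100.4
2025-03-01T13:31:00Z bob mfa_challenge approved 198.51.100.4
"""

WINDOW = timedelta(minutes=5)  # sliding window for counting denials
MAX_DENIALS = 4                # denials inside the window that count as a burst


def parse(text: str) -> list:
    """Turn the whitespace-separated sample lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "event": event, "result": result, "ip": ip,
        })
    return events


def find_unusual_mfa(events: list, window=WINDOW, max_denials=MAX_DENIALS) -> list:
    """Return alerts as (user, kind, timestamp) tuples, in time order.

    kind == "mfa_burst":            max_denials or more denied challenges for one user
                                    inside `window` (alerted once per burst)
    kind == "approved_after_burst": an approval that follows an open burst
    """
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of denials still inside the window
    burst_open = set()          # users whose burst has been alerted and not yet closed

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "mfa_challenge":
            continue
        user = ev["user"]
        # Drop denials that have aged out of the sliding window; a burst with no
        # remaining denials is over, so the same user can be alerted again later.
        recent[user] = [t for t in recent[user] if ev["ts"] - t <= window]
        if not recent[user]:
            burst_open.discard(user)

        if ev["result"] == "denied":
            recent[user].append(ev["ts"])
            if len(recent[user]) >= max_denials and user not in burst_open:
                alerts.append((user, "mfa_burst", ev["ts"]))
                burst_open.add(user)
        elif ev["result"] == "approved":
            if user in burst_open:
                alerts.append((user, "approved_after_burst", ev["ts"]))
            burst_open.discard(user)
            recent[user].clear()
    return alerts


if __name__ == "__main__":
    for user, kind, ts in find_unusual_mfa(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user}: {kind}")
```

On the sample data, bob’s single denial followed by an approval is normal (a mistyped code) and produces nothing, while alice’s five denials in forty seconds and the approval that follows produce two alerts. Thresholds are a local choice: a window and count tuned to how often your own users genuinely fumble a prompt keep the rule from paging on noise.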
Benefits of MFA: Little effort, big results
The number one benefit of MFA is that it stops unauthorized users from accessing your information. For a few extra seconds of setup and waiting, you can be nearly certain that the only person seeing your data is you.
When implemented correctly, MFA delivers the following benefits:
- Blocks unauthorized access.
- Stops phishing and social engineering attacks from becoming breaches.
- Keeps you compliant with federal regulations.
- Shows clients and customers that you prioritize data security.
MFA tools available in 2025
Looking for the most secure, compliant multifactor authentication tools available today? Start here.
MFA Tool | Compliances
---|---
Cisco Duo | SOC 2, ISO 27001, HIPAA, PCI DSS, and more
Google Authenticator | HIPAA, SEC, multiple NIST, and more
LastPass MFA | SOC 2, ISO 27701, ISO 27001, and more
Microsoft Authenticator | FIPS 140; other compliances can be enabled with the help of Microsoft.