Hard2bit

Authentication

What is authentication

Authentication is the process of verifying the identity of a user or device to confirm they are who they claim to be. It is the first critical step in access control: without proper authentication, anyone could access systems and data. Methods include: passwords, multi-factor authentication (MFA), biometrics, digital certificates, and Single Sign-On (SSO). Robust authentication is the foundation of Zero Trust, identity security, and regulatory compliance (ISO 27001, NIS2, DORA).

Why it matters

Weak or shared credentials are the root cause of massive breaches: 80 percent of breaches involve unauthorized access through compromised credentials, and studies show that MFA reduces that risk to less than 1 percent. CISOs must implement mandatory MFA on all remote access, enforce strong password policies with complexity requirements, integrate authentication with a centralized directory (AD/Entra), monitor for abnormal login attempts, and implement adaptive authentication that takes location, device, and time into account. Regulations mandate strong authentication: ISO 27001 requires multiple authentication mechanisms, NIS2 mandates MFA for privileged users, and DORA requires it for critical financial services.

Key points

MFA is the minimum standard: it combines multiple factors (something you know, such as a password; something you have, such as an app or hardware key; something you are, such as biometrics) so that a single compromised credential is not enough to gain access.

Strong passwords: 12+ characters, symbols, no predictable patterns. Store them in a centralized directory using a password-hashing function (bcrypt, Argon2), never in plain text.
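As an added example (not Hard2bit's code), the block below turns that key point into a policy check and a storage routine. The policy function reports every violation (length, missing symbol, common words from a small constructed denylist, repeated characters, ascending or descending runs such as "1234"). For storage it uses `hashlib.scrypt` from the Python standard library, a memory-hard password hash; it stands in for the bcrypt or Argon2 the text names, which need third-party packages, and the salted, self-describing record format and constant-time verification are the same as those libraries produce.

```python
import hashlib
import hmac
import os
import re

# Constructed denylist for the example; a deployment would check a full breached-password list.
COMMON_FRAGMENTS = ("password", "qwerty", "letmein", "welcome", "admin")

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # cost parameters (16 MiB of memory)


def check_password_policy(password: str, min_length: int = 12) -> list:
    """Return the list of violations; an empty list means the password is acceptable."""
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if not any(not c.isalnum() for c in password):
        violations.append("no symbol")
    lowered = password.lower()
    if any(fragment in lowered for fragment in COMMON_FRAGMENTS):
        violations.append("contains a common word")
    if re.search(r"(.)\1{3,}", password):
        violations.append("same character repeated 4+ times")
    for i in range(len(password) - 3):
        window = password[i:i + 4]
        # Code-point differences between neighbours: {1} is "abcd"/"1234", {-1} is "dcba".
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({1}, {-1}):
            violations.append(f"sequential run '{window}'")
            break
    return violations


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted scrypt hash in a self-describing record: algo$n$r$p$salt$hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "Password1234!", "correct horse battery staple!"):
        print(f"{candidate!r}: {check_password_policy(candidate) or 'ok'}")
    record = hash_password("correct horse battery staple!")
    print(record)
    print(verify_password("correct horse battery staple!", record))
```

The stored record carries its own cost parameters, so they can be raised later and old records re-hashed at the user's next successful login without a migration.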

Passwordless authentication: biometrics, WebAuthn, passwordless phone sign-in reduce password fatigue and phishing risk; adoption growing in modern enterprises.

Authentication monitoring: SIEM must alert on repeated failed attempts, impossible locations, access at abnormal hours, and attempts against administrative accounts.

Example: Implementing strong authentication in an enterprise

A company implements mandatory MFA after detecting 50 compromised accounts from phishing. Without MFA, attackers used the stolen credentials for remote access. With MFA (Microsoft Authenticator plus FIDO2 hardware keys), attackers holding valid passwords still cannot gain access without the second factor, which the employee physically possesses or provides as a biometric. In parallel, the company upgrades its password policy: it previously accepted eight characters and now requires 12+ with symbols. It also adds adaptive authentication: logins from unusual locations or at unusual hours require additional verification. Result: subsequent access attempts with the compromised credentials fail at the second factor, and the SIEM alert fires automatically.
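The monitoring rules listed under "Key points" and the adaptive checks in the example above both need the same view of the authentication log, so one added example (not Hard2bit's code) serves both. It parses a small constructed log, raises the four alert types the text names (repeated failures, impossible travel between countries, logins at abnormal hours, failed attempts against administrative accounts), and exposes a step-up decision a login flow could call before accepting a session. Thresholds, the 07:00-19:00 working window, and the use of the log's own time zone for "abnormal hours" are assumptions chosen for the example; a production rule would use the user's local time and real geo-velocity rather than a country change.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for the example; addresses are documentation ranges.
SAMPLE_LOG = """\
2024-05-03T09:00:00+00:00 user=alice result=fail src=203.0.113.5 country=ES
2024-05-03T09:01:00+00:00 user=alice result=fail src=203.0.113.5 country=ES
2024-05-03T09:02:00+00:00 user=alice result=fail src=203.0.113.5 country=ES
2024-05-03T09:03:00+00:00 user=alice result=fail src=203.0.113.5 country=ES
2024-05-03T09:04:00+00:00 user=alice result=fail src=203.0.113.5 country=ES
2024-05-03T10:00:00+00:00 user=bob result=success src=198.51.100.7 country=ES
2024-05-03T10:30:00+00:00 user=bob result=success src=192.0.2.44 country=US
2024-05-03T03:10:00+00:00 user=carol result=success src=198.51.100.9 country=ES
2024-05-03T11:00:00+00:00 user=admin-dba result=fail src=203.0.113.77 country=ES
2024-05-03T11:02:00+00:00 user=admin-dba result=fail src=203.0.113.77 country=ES
2024-05-03T14:00:00+00:00 user=dave result=success src=198.51.100.12 country=ES
"""

ADMIN_ACCOUNTS = {"admin-dba"}          # assumed list of privileged accounts
WORK_HOURS = (7, 19)                    # start inclusive, end exclusive, log time zone
LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) "
                     r"src=(?P<src>\S+) country=(?P<country>\S+)")


def parse_log(text: str) -> list:
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            event = match.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return events


def in_work_hours(ts: datetime, work_hours=WORK_HOURS) -> bool:
    return work_hours[0] <= ts.hour < work_hours[1]


def detect_alerts(events, admin_accounts=ADMIN_ACCOUNTS, fail_threshold=5,
                  fail_window=timedelta(minutes=10), travel_window=timedelta(hours=1)):
    """Return (alert_type, user, detail) tuples for the SIEM rules in the text."""
    alerts = []
    by_user = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_user[event["user"]].append(event)

    for user, evs in by_user.items():
        fails = [e["ts"] for e in evs if e["result"] == "fail"]
        successes = [e for e in evs if e["result"] == "success"]

        # Repeated failures: any sliding window of fail_window holding >= threshold.
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j] - fails[i] <= fail_window:
                j += 1
            if j - i >= fail_threshold:
                alerts.append(("repeated_failures", user, f"{j - i} failures within {fail_window}"))
                break

        # Any failure against an administrative account is worth a look.
        if user in admin_accounts and fails:
            alerts.append(("admin_account_attempt", user, f"{len(fails)} failed attempts"))

        # Impossible travel: consecutive successes from different countries too close together.
        for prev, cur in zip(successes, successes[1:]):
            if prev["country"] != cur["country"] and cur["ts"] - prev["ts"] <= travel_window:
                alerts.append(("impossible_travel", user,
                               f"{prev['country']} -> {cur['country']} in {cur['ts'] - prev['ts']}"))

        for event in successes:
            if not in_work_hours(event["ts"]):
                alerts.append(("off_hours_login", user, event["ts"].isoformat()))
    return alerts


def step_up_required(event, last_country, admin_accounts=ADMIN_ACCOUNTS) -> bool:
    """Adaptive check at login time: ask for extra verification on unusual context."""
    return (event["user"] in admin_accounts
            or event["country"] != last_country
            or not in_work_hours(event["ts"]))


if __name__ == "__main__":
    for alert in detect_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

Running the block prints one alert per rule for the sample: alice trips the failure threshold, bob appears in two countries 30 minutes apart, carol signs in at 03:10, and admin-dba records failed attempts; dave's ordinary afternoon login produces nothing.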

Common mistakes

  • Making MFA 'optional' or only for administrators; automated attacks target regular user accounts; MFA must be mandatory for all.
  • Using SMS as MFA second factor; it is weak against SIM swapping. Authenticator apps (TOTP) or hardware keys (FIDO2) are more secure.
  • Not changing default passwords after account creation; many users inherit weak default credentials in directories; mandatory reset on first login is essential practice.

Frequently asked questions

What is the difference between authentication and authorization?

Authentication verifies who you are (valid credentials, correct MFA). Authorization defines what you can do with those privileges (permissions, roles, resource access). Example: authentication unlocks the front door with the right key; authorization defines which rooms you can enter with that key.

Why does MFA reduce breaches if it still requires passwords?

Because most attackers do not have access to the second factor (phone app, hardware key, biometrics): phishing steals passwords but fails at the second factor. 99+ percent of automated attacks cannot continue when MFA is active, and the operational cost of defeating MFA is prohibitive for mass attackers.

What is passwordless authentication and why is it more secure?

It does not use passwords; instead it relies on biometrics (fingerprint, facial recognition), a hardware key (FIDO2), or a trusted app notification. This eliminates phishing risk, credential stuffing, and password reuse. Microsoft, Google, and Apple offer it natively, and adoption is growing in enterprises.