What MFA is
Multi-Factor Authentication requires two or more proofs of identity at sign-in: something you know (password), something you have (a phone, hardware token, passkey), or something you are (biometric). For Microsoft 365 tenants, MFA is enforced through Entra ID in one of three ways: per-user MFA settings (deprecated), security defaults (basic), or Conditional Access (recommended).
Why phishing-resistant MFA matters now
Standard MFA that relies on SMS or phone-based authentication can be defeated by phishing or SIM swapping. The ACSC and Microsoft both now recommend phishing-resistant MFA — FIDO2 security keys, Windows Hello for Business, or passkeys in Microsoft Authenticator — for privileged accounts and remote access. Essential Eight Maturity Level 2 expects phishing-resistant MFA on internet-facing systems and privileged accounts.
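To check where a tenant stands against that recommendation, the added example below (not Microsoft or ACSC code) audits a list of accounts and flags privileged ones that lack a phishing-resistant method. The record fields and method names are assumptions modelled on Microsoft Graph's userRegistrationDetails report, and the sample accounts are constructed.

```python
"""Audit registered MFA methods per account (constructed sample data)."""

# Assumption: names mirror the method strings in the Graph
# userRegistrationDetails report; adjust them to match your own export.
PHISHING_RESISTANT = {
    "fido2SecurityKey",                 # FIDO2 security key
    "windowsHelloForBusiness",          # Windows Hello for Business
    "passKeyDeviceBoundAuthenticator",  # passkey in Microsoft Authenticator
}

def classify(methods):
    """Return 'none', 'phishable-only', 'mixed' or 'resistant-only'."""
    registered = set(methods)
    if not registered:
        return "none"
    strong = registered & PHISHING_RESISTANT
    weak = registered - PHISHING_RESISTANT  # SMS, voice, OTP, push, ...
    if not strong:
        return "phishable-only"
    return "mixed" if weak else "resistant-only"

def audit(users):
    """Return (upn, severity, reason) tuples for accounts needing attention."""
    findings = []
    for user in users:
        upn, admin = user["userPrincipalName"], user["isAdmin"]
        state = classify(user["methodsRegistered"])
        if state == "none":
            findings.append((upn, "high" if admin else "medium",
                             "no MFA method registered"))
        elif admin and state == "phishable-only":
            findings.append((upn, "high",
                             "privileged account has no phishing-resistant method"))
        elif admin and state == "mixed":
            findings.append((upn, "low",
                             "privileged account still has a phishable method registered"))
    return findings

# Constructed sample records, not taken from any real tenant.
SAMPLE_USERS = [
    {"userPrincipalName": "admin1@example.com", "isAdmin": True,
     "methodsRegistered": ["mobilePhone", "microsoftAuthenticatorPush"]},
    {"userPrincipalName": "admin2@example.com", "isAdmin": True,
     "methodsRegistered": ["fido2SecurityKey", "mobilePhone"]},
    {"userPrincipalName": "admin3@example.com", "isAdmin": True,
     "methodsRegistered": ["windowsHelloForBusiness"]},
    {"userPrincipalName": "user1@example.com", "isAdmin": False,
     "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "user2@example.com", "isAdmin": False,
     "methodsRegistered": []},
]

if __name__ == "__main__":
    for upn, severity, reason in audit(SAMPLE_USERS):
        print(f"{severity:6} {upn}: {reason}")
```

A "mixed" result matters only if sign-in policy still accepts the weaker method; a Conditional Access policy that requires phishing-resistant authentication for the account closes that gap.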