Multi-Factor Authentication

Also known as:
  • MFA
  • two-factor authentication
  • 2FA

An authentication mechanism requiring two or more independent verification factors, ensuring that credential theft alone cannot produce a successful breach.

Written by Askara Solutions editorial team · Updated

Multi-factor authentication exists because passwords alone have failed as a primary credential. Phishing campaigns routinely capture valid username-password pairs, credential stuffing attacks replay them at scale across multiple services, and data breaches expose them by the millions. MFA raises the cost of using a stolen credential by requiring a second factor that the attacker does not have: something the user physically holds (a hardware token, a phone running an authenticator app), something the user is (biometric), or a one-time code that expires before it can be replayed.

The three factor categories are: something you know (password, PIN), something you have (hardware key, authenticator app, SMS code), and something you are (fingerprint, facial recognition). Two factors from different categories are required for the authentication to qualify. An approach that combines a password with a security question asks for two things you know and does not count. For most enterprise use cases, the practical combination is password plus authenticator app, with hardware security keys reserved for privileged accounts and high-risk roles.

ISO 27001 Annex A.8.5 requires secure authentication for all access to systems that hold information assets, and current auditor expectations increasingly treat MFA as the baseline rather than a supplementary control. NIS2 Article 21 includes network and information system access control among the required security measures. For mid-market organisations in Europe, MFA deployment is typically straightforward for cloud and SaaS applications and significantly harder for legacy on-premises systems that pre-date modern authentication standards. The gap between the systems that are easy to protect with MFA and the systems that actually need it is often where residual credential risk concentrates. The Askara Solutions agent surfaces that gap as a risk register entry, mapping the systems that require MFA under your security policy against those that currently implement it, so the distance between policy intent and operating reality is visible before an auditor finds it.