MFA and 2FA get used interchangeably so often that it’s worth clearing up what they actually mean, and what we recommend regardless of which term you’ve heard.
What’s the actual difference?
Two-Factor Authentication (2FA) means logging in with exactly two things: usually a password, plus one additional factor — a code sent by text, a code from an authenticator app, or a fingerprint.
Multi-Factor Authentication (MFA) is the broader term, requiring two or more factors. Every 2FA setup is technically a form of MFA. The reverse isn’t always true — some MFA setups use three or more factors for especially sensitive access.
In practice, for almost every business, this distinction doesn’t matter very much. What matters is whether a second verification step is required at all, on top of a password, for every account.
Our position: MFA, enforced everywhere, no exceptions
We don’t tier this by how “sensitive” a particular account looks. We enforce a second verification step on every account, for every user, across every system we manage — email, Microsoft 365 or Google Workspace, VPN, and any other business-critical application.
Here’s why we don’t treat this as optional or scale it down for smaller, less sensitive-looking businesses: a compromised account doesn’t stay contained to “low-sensitivity” data. An attacker who gets into one mailbox can use it to launch convincing phishing attacks against your clients and suppliers, access financial information, or pivot into other systems entirely. The size of your business or the apparent sensitivity of one account doesn’t reduce the value of stopping that compromise in the first place.
Microsoft’s own data shows that enforcing this kind of second verification step blocks the vast majority of automated account takeover attempts. It is included at no extra cost in virtually every Microsoft 365 and Google Workspace licence. The only reason it isn’t already protecting every business is that it isn’t switched on and enforced by default — someone has to do that deliberately.
What this means for your business
If you’re already using Microsoft 365 or Google Workspace, the capability to enforce this across your business already exists in your licence. It typically isn’t enabled or enforced by default, which is one of the most common gaps we find during a free site survey.
We enforce this as standard for every managed support client, across every account, with no exceptions for “smaller” or “less sensitive” parts of the business.
Why this matters for Cyber Essentials
Multi-factor authentication is one of the technical controls assessed as part of Cyber Essentials certification. If you’re working towards certification, or maintaining it year on year, having this properly enforced across your business is one of the more straightforward boxes to tick — and one of the most commonly missed before a proper review.
For more on what we configure as part of your Microsoft 365 security, see our Microsoft 365 Security page. For the full picture of how this fits into your wider security setup, see our Security page.
One monthly fee. One number to call.
Whichever term you’ve heard — MFA or 2FA — what matters is whether it’s actually switched on. We make sure it is, across your whole business.
