MFA vs 2FA: What’s the Difference, and Which Does Your Business Need?

Smartphone showing a multi-factor authentication prompt

MFA and 2FA get used interchangeably so often that it’s worth clearing up what they actually mean, and what we recommend regardless of which term you’ve heard.

What’s the actual difference?

Two-Factor Authentication (2FA) means logging in with exactly two things: usually a password, plus one additional factor — a code sent by text, a code from an authenticator app, or a fingerprint.

Multi-Factor Authentication (MFA) is the broader term, requiring two or more factors. Every 2FA setup is technically a form of MFA. The reverse isn’t always true — some MFA setups use three or more factors for especially sensitive access.

In practice, for almost every business, this distinction doesn’t matter very much. What matters is whether a second verification step is required at all, on top of a password, for every account.

Our position: MFA, enforced everywhere, no exceptions

We don’t tier this by how “sensitive” a particular account looks. We enforce a second verification step on every account, for every user, across every system we manage — email, Microsoft 365 or Google Workspace, VPN, and any other business-critical application.

Here’s why we don’t treat this as optional or scale it down for smaller, less sensitive-looking businesses: a compromised account doesn’t stay contained to “low-sensitivity” data. An attacker who gets into one mailbox can use it to launch convincing phishing attacks against your clients and suppliers, access financial information, or pivot into other systems entirely. The size of your business or the apparent sensitivity of one account doesn’t reduce the value of stopping that compromise in the first place.

Microsoft’s own data shows that enforcing this kind of second verification step blocks the vast majority of automated account takeover attempts. It is included at no extra cost in virtually every Microsoft 365 and Google Workspace licence. The only reason it isn’t already protecting every business is that it isn’t switched on and enforced by default — someone has to do that deliberately.

What this means for your business

If you’re already using Microsoft 365 or Google Workspace, the capability to enforce this across your business already exists in your licence. It typically isn’t enabled or enforced by default, which is one of the most common gaps we find during a free site survey.

We enforce this as standard for every managed support client, across every account, with no exceptions for “smaller” or “less sensitive” parts of the business.

Why this matters for Cyber Essentials

Multi-factor authentication is one of the technical controls assessed as part of Cyber Essentials certification. If you’re working towards certification, or maintaining it year on year, having this properly enforced across your business is one of the more straightforward boxes to tick — and one of the most commonly missed before a proper review.

For more on what we configure as part of your Microsoft 365 security, see our Microsoft 365 Security page. For the full picture of how this fits into your wider security setup, see our Security page.

One monthly fee. One number to call.

Whichever term you’ve heard — MFA or 2FA — what matters is whether it’s actually switched on. We make sure it is, across your whole business.

Book your free site survey   or call +44 (0) 207 403 4031

FAQ

Common questions

What is the difference between MFA and 2FA?

Two-Factor Authentication (2FA) requires exactly two verification steps to log in, usually a password plus one additional factor such as a text code or an authenticator app. Multi-Factor Authentication (MFA) is the broader term for requiring two or more factors. Every 2FA setup is technically a form of MFA. In practice, the distinction matters less than whether a second verification step is enforced at all.

Is 2FA enough, or do we need full MFA?

We don’t recommend tiering this decision by how sensitive a particular account looks. We enforce a second verification step on every account across every business we manage, with no exceptions, because a compromised account in any part of the business can be used to attack other systems, clients, or suppliers, regardless of how sensitive that specific account initially appeared.

Does MFA cost extra on top of our Microsoft 365 or Google Workspace licence?

No. Multi-factor authentication is included at no additional cost in virtually every Microsoft 365 and Google Workspace plan. It typically isn’t switched on or enforced by default, which means many businesses are paying for a security feature they aren’t actually using.

Is multi-factor authentication required for Cyber Essentials?

Yes, MFA is one of the technical controls assessed as part of Cyber Essentials certification. Having it properly enforced across all accounts is one of the more straightforward requirements to meet, and also one of the most commonly missed before a formal review.

Can multi-factor authentication be bypassed?

No security control is completely unbeatable, but MFA significantly reduces the risk of account compromise compared to a password alone. Even if an attacker obtains a password through a data breach or phishing attempt, they cannot complete the login without the second factor. This is why we treat it as a baseline requirement rather than an optional extra.

Is MFA enforcement included in a Network Fish managed support contract?

Yes. We enforce multi-factor authentication across every account and platform as a standard part of our managed support service, at no additional charge.