Multi-factor authentication (MFA) strengthens authentication by requiring two or more independent factors before granting access: something you know (password), something you have (phone, hardware key), or something you are (biometrics). MFA blocks ~99.9% of automated account takeover attempts per Microsoft’s published data.
Factor strength, ranked: passkeys/FIDO2 (strongest), push notifications, TOTP apps, email codes, SMS codes (weakest, vulnerable to SIM-swap). The 2026 best practice for customer portals: passkeys primary, TOTP backup, SMS only for account recovery.
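The policy above (passkeys primary, TOTP backup, SMS only for account recovery) and the TOTP backup check can be sketched as follows. This is an added example, not code from the original page: the flow names, function names and the choice to accept passkeys and TOTP during recovery are assumptions, and the secret is the RFC 6238 test value.

```python
import hashlib
import hmac
import struct

# Ranking from the text above, strongest first.
RANK = ("passkey", "push", "totp", "email", "sms")
# Assumed flow names; SMS is accepted only in the recovery flow.
POLICY = {"login": {"passkey", "totp"}, "recovery": {"passkey", "totp", "sms"}}

def strongest_allowed(flow, enrolled):
    """Strongest enrolled factor the policy accepts for this flow, else None."""
    for factor in RANK:
        if factor in enrolled and factor in POLICY[flow]:
            return factor
    return None

def totp(secret, counter, digits=6):
    """RFC 6238 code (HMAC-SHA1) for one 30-second time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret, code, now, last_used_step, step=30, window=1):
    """Return the matched time step, or None if the code is wrong or replayed."""
    current = int(now) // step
    for counter in range(max(0, current - window), current + window + 1):
        if counter <= last_used_step:
            continue  # a code from this step or earlier was already accepted
        # Compare as bytes in constant time; also tolerates non-ASCII input.
        if hmac.compare_digest(totp(secret, counter).encode(), code.encode()):
            return counter  # caller stores this as the new last_used_step
    return None

if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    print(strongest_allowed("login", {"sms", "totp"}))
    print(verify_totp(secret, "287082", now=59, last_used_step=-1))
    print(verify_totp(secret, "287082", now=59, last_used_step=1))
```

Storing the returned step per account and passing it back as `last_used_step` is what stops a code observed in transit from being accepted a second time within its validity window.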
See our authentication portal article for current patterns.