In plain English
MFA means logging in requires more than just a password. Even if an attacker steals or guesses your password, they cannot access your account without also having your phone, hardware key, or biometric. It is one of the most effective controls against account takeover and is a core requirement of the Essential Eight.
Full definition
Authentication factors fall into three categories: knowledge factors (passwords, PINs), possession factors (authenticator apps, SMS codes, hardware tokens), and inherence factors (fingerprint, face ID). True MFA requires at least two different factor types.
Phishing-resistant MFA — such as hardware keys or Windows Hello for Business — is the strongest form. SMS-based codes, while better than no MFA, can be bypassed through SIM-swapping attacks and are not considered phishing-resistant.
Essential Eight Maturity Level 2 requires MFA for all internet-facing services and for privileged accounts. Maturity Level 3 requires phishing-resistant MFA across all user and admin accounts.
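The distinctions above (two factors of the same type are not MFA; SMS is MFA but not phishing-resistant; Maturity Level 2 versus Level 3 scope) are easy to get wrong in a policy review, so here is an added worked example that encodes them as a small checker. It is illustrative code written for this entry, not the Essential Eight's own tooling; the factor catalogue, the decision to model Windows Hello for Business as a device-bound possession factor, and the function names are assumptions made for the example, and only the rules stated in this entry are encoded.

```python
from dataclasses import dataclass
from enum import Enum


class FactorType(Enum):
    """The three authentication factor categories from the definition above."""
    KNOWLEDGE = "knowledge"    # something you know: password, PIN
    POSSESSION = "possession"  # something you have: app, SMS code, hardware token
    INHERENCE = "inherence"    # something you are: fingerprint, face ID


@dataclass(frozen=True)
class Factor:
    name: str
    kind: FactorType
    phishing_resistant: bool


# Constructed catalogue of the factors named in the entry.
PASSWORD = Factor("password", FactorType.KNOWLEDGE, phishing_resistant=False)
PIN = Factor("PIN", FactorType.KNOWLEDGE, phishing_resistant=False)
SMS_CODE = Factor("SMS code", FactorType.POSSESSION, phishing_resistant=False)  # SIM-swap exposed
AUTH_APP = Factor("authenticator app", FactorType.POSSESSION, phishing_resistant=False)
HARDWARE_KEY = Factor("hardware key", FactorType.POSSESSION, phishing_resistant=True)
# Modelling assumption: Windows Hello for Business is treated as a device-bound
# possession factor for the purposes of this example.
WINDOWS_HELLO = Factor("Windows Hello for Business", FactorType.POSSESSION, phishing_resistant=True)
FINGERPRINT = Factor("fingerprint", FactorType.INHERENCE, phishing_resistant=False)


def is_true_mfa(factors):
    """True MFA needs at least two *different* factor types, not just two factors."""
    return len({f.kind for f in factors}) >= 2


def is_phishing_resistant(factors):
    """A login is phishing-resistant MFA when it is true MFA and at least one
    factor is itself phishing-resistant (e.g. password + hardware key)."""
    return is_true_mfa(factors) and any(f.phishing_resistant for f in factors)


def essential_eight_check(level, factors, internet_facing, privileged):
    """Evaluate a login configuration against the MFA rules stated in this entry.

    Level 2: MFA on all internet-facing services and all privileged accounts.
    Level 3: phishing-resistant MFA on all user and admin accounts.
    Returns (compliant, reason).
    """
    names = " + ".join(f.name for f in factors)
    if level == 2:
        if not (internet_facing or privileged):
            return True, f"{names}: no MFA requirement stated at Level 2 for this account"
        if is_true_mfa(factors):
            return True, f"{names}: MFA present, meets Level 2"
        return False, f"{names}: Level 2 requires MFA here but only one factor type is used"
    if level == 3:
        if is_phishing_resistant(factors):
            return True, f"{names}: phishing-resistant MFA, meets Level 3"
        if is_true_mfa(factors):
            return False, f"{names}: MFA present but not phishing-resistant, fails Level 3"
        return False, f"{names}: not MFA at all, fails Level 3"
    raise ValueError("this example only encodes the Level 2 and Level 3 rules from the entry")


if __name__ == "__main__":
    for level, factors, inet, priv in [
        (2, [PASSWORD, PIN], True, False),           # two knowledge factors: not MFA
        (2, [PASSWORD, SMS_CODE], True, False),      # MFA, fine at Level 2
        (3, [PASSWORD, SMS_CODE], True, False),      # SMS fails Level 3
        (3, [PASSWORD, HARDWARE_KEY], True, True),   # phishing-resistant, meets Level 3
    ]:
        ok, why = essential_eight_check(level, factors, inet, priv)
        print(f"ML{level} {'PASS' if ok else 'FAIL'}: {why}")
```

Running the block prints one line per configuration; the password + PIN case is the one reviewers most often miss, since it looks like "two factors" but is a single factor type.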
