MFA

MFA combines two or more different factor categories, so a stolen password alone can’t grant access. Not all factors are equal: SMS one-time codes are phishable and SIM-swappable, and push approvals are vulnerable to MFA-fatigue (prompt-bombing) attacks, while phishing-resistant factors such as FIDO2/WebAuthn hardware keys bind the credential to the legitimate site and are the strongest option.