MFA is an effective way to increase protection for user accounts against common threats like phishing attacks, credential stuffing, and account takeovers. It adds another layer of security to your login process by requiring users to enter two or more pieces of evidence — or factors — to prove they’re who they say they are. One factor is something the user knows, such as their username and password combination. Other factors are verification methods that the user has in their possession, such as an authenticator app or security key. A familiar example of MFA at work is the two factors needed to withdraw money from an ATM. Your ATM card is something that you have and your PIN is something you know.
Tying user access to multiple, different types of authentication factors makes it much harder for a bad actor to access your Salesforce environment. For example, even if a user’s password is stolen, the odds are very low that an attacker will also be able to guess or hack a code from the user’s authenticator app.