Multi-Factor Authentication (MFA)
Multi-factor authentication means proving it's really you with a second step — an app prompt, a code, or a security key — on top of your password. It's the single most effective thing you can switch on, because even if someone steals your password, they still can't get in without that second step. Turn it on everywhere, and treat every prompt as something to take seriously.
A password can be guessed, phished, or leaked. MFA adds a second lock that an attacker almost never has, which is why an account with MFA is dramatically harder to break into. For us it's not optional on systems that touch company or customer data.
Attackers know MFA blocks them, so they've adapted: they try to trick you into approving a prompt you didn't start ("MFA fatigue"), or into reading them a code. The key habit is simple — only ever approve a prompt you personally just triggered, and never share a code with anyone.
Use it everywhere
- Do: Turn on MFA for every work account that offers it, and for your important personal accounts too.
- Do: Prefer an authenticator app or a security key over text-message codes where you get the choice — they're harder to intercept.
- Do: Keep your MFA method (phone/app) secure and updated, and tell IT before you change or lose the device it's on.
- Always: Only approve an MFA prompt that you yourself just triggered by logging in; if a prompt arrives out of nowhere, deny it and report it.
Don't let it be defeated
- Do: Treat an unexpected MFA prompt as a warning sign — it may mean someone has your password and is trying to get in. Deny it and tell security.
- Do not: Approve a prompt just to make it stop, or because you assume it's a glitch — repeated prompts can be an attacker hoping you'll cave.
- Never: Read out, type in, or share an MFA code because someone asked — by phone, message, or email. A real colleague or IT will never need your code.
- Never: Turn off, bypass, or "temporarily" skip MFA on a work account.
Ask yourself
- Ask: Did I just try to log in? If not, why is this prompt appearing — and should I deny and report it?
- Ask: Is anyone asking me for a code or to approve something? That's a red flag.
- Ask: Is MFA actually switched on for this account?