Multi-factor authentication combines 2 or more of: something you know (password, PIN), something you have (USB key, phone, …), and something you are (fingerprint, etc.). It dramatically lowers your risk if you require at least 2 different types from this list. But why?
Let’s first talk about the risks of losing control of one of these factors, and demonstrate that they are uncorrelated, independent risks.
First, the thing you are: your fingerprint, your face. What is the risk that you lose control of that feature? If you do, you normally have bigger risks to worry about. Some attacks on it can be mitigated (e.g. retina scanners that check that blood is flowing, temperature sensors on fingerprint readers), but normally we consider these outside the scope.
Second, the thing you have: your phone, a USB key. How do you lose this? Someone has to be physically near you; they break into your house, etc. This pool of people is relatively small.
Third, the thing you know. If you use a different password on every site, then losing it comes down to keyloggers or single-site breaches. If you share the password across sites, the risk goes up. The risk here is global: anyone, anywhere.
Now, let’s examine the risks across these. The criminal gang somewhere that has purchased a dump of passwords from some old forum you used has no overlap with the burglar that stole your phone. And this is the key. It’s not that each factor is e.g. 50% likely to be lost, so 2-factor is 1/4 likely to be lost. It’s exponential; they are not correlated.
Multi-factor, as long as you use 2 of the above, is very strong, and very simple.
What to watch out for? Don’t get tricked into using 2 factors from the same category. A common error is using SMS, thinking it’s something you have (the phone). But, actually, that SIM card in the phone is something you know… and, via SIM-jacking, your phone number can be hijacked. Systems that use a password + PIN… that is still just 2 things you know (the same goes for personal verification questions).
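To make the "uncorrelated risks" argument and the "same category" trap above concrete, here is a small added model (example code, not from the post): factors are labelled with the post's categories, a constructed table of attacker archetypes records which factors each can take over alone, and the two probability functions contrast independent losses with fully correlated ones. The archetype names and their coverage sets are illustrative assumptions.

```python
from math import prod

# Constructed example, not from the post: each factor labelled with the
# category the post assigns it (SMS codes count as "know", since the phone
# number behind them can be hijacked via SIM-jacking).
FACTOR_CATEGORY = {
    "password": "know",
    "pin": "know",
    "security_question": "know",
    "sms_code": "know",
    "usb_key": "have",
    "fingerprint": "are",
}

# Assumed attacker archetypes from the post, with the factors each one can
# take over by itself. Coverage sets are illustrative assumptions.
THREATS = {
    "credential_dump_gang": {"password", "pin", "security_question"},
    "keylogger": {"password", "pin", "security_question"},
    "burglar": {"usb_key"},
}

def categories(scheme):
    """Distinct factor categories a scheme draws from."""
    return {FACTOR_CATEGORY[f] for f in scheme}

def is_multi_factor(scheme):
    """True MFA needs at least two *different* categories."""
    return len(categories(scheme)) >= 2

def single_actor_defeats(scheme):
    """Archetypes that alone control every factor the scheme requires."""
    needed = set(scheme)
    return sorted(name for name, got in THREATS.items() if needed <= got)

def p_compromise_independent(probs):
    """Uncorrelated losses: every factor must fall, so probabilities multiply."""
    return prod(probs)

def p_compromise_same_actor(probs):
    """Fully correlated losses (one actor gets both): no better than the
    strongest single factor, i.e. the comonotonic upper bound min(p_i)."""
    return min(probs)

if __name__ == "__main__":
    for scheme in [("password", "pin"), ("password", "usb_key"),
                   ("password", "usb_key", "fingerprint")]:
        print(scheme, "MFA" if is_multi_factor(scheme) else "NOT MFA",
              "defeated alone by:", single_actor_defeats(scheme) or "nobody")
    # The post's 50% figures: 0.25 when independent, still 0.5 when correlated.
    print(p_compromise_independent([0.5, 0.5]), p_compromise_same_actor([0.5, 0.5]))
```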
What else to watch out for? Lateral traversal. Multi-factor authentication is for all users, all environments. It’s not something you use only “outside the VPN”, or only for “managers” or for “financial applications”. Don’t leave a door open for that criminal to wiggle in and walk sideways. Starve them.
I AM. I HAVE. I KNOW. The trifecta of simple and secure. Low cost, high return, all users, all applications.