MFA (Multi-Factor Authentication) requires at least two independent proofs of identity: something you know (password), something you have (smartphone, hardware token), or something you are (fingerprint). Even if an attacker obtains your password, the second factor blocks access. MFA is one of the most effective controls against credential-based attacks and is required by ISO 27001 Annex A.8.5 and NIS2 Art. 21. Prefer phishing-resistant methods like FIDO2/WebAuthn over SMS-based codes. In your ISMS, MFA should be mandatory for all administrative access, VPN connections, and cloud services.
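The policy above can be checked mechanically against an account inventory. The following is an added example, not part of the original entry: it counts independent factor categories per account, treats missing MFA as a violation for administrative, VPN and cloud access, and flags SMS as a weak second factor. The inventory format, method names, scope names and accounts are constructed assumptions.

```python
# Added example: audit accounts against the MFA policy described in this entry.
# Method names, scope names and the inventory below are constructed for illustration.
# Simplification (assumption): every method counts as exactly one factor category.
CATEGORY = {
    "password": "know", "pin": "know", "security_question": "know",
    "sms_otp": "have", "totp_app": "have", "hardware_token": "have",
    "fido2_webauthn": "have", "fingerprint": "are",
}
PHISHING_RESISTANT = {"fido2_webauthn"}
MANDATORY_SCOPES = {"admin", "vpn", "cloud"}  # MFA is mandatory for these

def classify(account):
    """Return (status, reason) for one account record."""
    methods = set(account["methods"])
    unknown = sorted(methods - set(CATEGORY))
    if unknown:
        return "review", "unrecognised method: " + ", ".join(unknown)
    categories = {CATEGORY[m] for m in methods}
    in_scope = bool(MANDATORY_SCOPES & set(account["scopes"]))
    if len(categories) < 2:
        # Two methods from the same category are not independent proofs,
        # e.g. password + security question is still only "something you know".
        status = "violation" if in_scope else "advisory"
        return status, "single factor category: " + (", ".join(sorted(categories)) or "none")
    second = {m for m in methods if CATEGORY[m] != "know"}
    if second == {"sms_otp"}:
        return "weak", "SMS code is the only second factor"
    if methods & PHISHING_RESISTANT:
        return "ok", "phishing-resistant factor enrolled"
    return "ok", "two independent factor categories"

def audit(inventory):
    """Map each user name to its (status, reason) result."""
    return {a["user"]: classify(a) for a in inventory}

# Constructed sample inventory.
INVENTORY = [
    {"user": "alice-admin", "scopes": ["admin", "cloud"], "methods": ["password", "fido2_webauthn"]},
    {"user": "bob-vpn", "scopes": ["vpn"], "methods": ["password", "sms_otp"]},
    {"user": "carol-admin", "scopes": ["admin"], "methods": ["password", "security_question"]},
    {"user": "dave-intranet", "scopes": ["intranet"], "methods": ["password"]},
    {"user": "erin-cloud", "scopes": ["cloud"], "methods": ["password", "fingerprint"]},
]

if __name__ == "__main__":
    for user, (status, reason) in audit(INVENTORY).items():
        print(f"{status:9} {user:14} {reason}")
```

The `carol-admin` record shows the case reviewers most often miss: two enrolled methods that both fall under "something you know" do not amount to MFA.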