We are always insisting that our clients always use multi-factor authentication (MFA) for absolutely every service they use. It is a prerequisite of any client we manage Microsoft 365 for that MFA is activated and enforced for everyone of their users.
Multi-factor authentication (MFA) is also referred to as dual-factor authentication (DFA) and two factor authentication (2FA). All have the same function to securely provide a one time password (OTP), only to the authorised user, so they can get access to a service. Examples of services that implement MFA for added security are; Microsoft 365, Google, WordPress and Amazon among many, many others.
However, of course, there are ways that hackers exploit MFA to gain unauthorised access to takeover accounts.
Lapsus$ and SolarWinds hackers both use the same old trick to bypass MFA | Ars Technica
Here is an article by Roger Grimes (sourced via Schneier on Security) looking at some of the issues with MFA:
Why Is the Majority of Our MFA So Phishable? Roger Grimes | LinkedIn
This does not however mean you should not use MFA whenever possible – just that you also need to have other processes in place to enhance your security.
A Quick overview of MFA:
Multifactor Authentication | MFA | Microsoft Security