Multi-factor authentication adds a second verification step. It improves security, but users should still verify where and why a prompt appeared.
A verification request should follow an action you intentionally started. An unexpected code may indicate someone else attempted access.
Enter a code only into the verified official service. Do not read it aloud to an unsolicited caller.
Do not approve repeated or unexpected push prompts. Report suspicious prompts through official channels.
Keep verification devices locked, updated, and under your control.
If a device is lost or replaced, follow the organization's authorized recovery process.