Multi-Factor Authentication (MFA)
MFA requires two or more independent verification factors, so a stolen password alone cannot grant access.
Multi-factor authentication (MFA) strengthens login security by requiring more than one form of proof of identity. Instead of a password alone, the user must present at least two independent factors from different categories, so a stolen password is not enough to gain access.
How It Works
Authentication factors fall into three categories: something you know (a password or PIN), something you have (a phone, hardware key, or authenticator app), and something you are (a fingerprint, face, or other biometric). MFA combines factors from at least two categories.
Common second factors include time-based one-time passwords (TOTP) from authenticator apps, push notifications, and hardware security keys using the FIDO2 and WebAuthn standards. SMS codes are still used but are weaker due to SIM-swapping and interception. Phishing-resistant methods such as passkeys and hardware keys are now preferred.
MFA is often enforced at the identity provider, so it applies across all applications connected through single sign-on. Adaptive MFA prompts for a second factor only when risk signals warrant it.
Why It Matters
Passwords are routinely stolen through phishing, breaches, and reuse. MFA blocks the vast majority of account-takeover attacks because the attacker would also need the second factor. Studies consistently show MFA prevents the large majority of automated credential attacks.
MFA is a core control in zero-trust architectures and a requirement in many compliance frameworks. The trade-off is user friction, which phishing-resistant passkeys help reduce while improving security.
Related Terms
MFA is commonly enforced through single sign-on and identity protocols like OpenID Connect and OAuth. It is a pillar of zero trust and complements least privilege.