What Is MFA?
Multi-Factor Authentication (MFA) adds security beyond passwords by requiring additional proof of identity. Even if an attacker steals a password, they can't access the account without the second factor.
Authentication Factors
| Factor Type | Description | Examples |
|---|---|---|
| Knowledge | Something you know | Password, PIN, security questions |
| Possession | Something you have | Phone, hardware security key, smart card |
| Inherence | Something you are | Fingerprint, face recognition, voice |
| Location | Where you are | GPS, IP geolocation, network |
| Behavior | How you act | Typing patterns, mouse movement |
MFA requires at least two different factor types. Two passwords would not qualify as MFA (both are knowledge factors).
MFA Methods Ranked by Security
From strongest to weakest:
- FIDO2/WebAuthn (Passkeys) — Phishing-resistant, hardware-bound credentials
- Hardware Security Keys (e.g. YubiKey) — Physical device, phishing-resistant
- Platform Authenticators — Built-in biometrics (Touch ID, Windows Hello)
- Authenticator Apps (TOTP) — Time-based codes from apps like Google Authenticator
- Push Notifications — Approve/deny on mobile device (vulnerable to push fatigue attacks)
- SMS/Voice — One-time codes via text or call (vulnerable to SIM swap attacks)
MFA and Zero Trust
MFA is a foundational requirement for Zero Trust architecture. Modern approaches go beyond simple MFA to adaptive/risk-based authentication that adjusts requirements based on context:
- New device? → Require MFA
- Unusual location? → Step up to stronger factor
- Sensitive application? → Always require hardware key
- Low-risk action from known device? → Allow password-only
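The four rules above, plus the "two different factor types" rule from the Authentication Factors section, are simple enough to express as policy code. The following is an added example, not code from the original page: the method-to-factor mapping and the assurance levels are assumptions chosen to match the page's table and ranking, and `Context` is a hypothetical stand-in for whatever signals a real identity provider exposes.

```python
from dataclasses import dataclass
from enum import Enum, auto


class FactorType(Enum):
    KNOWLEDGE = auto()
    POSSESSION = auto()
    INHERENCE = auto()


# Assumed mapping of login methods to (factor type, phishing-resistant?),
# following the page's table and its strongest-to-weakest ranking.
METHODS = {
    "password":           (FactorType.KNOWLEDGE,  False),
    "pin":                (FactorType.KNOWLEDGE,  False),
    "sms":                (FactorType.POSSESSION, False),
    "push":               (FactorType.POSSESSION, False),
    "totp":               (FactorType.POSSESSION, False),
    "platform_biometric": (FactorType.INHERENCE,  True),   # Touch ID / Windows Hello
    "passkey":            (FactorType.POSSESSION, True),   # FIDO2 / WebAuthn
    "hardware_key":       (FactorType.POSSESSION, True),   # e.g. YubiKey
}


def is_mfa(methods) -> bool:
    """MFA needs at least two *different* factor types, not two methods."""
    return len({METHODS[m][0] for m in methods}) >= 2


class Level(Enum):
    PASSWORD_ONLY = 1
    MFA = 2
    PHISHING_RESISTANT = 3
    HARDWARE_KEY = 4


@dataclass
class Context:
    """Hypothetical risk signals for one sign-in attempt."""
    new_device: bool = False
    unusual_location: bool = False
    sensitive_app: bool = False


def required_level(ctx: Context) -> Level:
    """The page's adaptive rules, evaluated strictest-first."""
    if ctx.sensitive_app:
        return Level.HARDWARE_KEY           # always require hardware key
    if ctx.unusual_location:
        return Level.PHISHING_RESISTANT     # step up to a stronger factor
    if ctx.new_device:
        return Level.MFA                    # require MFA
    return Level.PASSWORD_ONLY              # low risk from a known device


def satisfies(level: Level, methods) -> bool:
    """Do the presented methods meet the required assurance level?"""
    methods = list(methods)
    if not methods:
        return False
    if level is Level.PASSWORD_ONLY:
        return True
    if level is Level.MFA:
        return is_mfa(methods)
    if level is Level.PHISHING_RESISTANT:
        return is_mfa(methods) and any(METHODS[m][1] for m in methods)
    return is_mfa(methods) and "hardware_key" in methods


def decide(ctx: Context, methods) -> str:
    """Returns 'allow' or 'step_up:<level>' for the policy engine to act on."""
    level = required_level(ctx)
    return "allow" if satisfies(level, methods) else f"step_up:{level.name}"


if __name__ == "__main__":
    print(decide(Context(), ["password"]))
    print(decide(Context(new_device=True), ["password"]))
    print(decide(Context(sensitive_app=True), ["password", "totp"]))
```

Ordering the rules strictest-first matters: a sensitive application reached from a known device must still demand the hardware key, so the "low-risk, known device" rule can only apply once every stronger condition has been ruled out.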
Passwordless Authentication
The industry is moving toward passwordless authentication that eliminates passwords entirely, using passkeys (FIDO2), biometrics, or certificate-based authentication. This improves both security (no password to phish) and user experience (no password to remember).
MFA in Enterprise
When evaluating MFA for your organization, consider:
- Phishing resistance — FIDO2/WebAuthn support
- User experience — Minimize friction for legitimate users
- Coverage — MFA for all applications, not just SSO
- Adaptive policies — Risk-based authentication rules
- Recovery — Secure account recovery when factors are lost