Multi-Factor Authentication Cheat Sheet
Covers MFA factor types, common protocols like TOTP and WebAuthn, and implementation guidance for adding MFA to an application.
2 PagesBeginnerFeb 10, 2026
Authentication Factor Types
The categories combined to form multi-factor authentication.
- Something you know- Password, PIN, security question
- Something you have- Hardware token, authenticator app, smart card, phone
- Something you are- Biometrics: fingerprint, face, iris
- Somewhere you are- Location-based signals, sometimes used as an additional risk factor
- True MFA- Requires factors from at least two different categories, not two of the same type
TOTP Generation (Python)
Generating a time-based one-time password, as used by authenticator apps.
python
import pyotp# Generate a new secret when enrolling a usersecret = pyotp.random_base32()# Provisioning URI for QR code (scan in Google Authenticator, etc.)totp = pyotp.TOTP(secret)uri = totp.provisioning_uri(name="user@example.com", issuer_name="SkillVeris")# Verify a code entered by the useris_valid = totp.verify("123456")
Common MFA Methods, Ranked by Strength
Relative security of different MFA delivery mechanisms.
- Hardware security keys (FIDO2/WebAuthn)- Strongest; phishing-resistant, cryptographic challenge-response
- Authenticator app (TOTP)- Strong; offline-generated codes, but still phishable via fake login pages
- Push notification- Convenient, vulnerable to MFA fatigue/push-bombing attacks if not paired with number matching
- SMS/voice OTP- Weakest; vulnerable to SIM swapping and SS7 interception, avoid for high-value accounts
Implementation Considerations
Practical points when adding MFA to a system.
- Backup codes- Provide one-time recovery codes in case the primary factor is unavailable
- Rate limiting- Throttle verification attempts to prevent brute-forcing OTP codes
- Time window tolerance- Allow a small clock drift window (e.g. ±1 step) when validating TOTP codes
- Number matching- Require the user to enter a displayed number in push notifications to defeat fatigue attacks
Pro Tip
Prefer FIDO2/WebAuthn security keys for admin and privileged accounts — unlike TOTP or SMS, the cryptographic challenge is bound to the origin domain, so it can't be phished by a lookalike login page.
Was this cheat sheet helpful?
Explore Topics
#MultiFactorAuthentication#MultiFactorAuthenticationCheatSheet#Cybersecurity#Beginner#AuthenticationFactorTypes#TOTPGenerationPython#MFA#Methods#Security#CheatSheet#SkillVeris