100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

Multi-Factor Authentication Cheat Sheet

Multi-Factor Authentication Cheat Sheet

Covers MFA factor types, common protocols like TOTP and WebAuthn, and implementation guidance for adding MFA to an application.

2 PagesBeginnerFeb 10, 2026

Authentication Factor Types

The categories combined to form multi-factor authentication.

  • Something you know- Password, PIN, security question
  • Something you have- Hardware token, authenticator app, smart card, phone
  • Something you are- Biometrics: fingerprint, face, iris
  • Somewhere you are- Location-based signals, sometimes used as an additional risk factor
  • True MFA- Requires factors from at least two different categories, not two of the same type

TOTP Generation (Python)

Generating a time-based one-time password, as used by authenticator apps.

python
import pyotp# Generate a new secret when enrolling a usersecret = pyotp.random_base32()# Provisioning URI for QR code (scan in Google Authenticator, etc.)totp = pyotp.TOTP(secret)uri = totp.provisioning_uri(name="user@example.com", issuer_name="SkillVeris")# Verify a code entered by the useris_valid = totp.verify("123456")

Common MFA Methods, Ranked by Strength

Relative security of different MFA delivery mechanisms.

  • Hardware security keys (FIDO2/WebAuthn)- Strongest; phishing-resistant, cryptographic challenge-response
  • Authenticator app (TOTP)- Strong; offline-generated codes, but still phishable via fake login pages
  • Push notification- Convenient, vulnerable to MFA fatigue/push-bombing attacks if not paired with number matching
  • SMS/voice OTP- Weakest; vulnerable to SIM swapping and SS7 interception, avoid for high-value accounts

Implementation Considerations

Practical points when adding MFA to a system.

  • Backup codes- Provide one-time recovery codes in case the primary factor is unavailable
  • Rate limiting- Throttle verification attempts to prevent brute-forcing OTP codes
  • Time window tolerance- Allow a small clock drift window (e.g. ±1 step) when validating TOTP codes
  • Number matching- Require the user to enter a displayed number in push notifications to defeat fatigue attacks
Pro Tip

Prefer FIDO2/WebAuthn security keys for admin and privileged accounts — unlike TOTP or SMS, the cryptographic challenge is bound to the origin domain, so it can't be phished by a lookalike login page.

Was this cheat sheet helpful?

Explore Topics

#MultiFactorAuthentication#MultiFactorAuthenticationCheatSheet#Cybersecurity#Beginner#AuthenticationFactorTypes#TOTPGenerationPython#MFA#Methods#Security#CheatSheet#SkillVeris