100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cybersecurity

Multi-Factor Authentication (MFA)

BeginnerConcept2.6K learners

Multi-Factor Authentication (MFA) is a security method that requires users to verify their identity using two or more independent factors — typically something they know, something they have, and something they are — before granting access…

Definition

Multi-Factor Authentication (MFA) is a security method that requires users to verify their identity using two or more independent factors — typically something they know, something they have, and something they are — before granting access to an account or system.

Overview

Passwords alone are a weak security control: they can be guessed, phished, reused across sites, or leaked in a data breach. MFA addresses this by requiring an additional proof of identity beyond a password, so that a stolen password alone is not enough for an attacker to gain access. MFA factors generally fall into three categories: knowledge factors (a password or PIN), possession factors (a phone, hardware token like a Yubikey, or authenticator app), and inherence factors (biometrics such as a fingerprint or face scan). True multi-factor authentication combines factors from at least two of these categories; using two passwords, for example, would not count as MFA. Common implementations include push notifications approved on a mobile app (used by Duo Security), time-based one-time passcodes (TOTP), SMS codes, and phishing-resistant FIDO2/WebAuthn hardware keys. MFA is a core building block of modern identity security and is closely tied to Single Sign-On (SSO), where a single, strongly-verified login grants access to many downstream applications. It also underpins Zero Trust architectures, where every access request is continuously verified rather than trusted based on network location alone. Regulatory frameworks including PCI DSS, HIPAA, and SOC 2 increasingly mandate MFA for accessing sensitive systems, and most major breaches investigated by security researchers trace back, at least in part, to accounts that lacked it. As a result, MFA is widely regarded as one of the highest-value, lowest-cost security controls an organization can deploy.

Key Concepts

  • Combines two or more independent verification factors: knowledge, possession, and inherence
  • Common methods include push notifications, TOTP codes, SMS, and hardware keys
  • Phishing-resistant options (FIDO2/WebAuthn) bind authentication to the specific website domain
  • Frequently paired with Single Sign-On to secure one strong login point
  • Adaptive/conditional MFA can factor in device trust, location, and risk level
  • Required by many compliance frameworks including PCI DSS and HIPAA
  • Dramatically reduces the success rate of credential-stuffing and phishing attacks

Use Cases

Protecting employee logins to email, VPNs, and internal applications
Securing consumer accounts for banking, email, and social media
Meeting compliance requirements for handling payment or health data
Adding step-up verification for high-risk actions like password resets or large transactions
Reducing account-takeover risk after a password data breach
Enforcing stronger authentication for privileged/administrator accounts

Frequently Asked Questions

From the Blog