Multifactor authentication (MFA) is a way to verify a user’s identity by requiring at least two distinct forms of proof, such as an online account password and a fingerprint or other biometric data. MFA provides extra layers of protection beyond what passwords alone can offer.
Many internet users are familiar with the most common form of MFA, two-factor authentication (2FA). Two-factor authentication asks for only two pieces of evidence, but some MFA implementations ask for three or more.
For example, to log in to an email account protected by MFA, a user might need to enter the correct account password (the first factor) and a single-use passcode the email provider sends to the user’s mobile phone in a text message (the second factor). For an especially sensitive account, a third piece of evidence—such as possession of a hardware key—might be required.
The user can access the system only if every required factor checks out. If anything is wrong, the login attempt will fail.
MFA methods are used to access all kinds of sensitive accounts, assets and systems. They even appear offline: using a bank card (the first piece of evidence) and a PIN (the second piece of evidence) to withdraw cash from an ATM is a form of MFA.
MFA has become an increasingly important piece of corporate identity and access management (IAM) strategies. Standard single-factor authentication methods rely on usernames and passwords, which are easy to steal or crack. In fact, compromised credentials are the most common cause of data breaches, according to IBM's Cost of a Data Breach report.
MFA systems add an extra layer of security by requiring more than one piece of evidence to confirm a user's identity. Even if a hacker steals a password, they do not have enough to gain unauthorized access to a system. They still need that second factor.
Furthermore, the second factor is often something much harder to crack than a simple password, such as a fingerprint scan or a physical security token.
In an MFA system, users need at least two pieces of evidence, called "authentication factors," to prove their identities. MFA systems can use multiple types of authentication factors, and true MFA systems use at least two different types of factors.
Using different types of factors is considered more secure than using multiple factors of the same type because cybercriminals need to use separate methods across different channels to crack each factor.
For example, hackers might steal a user's password by planting spyware on a victim’s computer. Yet that spyware wouldn't pick up any one-time passcodes sent to the user's smartphone, nor would it copy the user's fingerprint. Attackers would need to intercept the SMS message carrying the passcode or hack the fingerprint scanner to gather all the credentials they need.
The types of authentication factors include knowledge factors, possession factors, inherent factors and behavioral factors.
Knowledge factors are pieces of information that, theoretically, only the user would know, such as passwords, PINs and answers to security questions. Knowledge factors, usually passwords, are the first factor in most MFA implementations.
However, knowledge factors are also the most vulnerable authentication factors. Hackers can obtain passwords and other knowledge factors through phishing attacks, installing malware on users' devices or staging brute-force attacks in which they use bots to generate and test potential passwords on an account until one works.
Other types of knowledge factors are also vulnerabilities. Answers to many security questions—such as the classic "What is your mother's maiden name?"—can be cracked through basic social media research or social engineering attacks that trick users into divulging personal information.
The common practice of requiring a password and a security question is not true MFA because it uses two factors of the same type—in this case, two knowledge factors. Rather, this would be an example of a two-step verification process. Two-step verification provides some additional security because it requires more than one factor, but it's not as secure as true MFA.
Possession factors are things a person owns that they can use to prove their identity. Possession factors include both digital software tokens and physical hardware tokens.
More common today, software tokens are digital security keys stored on or generated by a device the user owns, typically a smartphone or other mobile device. With software tokens, the user's device acts as the possession factor. The MFA system assumes that only the legitimate user would have access to the device and any information on it.
Software security tokens can take many forms, from digital certificates that automatically authenticate a user to one-time passwords (OTPs) that change every time a user logs on.
Some MFA solutions send OTPs to the user's phone by SMS, email or call. Other MFA implementations use authenticator apps: specialized mobile apps that continuously generate time-based one-time passwords (TOTPs). Many TOTPs expire in 30–60 seconds, making them difficult to steal and use before time runs out and the password is obsolete.
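The TOTP mechanism described above can be shown end to end. The following is an added example written for this page, not code from any authenticator app or from the original article: it implements the HMAC-based one-time password of RFC 4226 and the time-based variant of RFC 6238 with the Go standard library, using a 30-second step. The server-side `Verifier` type and its one-step tolerance window are assumptions of this example; it accepts a code only for the current step or the adjacent ones, and it remembers the last counter it accepted so that a code captured in transit cannot be replayed within the same step. The secret used in `main` is the RFC 6238 test-vector key, constructed here for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// Length of one time step in seconds; 30 s is the usual authenticator-app default.
const totpStep int64 = 30

// hotp computes the HMAC-SHA1 one-time password of RFC 4226 for one counter value.
func hotp(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	off := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totpAt derives the code for a Unix timestamp by using the time step as the counter (RFC 6238).
func totpAt(secret []byte, unixTime int64, digits int) string {
	return hotp(secret, uint64(unixTime/totpStep), digits)
}

// Verifier is the server side (assumed design for this example). It remembers the last
// counter it accepted so that a code captured by malware cannot be replayed in the same step.
type Verifier struct {
	secret      []byte
	digits      int
	lastCounter int64 // -1 until a code has been accepted
}

func NewVerifier(secret []byte, digits int) *Verifier {
	return &Verifier{secret: secret, digits: digits, lastCounter: -1}
}

// Verify accepts a code for the current step or one step either side (to absorb small
// clock skew), but never for a counter at or below the last one accepted. The comparison
// is constant-time so response timing does not reveal how many digits matched.
func (v *Verifier) Verify(code string, unixTime int64) bool {
	now := unixTime / totpStep
	for delta := int64(-1); delta <= 1; delta++ {
		c := now + delta
		if c < 0 || c <= v.lastCounter {
			continue
		}
		if hmac.Equal([]byte(hotp(v.secret, uint64(c), v.digits)), []byte(code)) {
			v.lastCounter = c
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo secret (the RFC 6238 test-vector key) that the app and server share at enrolment.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := totpAt(secret, now, 6)
	v := NewVerifier(secret, 6)
	fmt.Println("code:", code, "accepted:", v.Verify(code, now), "replay accepted:", v.Verify(code, now))
	fmt.Println("same code two minutes later accepted:", v.Verify(code, now+120))
}
```

The tolerance window is the trade-off the article alludes to: widening it makes clock drift less painful for users but lengthens the time a stolen code stays usable, so one step either side is a common compromise.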
Some authenticator apps use push notifications rather than TOTPs. When a user tries to log in to an account, the app sends a push notification directly to the iOS or Android operating system of the user's device. The user must tap the notification to confirm the login attempt.
Common authenticator apps include Google Authenticator, Microsoft Authenticator and LastPass Authenticator.
Other authentication systems use dedicated pieces of hardware that act as physical tokens. Some physical tokens plug into a computer's USB port and transmit authentication information automatically to apps and sites. Other hardware tokens are self-contained devices that generate OTPs on demand.
Hardware tokens might also include more traditional security keys, such as a fob that opens a physical lock or a smart card that a user must swipe through a card reader.
The main advantage of possession factors is that malicious actors must have the factor in their possession to impersonate a user. Often, that means stealing a physical smartphone or security key. Furthermore, OTPs expire after a set amount of time. Even if hackers steal one, there is no guarantee it will work.
But possession factors are not foolproof. Physical tokens can be stolen, lost or misplaced. Digital certificates can be copied. OTPs are harder to steal than traditional passwords, but they are still susceptible to certain types of malware, spear phishing scams or man-in-the-middle attacks.
Hackers can also use more sophisticated means. In a SIM cloning scam, attackers create a functional duplicate of the victim's smartphone's SIM card, enabling them to intercept passcodes sent to the user’s phone number.
MFA fatigue attacks take advantage of MFA systems that use push notifications. Hackers flood the user's device with fraudulent notifications in the hopes that the victim will accidentally confirm one, allowing the hacker into their account.
Also called “biometrics,” inherent factors are physical traits unique to the user, such as fingerprints, facial features and retina scans. Many smartphones and laptops come with face scanners and fingerprint readers, and many apps and websites can use this biometric data as an authentication factor.
While inherent factors are among the most difficult to crack, it can be done. For example, security researchers found a way to hack the Windows Hello fingerprint scanners on certain laptops. The researchers were able to replace registered users' fingerprints with their own, effectively granting them control of the devices.
Advances in artificial intelligence (AI) image generation also raise concerns for cybersecurity experts, as hackers might use these tools to trick facial recognition software.
When biometric data is compromised, it can't be changed quickly or easily, making it difficult to stop attacks in progress and regain control of accounts.
Behavioral factors are digital artifacts that help verify a user's identity based on behavioral patterns, such as the user's typical IP address range, location and average typing speed.
For example, when logging in to an app from a corporate virtual private network (VPN), a user might only need to supply one authentication factor. Their presence on the trusted VPN counts as the second factor.
Similarly, some systems allow users to register trusted devices as authentication factors. Whenever the user accesses the system from the trusted device, the use of the device automatically functions as the second factor.
While behavioral factors offer a sophisticated way to authenticate users, hackers can still impersonate users by copying their behavior.
For example, if a hacker gains access to a trusted device, they can use it as an authentication factor. Likewise, attackers can spoof their IP addresses to make it look as if they are connected to the corporate VPN.
Adaptive MFA uses adaptive authentication, also called “risk-based authentication.” Adaptive authentication systems use AI and machine learning (ML) to evaluate user activity and dynamically adjust authentication challenges. The riskier a situation is, the more authentication factors the user must supply.
For example, if a user tries to log in to a low-level app from a known device on a trusted network, they might need to enter only a password.
If that same user tries to log in to that same app from an unsecured public Wi-Fi connection, they might be required to supply a second factor.
If the user tries to access especially sensitive information or alter critical account information, they might need to provide a third or even a fourth factor.
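The escalation just described (password only on a known device and trusted network, a second factor from public Wi-Fi, a third for sensitive data or critical changes) and the trusted-device and VPN signals from the behavioral-factor section can be expressed as a small policy engine. The following is an added example written for this page, not any vendor's adaptive-authentication product or code from the original article. The `LoginContext` signals, the one-point-per-signal score and the factor ladder are assumptions chosen to mirror the three scenarios above; the `proven` argument models step-up authentication, where a session that already satisfied some factors is asked only for the ones still missing.

```go
package main

import "fmt"

// Factor types this policy can ask for. Behavioral evidence (trusted device,
// trusted network) is consumed as a risk signal rather than presented as a challenge.
type Factor string

const (
	Knowledge  Factor = "knowledge"  // password or PIN
	Possession Factor = "possession" // authenticator app or hardware key
	Inherent   Factor = "inherent"   // fingerprint or face scan
)

// LoginContext carries the signals an adaptive engine weighs. In production they come
// from device registration, network inventory and a resource catalogue; here they are
// plain inputs with assumed names.
type LoginContext struct {
	KnownDevice    bool // the request comes from a registered trusted device
	TrustedNetwork bool // e.g. the corporate VPN rather than public Wi-Fi
	SensitiveData  bool // the resource holds financial data, PII, etc.
	CriticalChange bool // the action alters critical account information
}

// Decision is what the policy hands to the login flow. Reasons belong in the audit
// log so a reviewer can later see why a user was (or was not) challenged.
type Decision struct {
	Required    []Factor // everything this attempt must satisfy
	Outstanding []Factor // the subset not yet proven in this session
	Reasons     []string
}

// riskScore adds one point per risk signal present.
func riskScore(ctx LoginContext) (int, []string) {
	score, reasons := 0, []string{}
	if !ctx.KnownDevice {
		score++
		reasons = append(reasons, "unrecognised device")
	}
	if !ctx.TrustedNetwork {
		score++
		reasons = append(reasons, "untrusted network")
	}
	if ctx.SensitiveData {
		score++
		reasons = append(reasons, "sensitive resource")
	}
	if ctx.CriticalChange {
		score++
		reasons = append(reasons, "critical account change")
	}
	return score, reasons
}

// Evaluate maps the score onto an escalating ladder of distinct factor types
// (0 -> password only, 1 -> add possession, 2 or more -> add inherent) and removes
// whatever the caller has already proven in this session.
func Evaluate(ctx LoginContext, proven []Factor) Decision {
	ladder := []Factor{Knowledge, Possession, Inherent}
	score, reasons := riskScore(ctx)
	n := 1 + score
	if n > len(ladder) {
		n = len(ladder)
	}
	required := ladder[:n]
	done := map[Factor]bool{}
	for _, f := range proven {
		done[f] = true
	}
	outstanding := []Factor{}
	for _, f := range required {
		if !done[f] {
			outstanding = append(outstanding, f)
		}
	}
	return Decision{Required: required, Outstanding: outstanding, Reasons: reasons}
}

func main() {
	scenarios := map[string]LoginContext{
		"known device, corporate VPN, low-risk app": {KnownDevice: true, TrustedNetwork: true},
		"known device, public Wi-Fi, low-risk app":  {KnownDevice: true},
		"known device, VPN, editing payment details": {KnownDevice: true, TrustedNetwork: true, SensitiveData: true, CriticalChange: true},
	}
	for name, ctx := range scenarios {
		d := Evaluate(ctx, nil)
		fmt.Printf("%-45s -> %v (reasons: %v)\n", name, d.Required, d.Reasons)
	}
}
```

Keeping the reasons alongside the decision is what makes such a system maintainable in practice: when users complain about unexpected prompts, or when an investigator asks why a suspicious login was not challenged, the log answers without reverse-engineering the scoring.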
Adaptive authentication systems can help organizations address some of the most common challenges of MFA implementations. For example, users might resist MFA because they find it less convenient than a simple password. Adaptive MFA makes it so that users only need multiple factors for sensitive situations, improving the user experience.
For an organization, different assets and parts of the network might call for different levels of security. Requiring MFA for every app and activity might produce a bad user experience with little security benefit.
Adaptive authentication systems enable organizations to define more granular access management processes based on the users, activities and resources involved, instead of applying a one-size-fits-all solution.
That said, adaptive systems might require more resources and expertise to maintain than a standard MFA solution.
Passwordless MFA systems only accept possession, inherent and behavioral factors—not knowledge factors. For example, asking a user for a fingerprint together with a physical token would constitute passwordless MFA.
Passkeys, such as those based on the popular FIDO standard, are one of the most common passwordless forms of authentication. They use public key cryptography to verify a user’s identity.
Passwordless MFA does away with knowledge factors because they are the easiest factors to compromise. While most current MFA methods use passwords, industry experts anticipate an increasingly passwordless future. Organizations including Google, Apple, IBM and Microsoft offer passwordless authentication options.
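The public key cryptography behind passkeys can be illustrated with a challenge-response exchange. The following is an added example written for this page; it is not code from the FIDO Alliance, any WebAuthn library or the original article. It uses Ed25519 from the Go standard library and deliberately simplifies WebAuthn to its core: at registration the server stores only the public key, and at login the device signs a fresh server challenge together with a hash of the relying party identifier. The `Register`, `Authenticator` and `VerifyAssertion` names and the exact bytes that are signed are assumptions of this example, not the WebAuthn wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Credential is the server-side record created at registration. Only the public key is
// stored, so a leaked credential database gives an attacker nothing that can sign.
type Credential struct {
	UserID    string
	PublicKey ed25519.PublicKey
}

// Authenticator models the user's device. The private key is generated on the device
// and never leaves it; the user unlocks it locally (PIN or biometric) to sign.
type Authenticator struct {
	rpID string // relying party the key pair was created for, e.g. "example.com"
	priv ed25519.PrivateKey
}

// Register creates a key pair bound to one relying party and returns the server's
// record and the device-side authenticator.
func Register(userID, rpID string) (Credential, *Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Credential{}, nil, err
	}
	return Credential{UserID: userID, PublicKey: pub}, &Authenticator{rpID: rpID, priv: priv}, nil
}

// NewChallenge returns 32 random bytes; a fresh value per login is what defeats replay.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData binds the challenge to the relying party, a simplified form of how
// WebAuthn mixes the RP ID hash and client data into the signed message.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Assert is the device's answer to a login challenge.
func (a *Authenticator) Assert(challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedData(a.rpID, challenge))
}

// VerifyAssertion is the server check: the signature must cover the challenge this
// server issued and this server's own RP ID, under the public key stored at registration.
func VerifyAssertion(cred Credential, rpID string, challenge, sig []byte) bool {
	return ed25519.Verify(cred.PublicKey, signedData(rpID, challenge), sig)
}

func main() {
	cred, device, err := Register("alice", "example.com")
	if err != nil {
		panic(err)
	}
	challenge, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	sig := device.Assert(challenge)
	fmt.Println("genuine relying party accepts:", VerifyAssertion(cred, "example.com", challenge, sig))
	// A site with a different identifier cannot reuse the assertion: the RP ID is inside the signed data.
	fmt.Println("other relying party accepts:", VerifyAssertion(cred, "other.example", challenge, sig))
}
```

Two properties follow directly from the construction: a captured assertion is useless against a second login because the challenge changes, and a response produced for one relying party does not verify under another, which is why FIDO credentials are described as resistant to credential phishing.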
Organizations use authentication systems to protect user accounts from unauthorized access. However, in the most basic authentication systems, a password is all it takes to gain access, which is not much more secure than "Charlie sent me."
According to IBM's Cost of a Data Breach report, compromised credentials and phishing are the two most common cyberattack vectors behind data breaches. Together, they account for 31% of breaches. Both vectors often work by stealing passwords, which hackers can use to hijack legitimate accounts and devices to wreak havoc.
Hackers target passwords because they're easy to crack through brute force or deception. Furthermore, because people reuse passwords, hackers can often use a single stolen password to break into multiple accounts. The consequences of a stolen password can be significant for users and organizations, leading to identity theft, monetary theft, system sabotage and more.
MFA adds an extra layer of protection to user accounts, helping to thwart unauthorized access by putting more obstacles between attackers and their targets. Even if hackers can steal a password, they need at least one more factor to get in.
MFA can also help organizations meet compliance requirements. For example, the Payment Card Industry Data Security Standard (PCI DSS) explicitly requires MFA for systems that handle payment card data.
Other data privacy and security regulations, such as the Sarbanes-Oxley (SOX) Act and the General Data Protection Regulation (GDPR), don't explicitly require MFA. Still, MFA systems can help organizations meet the strict security standards these laws set.
In some instances, organizations have been compelled to adopt MFA in the wake of data breaches. For example, the Federal Trade Commission ordered the online alcohol seller Drizly to implement MFA following a breach that affected 2.5 million customers.
Single sign-on (SSO) is an authentication scheme that enables users to log in to multiple applications by using a single set of credentials. While SSO and MFA both deal with authentication, they serve fundamentally different purposes: MFA enhances security while SSO is designed for ease of use.
SSO is often used within organizations where staff members must access multiple services or apps to do their jobs. Requiring users to create separate accounts for each app can lead to password fatigue—that is, the stress associated with remembering an unreasonable number of logins.
SSO enables people to use a single login for multiple applications, improving the user experience.
MFA doesn't necessarily address the user experience issue, but it does add extra layers of security to the login process.
MFA and SSO are related and complementary in that modern SSO systems often require MFA, helping ensure that sign-on is both convenient and relatively secure.
The difference between 2FA and MFA is that 2FA uses exactly two factors, while MFA might require two, three or even more factors—depending on the level of security needed. 2FA is a type of MFA.
Most MFA applications use 2FA because two factors are often sufficiently secure. However, organizations might require additional factors to prove an identity before granting access to highly sensitive information such as financial data or files containing personally identifiable information (PII).