Multi-Factor Authentication (MFA)
MFA stands for multi-factor authentication.
It is a security method that requires two or more authentication factors to verify access to an account, application, device, or system.
What it does
MFA adds extra protection on top of a password-only login.
Even if one factor is compromised, an attacker still has to satisfy at least one additional factor before access is granted.
Common examples include:
- A password plus an OTP code from an authenticator app
- A password plus a push approval
- A password plus a hardware security key
- A password plus a biometric check
Core concepts
Factor types
MFA usually combines factors from categories such as:
- Something you know, such as a password or PIN
- Something you have, such as a phone, authenticator app, or security key
- Something you are, such as a fingerprint or face scan
MFA vs 2FA
2FA is one kind of MFA.
2FA means exactly two factors are required. MFA is the broader category and can include two or more factors.
Why MFA matters
MFA reduces the risk of account takeover by making a stolen password less useful on its own.
This is especially important for email, admin access, finance tools, developer accounts, and other sensitive systems.
Common use cases
- Protecting work and personal accounts
- Securing admin panels, dashboards, and infrastructure access
- Protecting developer tools and cloud services
- Strengthening sign-in flows beyond password-only authentication
- Complementing password managers and good secret hygiene
Practical notes
- MFA is stronger than password-only authentication.
- Organizations should prefer phishing-resistant MFA when possible.
- In real-world deployments, MFA is most often implemented as 2FA.
- MFA works best alongside strong passwords, encryption, and good operational security.
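The factor categories and the phishing-resistance note above can be turned into an enrollment audit. The following is an added example, not part of the original page: it counts distinct factor categories per account, so a password plus a PIN is reported as one factor, and flags sensitive roles that lack a phishing-resistant method. The method labels, role names, account records, and the choice to treat only hardware security keys as phishing-resistant are assumptions made for this example.

```python
from enum import Enum

class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"

# Hypothetical method labels for this example, mapped to the page's factor categories.
METHOD_FACTOR = {
    "password": Factor.KNOW, "pin": Factor.KNOW,
    "totp_app": Factor.HAVE, "push": Factor.HAVE, "security_key": Factor.HAVE,
    "fingerprint": Factor.ARE, "face_scan": Factor.ARE,
}
# Assumption: of the methods above, only hardware security keys are phishing-resistant.
PHISHING_RESISTANT = {"security_key"}

def classify(methods):
    """Return (distinct_factor_count, label) for the methods a sign-in requires."""
    unknown = sorted(m for m in set(methods) if m not in METHOD_FACTOR)
    if unknown:
        raise ValueError(f"unmapped methods: {unknown}")
    count = len({METHOD_FACTOR[m] for m in methods})
    label = {0: "none", 1: "single-factor", 2: "2FA"}.get(count, "MFA (3 factors)")
    return count, label

def audit(accounts, sensitive_roles=("admin", "finance", "developer")):
    """Return findings for accounts whose sign-in is weaker than it looks."""
    findings = []
    for acct in accounts:
        methods = acct["required_methods"]
        count, label = classify(methods)
        if count < 2:
            # Two methods from one category (password + PIN) are still one factor.
            reason = "same-category methods" if len(set(methods)) > 1 else "no second factor"
            findings.append((acct["user"], "NOT_MFA", reason))
        elif acct["role"] in sensitive_roles and PHISHING_RESISTANT.isdisjoint(methods):
            findings.append((acct["user"], "NOT_PHISHING_RESISTANT", label))
    return findings

# Constructed sample data, not taken from any real system.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "role": "admin", "required_methods": ["password", "security_key"]},
    {"user": "bob", "role": "admin", "required_methods": ["password", "totp_app"]},
    {"user": "carol", "role": "staff", "required_methods": ["password", "pin"]},
    {"user": "dave", "role": "finance", "required_methods": ["password"]},
    {"user": "erin", "role": "staff", "required_methods": ["password", "push"]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS):
        print(finding)
```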
Frequently Asked Questions
Is MFA the same as 2FA?
Not exactly. 2FA is a subtype of MFA that uses exactly two factors.
Is MFA always required in order to use biometrics?
No. A biometric can be one factor in an MFA flow, but biometrics can also be used in other authentication setups.
Is MFA worth using even if it adds friction?
Yes. For important accounts and systems, the security benefit usually outweighs the small amount of added login friction.