CyberPedia
Multifactor Authentication (MFA)
Overview
Multifactor Authentication (MFA) is a security method where you prove who you are in more than one way before getting into an account or system. Instead of relying only on a password, MFA adds one or more extra “checks,” making it much harder for attackers to break in—even if they know your password.
In everyday terms: with MFA, a thief would need both your key and your phone (or fingerprint, or code) instead of just guessing or stealing your password.
The Three Main “Factors”
MFA combines at least two of these categories:
Something you know
Passwords, PINs, answers to security questions.
Something you have
Your phone, a hardware token (small security device), smart card, or a one‑time code generator.
Something you are
Fingerprint, face recognition, or other biometric data.
Two‑factor authentication (2FA) is a specific kind of MFA that uses exactly two of these; MFA in general can use two or more.
Common MFA Methods
Examples you’re likely to see:
One‑time codes via app
An authenticator app (like Microsoft Authenticator, Google Authenticator, or similar) generates short codes that change every 30–60 seconds.
Push notifications
A prompt appears on your phone asking “Are you trying to sign in?” and you tap Approve or Deny.
Text message (SMS) codes
A code is sent by text that you type in after your password. (Better than nothing, but weaker than app or hardware methods.)
Hardware security keys
Small physical devices (like USB or NFC keys) you plug in or tap to confirm your login.
Biometrics
Fingerprint or face scan to unlock apps or approve access.
Why MFA Matters for Security
Passwords alone are often weak:
People reuse them, choose simple ones, or fall for phishing scams.
Password databases can be leaked or stolen, and attackers can buy these lists.
MFA adds a second barrier:
Even if an attacker knows your password, they still need your phone, hardware key, or biometric approval.
This dramatically reduces successful account takeovers, including for email, banking, remote access, and admin accounts.
Business Benefits
For organizations, MFA:
Blocks many common attacks
Especially phishing‑based logins, credential stuffing (trying leaked passwords on many sites), and simple password guessing.
Protects high‑value accounts
Admins, executives, remote access (VPN), email, cloud dashboards, and finance/HR systems.
Supports compliance
Many regulations and industry standards now expect or require MFA for sensitive systems and remote access.
Reduces incident impact and costs
Fewer successful compromises means fewer breaches, fraud events, and recovery efforts.
Everyday User Experience
From a user’s perspective, MFA usually means:
Entering your username and password as usual.
Then confirming your identity with one extra step, such as:
Typing a 6‑digit code from an app or text.
Tapping “Approve” on a phone notification.
Plugging in or tapping a security key.
Many systems remember the device for a period (for example, “don’t ask again for 30 days” on a trusted computer), so you don’t have to do the extra step every single time.
Best Practices for Using MFA
For individuals and employees:
Turn on MFA wherever it’s offered
Prioritize email, banking, password managers, cloud storage, social media, and work accounts.
Prefer app or hardware‑based methods over SMS
Text messages can sometimes be intercepted or redirected; authenticator apps and hardware keys are generally stronger.
Protect your second factor
Lock your phone with a PIN/biometric, don’t share your device, and keep hardware keys in a safe place.
Never share MFA codes
Treat one‑time codes like passwords; don’t read them out over the phone or type them into links sent by email or text.
Have backup options
Set up backup methods (backup codes, second device, or extra key) so you don’t get locked out if you lose your phone.
Common Pitfalls and Attacks Against MFA
Attackers still try to work around MFA:
Phishing that captures both password and code
A fake login page collects your password and the one‑time code you type in, and the attacker uses both on the real site right away, before the code expires.
MFA fatigue / push bombing
Attackers flood you with approval prompts, hoping you’ll tap Approve just to make them stop.
SIM‑swap attacks
Criminals trick mobile carriers into moving your phone number to their SIM card and then receive your SMS codes.
Defenses against these:
Use phishing‑resistant methods when possible (like hardware security keys or advanced app‑based MFA that checks the website is genuine).
Never approve a login notification you didn’t start yourself.
If you get repeated prompts, deny them and report it to IT or security.
Consider moving away from SMS‑only MFA for critical accounts.
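The push‑bombing pattern above, and the advice to deny repeated prompts and report them, can be backed up on the server side by watching the authentication log. The following is an added example, not code from the CyberPedia page or from any MFA product: it scans constructed push‑notification events in a made‑up log format and raises an alert when a user receives many prompts inside a short window, or approves a prompt after repeatedly denying within that window. The field names, thresholds and window length are assumptions; the sample lines and addresses are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a made-up "timestamp key=value ..." format (not a real product's log).
# alice is being push-bombed and finally approves; bob is a normal single sign-in.
SAMPLE_LOG = """\
2024-05-01T09:00:05Z user=alice event=push_sent src=203.0.113.7
2024-05-01T09:00:20Z user=alice event=push_denied src=203.0.113.7
2024-05-01T09:00:40Z user=alice event=push_sent src=203.0.113.7
2024-05-01T09:00:55Z user=alice event=push_denied src=203.0.113.7
2024-05-01T09:01:10Z user=bob event=push_sent src=198.51.100.20
2024-05-01T09:01:15Z user=bob event=push_approved src=198.51.100.20
2024-05-01T09:01:30Z user=alice event=push_sent src=203.0.113.7
2024-05-01T09:01:45Z user=alice event=push_denied src=203.0.113.7
2024-05-01T09:02:00Z user=alice event=push_sent src=203.0.113.7
2024-05-01T09:02:30Z user=alice event=push_sent src=203.0.113.7
2024-05-01T09:03:00Z user=alice event=push_sent src=203.0.113.7
2024-05-01T09:03:20Z user=alice event=push_approved src=203.0.113.7
"""


def parse_line(line: str):
    """Split one 'timestamp key=value ...' line into (datetime, user, event)."""
    ts_str, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv["event"]


def detect_push_bombing(log_text: str, max_prompts: int = 5, min_denials: int = 2,
                        window: timedelta = timedelta(minutes=10)):
    """Return (user, alert_kind, timestamp) tuples; each kind fires once per user.
    Thresholds are assumed values that a team would tune to its own prompt volume."""
    sent = defaultdict(deque)   # user -> prompt timestamps still inside the sliding window
    denied = defaultdict(list)  # user -> timestamps of denied prompts
    fired = set()
    alerts = []

    def raise_alert(user, kind, ts):
        if (user, kind) not in fired:
            fired.add((user, kind))
            alerts.append((user, kind, ts))

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event = parse_line(line)
        if event == "push_sent":
            q = sent[user]
            q.append(ts)
            while ts - q[0] > window:  # drop prompts older than the window
                q.popleft()
            if len(q) >= max_prompts:
                raise_alert(user, "push_bombing", ts)
        elif event == "push_denied":
            denied[user].append(ts)
        elif event == "push_approved":
            recent = [d for d in denied[user] if ts - d <= window]
            if len(recent) >= min_denials:
                # The dangerous case: the user gave in and approved after saying no several times.
                raise_alert(user, "approval_after_repeated_denials", ts)
    return alerts


if __name__ == "__main__":
    for user, kind, ts in detect_push_bombing(SAMPLE_LOG):
        print(f"{ts.isoformat()} ALERT {kind} user={user}")
```

The first alert kind is a warning that someone holds the user's password and is hammering the prompt; the second is the one to escalate immediately, because it means a session was granted after the user had already rejected several prompts, and that session and the password behind it should both be treated as compromised.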