Multi-Factor Authentication
MFA.
A security control requiring at least two independent factors from distinct categories (knowledge, possession, inherence) to authenticate a user.
Microsoft's published data shows that 99.9% of compromised accounts lacked MFA (Microsoft Security Intelligence, 2023), which makes MFA the single highest-leverage CIAM control. The 2026 best practice is adaptive MFA (challenge only on risky signals) plus phishing-resistant factors (passkeys preferred over OTP-class factors), with default-on enrollment at registration to capture the majority of adoption.
Common questions
Is SMS OTP still acceptable for MFA in 2026?
It is better than nothing but is the weakest common factor. SMS codes are phishable and vulnerable to SIM-swap and interception, and NIST has discouraged them since 2017. Use SMS only as a fallback; prefer TOTP apps or, better, passkeys for phishing-resistant MFA.
What is adaptive MFA?
Adaptive, or risk-based, MFA varies the authentication requirement based on signals such as device, location, IP reputation, and behavior. A login from a known device on a trusted network may pass with just a password, while an anomalous one is challenged for a second factor. It cuts friction for low-risk logins without lowering the security ceiling.
Do passkeys count as MFA?
A passkey is inherently multi-factor in a single step: it combines something you have, the device holding the private key, with something you are or know, the biometric or PIN that unlocks it. So a passkey satisfies MFA on its own, which is why it both strengthens security and removes the second-prompt friction of password-plus-OTP.
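One way to express the adaptive policy and factor preference described in the answers above, as an added example that is not from the original page. The signal names, weights and threshold are assumptions chosen for illustration, not values from any product.

```python
from dataclasses import dataclass

# Step-up preference, strongest first: passkeys are phishing-resistant,
# TOTP is phishable, SMS is a fallback only (ordering follows the page).
FACTOR_PREFERENCE = ("passkey", "totp", "sms")

# Hypothetical risk weights and threshold; tune against real login telemetry.
RISK_WEIGHTS = {"new_device": 40, "untrusted_network": 20,
                "bad_ip_reputation": 30, "unusual_behavior": 30}
CHALLENGE_THRESHOLD = 40


@dataclass(frozen=True)
class LoginAttempt:
    primary: str          # "password" or "passkey"
    signals: frozenset    # risk signals raised for this login
    enrolled: frozenset   # second factors the user has enrolled


def risk_score(signals):
    """Sum signal weights; an unrecognised signal counts as a full
    threshold's worth of risk so the policy fails closed."""
    return sum(RISK_WEIGHTS.get(s, CHALLENGE_THRESHOLD) for s in signals)


def decide(attempt):
    """Return (action, factor): allow, challenge with a factor, or enroll."""
    # A passkey is possession plus biometric/PIN in one step: no second prompt.
    if attempt.primary == "passkey":
        return ("allow", None)
    # Low-risk password login (known device, trusted network) passes as-is.
    if risk_score(attempt.signals) < CHALLENGE_THRESHOLD:
        return ("allow", None)
    # Risky password login: step up with the strongest enrolled factor.
    for factor in FACTOR_PREFERENCE:
        if factor in attempt.enrolled:
            return ("challenge", factor)
    # Risky and nothing enrolled: require enrollment instead of letting it through.
    return ("enroll", FACTOR_PREFERENCE[0])


if __name__ == "__main__":
    # Constructed sample: password login from a new device, TOTP and SMS enrolled.
    sample = LoginAttempt("password", frozenset({"new_device"}),
                          frozenset({"sms", "totp"}))
    print(decide(sample))
```

SMS is selected only when neither a passkey nor TOTP is enrolled, which matches its fallback role.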
In the guides
Multi-Factor Authentication (MFA): A 2026 Practitioner's Guide
How to roll out MFA in CIAM in 2026: factor selection, adoption, recovery design, anti-patterns, and where SMS OTP no longer meets the standard.
Passwordless Authentication: A 2026 Practitioner's Guide
How passkeys, magic links, and biometrics replace passwords in CIAM, with implementation patterns, adoption data, and vendor support.