Skip to content

Identity term · last reviewed 2026-07-07

MFA

Also known as: Multi-Factor Authentication, 2FA, Two-Factor Authentication

MFA (Multi-Factor Authentication) requires two or more independent factors (something you know, have, or are) to prove identity, so a stolen password alone cannot log an attacker in.

How it works

MFA (Multi-Factor Authentication) requires a user to present two or more independent factors to prove identity, drawn from different categories: something you know (a password), something you have (a phone, a security key, a passkey), and something you are (a biometric). The independence is the point: a stolen password alone is not enough to log in, because the attacker also needs the second factor. Common second factors include TOTP authenticator apps, push approvals, hardware security keys, and increasingly passkeys, which fold strong authentication into a single phishing-resistant step.

When it matters

MFA matters everywhere credentials can be phished or leaked, which is everywhere. It is the single highest-leverage account-security control, and most compliance regimes now expect it. For consumer products, the art is adding MFA without adding friction to the 99% of logins that are fine, which is why risk-based step-up and passkeys are winning. Enterprises enforce MFA at their identity provider as part of SSO. See What Is CIAM and Implement Passkeys / WebAuthn.

Common misconceptions

  • "SMS MFA is strong." SMS is better than nothing but vulnerable to SIM-swap and interception. Prefer app-based or hardware factors, and passkeys where possible.
  • "MFA stops all account takeover." Push-fatigue and real-time phishing proxies defeat weak MFA. FIDO2 and passkeys are phishing-resistant; OTPs are not.
  • "MFA and 2FA are different things." 2FA is MFA with exactly two factors; MFA is the general term.
← All terms