What Is Multi-factor Authentication (MFA)?

August 7, 2017

Multi-factor authentication (MFA) is used to ensure that digital users are who they say they are, while balancing enhanced security with convenience. Unlike typical single-factor authentication, MFA requires users to prove their identity by providing at least two pieces of evidence across three main categories: what you know, what you have and what you are.


If one of the factors has been compromised by a hacker or unauthorized user, the chances of another factor also being compromised are low, so requiring multiple authentication factors provides a higher level of assurance about the user's identity.


Why is multi-factor authentication important?

Passwords may reign supreme as the most common way to authenticate your online identity, but they increasingly provide very little protection.


Hackers use an alarming variety of phishing attacks, brute force attacks, web app attacks and point of sale intrusions to steal passwords and wreak serious havoc. According to Verizon's 2017 Data Breach Investigations Report, 81% of hacking-related breaches leveraged stolen and/or weak passwords.


Users often make it easier for hackers by choosing weak passwords, using the same password for multiple applications, and keeping the same password for long periods of time. These practices may help them remember their logins, but they invite hackers in through the front door.


Multi-factor authentication provides a layer of protection for both employees and customers that addresses all of these weaknesses. It mitigates the ripple effect of compromised credentials by requiring additional evidence that you are who you say you are.

How does multi-factor authentication work?

A user's credentials must come from at least two of three different categories, or factors. Two-factor authentication, or 2FA, is a subset of MFA where only two credentials are required, but MFA can use any number of factors.

What you know

The most common example of this factor is, of course, the password, but it could also take the form of a PIN, or even a passphrase--something only you would know.


Some organizations may also set up knowledge-based authentication like security questions (e.g., "What is your mother's maiden name?"), but basic personal information can often be discovered or stolen through research, phishing and social engineering, making it less than ideal as an authentication method on its own.

What you have

It's much less likely that a hacker has stolen your password and stolen something physical from you, so this factor confirms that you are in possession of a specific item. This category includes mobile phones, physical tokens, key fobs and smartcards.


There are a few ways that this authentication works, depending on the item, but some common methods include confirming via text message or pop-up notifications from your mobile phone, typing in a unique code generated by a physical token, or inserting a card (e.g., at an ATM).

What you are

This factor is commonly verified by a fingerprint scan, but also includes anything that would be a unique identifier of your physical person--a retinal scan, voice or facial recognition, and any other kind of biometrics.

When to use multi-factor authentication

Some organizations may want to set up multi-factor authentication for all users, employees and customers alike. It's especially effective when combined with a single sign-on (SSO) solution, which removes many passwords from the equation, strengthening security even further and improving the user experience.


That said, an organization may only need the higher level of assurance that MFA provides for high-value transactions or high-risk situations. In this way, you can balance end user convenience with the stronger security provided by MFA when needed. For example:


  • A bank may allow a customer to log into his online account with just a username and password, but require a second authentication factor before transactions can be approved.
  • An organization may want a higher level of assurance that an employee is who she claims to be when accessing an HR application from a coffee shop or other off-domain location.
  • A retailer may set up MFA to kick in when a vendor logs into their portal from a new device, to make sure it's not a hacker trying to get in with a stolen password.


This kind of multi-factor authentication is called contextual, adaptive or risk-based MFA. The beauty of using contextual MFA is that it can strengthen security only when warranted, and these requirements or use cases can easily change and evolve over time.


A good MFA strategy will carefully balance the risks of compromised credentials against the impact on employee productivity or customer experience when determining MFA requirements. Striking a balance between security and convenience is especially important for customer-facing MFA, as customers can easily abandon a clunky experience or unsecured channels. The best modern MFA solutions enable a relatively frictionless user experience through multiple authentication options and integrate seamlessly into existing applications.

Moving beyond passwords with MFA

Given the magnitude of costs associated with a typical breach--not to mention the lost revenue and residual damage to your company's reputation--relying on passwords alone to secure critical data and systems is a big risk. Multi-factor authentication provides a stronger level of security by requiring more evidence of a person's true identity. And a contextual MFA solution, strategically implemented, can provide the necessary security without sacrificing usability.

To learn more, please read our Ultimate Guide to Enterprise User Authentication.