What is Multi-Factor Authentication?
A security method that requires two or more different types of verification: something you know, something you have, or something you are.
Also known as: MFA
MFA combines multiple authentication factors to ensure that a compromised password alone isn't enough to access an account.
The Three Factors
- Something you know: Password, PIN, security question
- Something you have: Phone, security key, smart card
- Something you are: Fingerprint, face, voice
Factor Strength (best to worst)
- FIDO2/WebAuthn (hardware key or passkey): phishing-resistant, because the credential is bound to the site's origin and a look-alike domain cannot obtain a valid signature
- TOTP (authenticator app): strong and offline-capable, but a code typed into a fake login page can be relayed to the real site within its 30-second validity window
- Push notification (Duo, Microsoft Authenticator): good, but vulnerable to "push fatigue" (repeated prompts until the user taps approve) and to real-time phishing unless number matching is enabled
- SMS code: weak, vulnerable to SIM swapping and SS7 interception
- Email code: weak, only as strong as the email account that receives it
- Security questions: terrible, answers are often guessable or publicly available
The Golden Rule
Any MFA is better than no MFA. A hardware security key is best, but even SMS 2FA stops most automated attacks such as credential stuffing with leaked passwords. What SMS and app codes do not stop is a targeted phishing page that relays the code in real time; only FIDO2/WebAuthn closes that gap.
Related Terms
FIDO2
An open authentication standard that combines WebAuthn and CTAP protocols to enable passwordless and phishing-resistant login.
Time-Based One-Time Password (TOTP)
A two-factor authentication method that generates temporary codes based on the current time and a shared secret, used by apps like Google Authenticator.
Two-Factor Authentication
A security method requiring two different types of identification to access an account: something you know (password) plus something you have (phone, hardware key) or something you are (biometric). This significantly reduces the risk of unauthorized access even if your password is compromised.