What is multi-factor authentication (MFA)?

Multi-factor authentication (MFA) is a security method that requires users to verify their identity with two or more independent forms of evidence before access is granted. These forms of evidence, called authentication factors, fall into three categories: something the user knows (such as a password or PIN), something the user has (such as a smartphone or security key), and something the user is (such as a fingerprint or face scan).

Learn about Duo MFA

How MFA works

Multi-factor authentication (MFA) is a security method that requires users to verify their identity with two or more independent forms of evidence before access is granted. These forms of evidence, called authentication factors, fall into three categories: something the user knows (such as a password or PIN), something the user has (such as a smartphone or security key), and something the user is (such as a fingerprint or face scan).

By requiring factors from at least two different categories, MFA helps organizations verify users before they can access critical systems and reduces the risk of relying on passwords alone. Even if a password is stolen, an attacker cannot complete the login without the additional factor.

According to the National Institute of Standards and Technology (NIST) Special Publication 800-63, Digital Identity Guidelines, higher assurance authentication is achieved when users prove control of more than one distinct authentication factor. This standard establishes MFA as a cornerstone of modern digital identity practice.

MFA is broader than two-factor authentication (2FA), which uses exactly two factors and is therefore a subset of MFA. MFA also works hand-in-hand with single sign-on (SSO): SSO improves productivity by letting users access multiple systems with one login, while MFA strengthens the sign-on process before SSO shares that authentication with approved applications. Within a broader identity and access management (IAM) program, MFA helps organizations enforce access policies based on user risk, application sensitivity, and compliance requirements.

The Three Factors of Authentication

Authentication FactorDescriptionExample
Something the user knowsInformation the user can remember and enter during sign-in.Password, PIN, or passphrase
Something the user hasA device or authenticator the user physically controls.Smartphone, security key, or one-time passcode
Something the user isA biometric trait unique to the user.Fingerprint or face scan

Why is multi-factor authentication needed?

As organizations digitize operations and take on greater liability for storing customer data, the risks and need for security increase. Because attackers have long exploited user login data to gain entry to critical systems, verifying user identity has become essential.

Authentication based on usernames and passwords alone is unreliable and unwieldy, since users may have trouble storing, remembering, and managing them across multiple accounts, and many reuse passwords across services and create passwords that lack complexity. Passwords also offer weak security because of the ease of acquiring them through hacking, phishing, and malware.

What are some examples of multi-factor authentication?

Cloud-based authenticator apps such as Duo are engineered to provide a smooth login experience with MFA. They are designed to integrate seamlessly within your security stack. With Duo, you can:

  • Verify user identities in seconds
  • Protect any application on any device, from anywhere
  • Add MFA to any network environment

How does multi-factor authentication work?

MFA requires means of verification that unauthorized users won't have. Since passwords are insufficient for verifying identity, MFA requires multiple pieces of evidence to verify identity. The most common variant of MFA is two-factor authentication (2FA). The theory is that even if threat actors can impersonate a user with one piece of evidence, they won't be able to provide two or more.

Proper multi-factor authentication uses factors from at least two different categories. Using two from the same category does not fulfill the objective of MFA. Despite wide use of the password/security question combination, both factors are from the knowledge category--and don't qualify as MFA. A password and a temporary passcode qualify because the passcode is a possession factor, verifying ownership of a specific email account or mobile device.

Is multi-factor authentication complicated to use?

Multi-factor authentication introduces an extra step or two during the login process, but it is not complicated. The security industry is creating solutions to streamline the MFA process, and authentication technology is becoming more intuitive as it evolves.

For example, biometric factors like fingerprints and face scans offer fast, reliable logins. New technologies that leverage mobile device features like GPS, cameras, and microphones as authentication factors promise to further improve the identity verification process. Simple methods like push notifications only require a single tap to a user's smart phone or smart watch to verify their identity.

How do organizations start using MFA?

Many operating systems, service providers, and account-based platforms have incorporated MFA into their security settings. For single users or small businesses, using MFA is as simple as going to settings for operating systems, web platforms, and service providers and enabling the features.

Larger organizations with their own network portals and complex user-management challenges may need to use an authentication app like Duo, which adds an extra authentication step during login.

How do MFA and single sign-on (SSO) differ?

MFA is a security enhancement, while SSO is a system for improving productivity by allowing users to use one set of login credentials to access multiple systems and applications that previously may have each required their own logins.

While SSO works in conjunction with MFA, it does not replace it. Companies may require SSO--so corporate email names are used to log in--in addition to multi-factor authentication. SSO authenticates users with MFA and then, using software tokens, shares the authentication with multiple applications.

What is adaptive authentication?

In adaptive authentication, authentication rules continuously adjust based on the following variables:

  • By user or groups of users defined by role, responsibility, or department
  • By authentication method: for example, to authenticate users via push notification but not SMS
  • By application: to enforce more secure MFA methods--such as push notification or Universal 2nd Factor (U2F)--for high-risk applications and services
  • By geographic location: to restrict access to company resources based on a user's physical location, or to set conditional policies restricting use of certain authentication methods in some locations but not others
  • By network information: to use network-in-use IP information as an authentication factor and to block authentication attempts from anonymous networks like Tor, proxies, and VPNs

Benefits of multi-factor authentication

Improved trust

The costs of hacking and phishing attacks can be high. Because MFA helps secure systems against unauthorized users—and their associated threats—the organization is more secure overall.

If organizations are hesitant to ask users to comply with tighter security, they should consider that users themselves—especially customers—may appreciate the extra security for their data. When customers trust a vendor's security protections, they are more likely to trust the organization overall, which means MFA becomes an important competitive advantage.

Reduced costs

Successful defenses against attacks can provide a return on investment that covers the expense of an MFA solution—for example, preventing a costly and damaging attack on network resources. Even without preventing attacks, MFA can save organizations money by allowing IT departments to deploy resources to protect other parts of networks from different threats.

Easier logins

As multi-factor authentication technology advances, making greater use of passive methods like biometrics and software tokens, it becomes more user-friendly. Easy-to-use MFA processes help users log in more quickly, so workers can be more productive.

In e-commerce, login problems can mean lost sales. User-friendly MFA processes that improve the user experience can help customers log in and, therefore, purchase products.

MFA methods

Knowledge

Knowledge—usually a password—is the most commonly used tool in MFA solutions. However, despite their simplicity, passwords have become a security problem and slow down productivity.

Users today have too many passwords; to ease their management, users create passwords that are not secure or that are used repeatedly across platforms. Another disadvantage is that the knowledge can be forgotten or, if stored somewhere, stolen.

The security question—another knowledge method in wide use but falling out of favor—requires the user to store the answer to a personal question in their profile and then enter it during login. This process is seen as onerous by many users because of the need for repeated data entry and storing and managing their answers.

The dynamic security question, which is more effective and user-friendly, typically asks for contextual information the user has access to, such as a recent financial transaction.

Physical

Physical factors—also called possession factors—use tokens, such as a USB dongle or a portable device, that generate a temporary QR (quick response) code. Mobile phones are commonly used, as they have the advantage of being readily available in most situations.

On the plus side, physical factors are outside the network and usually difficult to spoof. But devices like phones can be lost or stolen, and mobile networks can present their own security vulnerabilities.

Virtual "soft" tokens are a cookie or piece of code stored in a way that effectively turns a device into a physical token. Soft tokens may not be suitable for all users since they require software and expertise to use properly. In addition, soft tokens can be copied, which could lead to unauthorized use.

The U2F standard combines a USB or near-field communication (NFC) token with an open-standard application, providing a simple way to use additional authentication factors with platforms that support them.

Inherent

This category includes biometrics like fingerprint, face, and retina scans. As technology advances, it may also include voice ID or other behavioral inputs like keystroke metrics. Because inherent factors are reliably unique, always present, and secure, this category shows promise.

However, not all devices have the necessary software, processing power, and hardware features (such as microphones and cameras), so some users may not be able to take advantage of these advances in MFA usability and security.

Location-based and time-based

Authentication systems can use GPS coordinates, network parameters, and metadata for the network in use, and device recognition for MFA. Adaptive authentication combines these data points with historical or contextual user data.

These factors have the advantage of operating in the background, with very little input required of users, which means they don't impede productivity. However, since they require software and expertise to use, they are mostly suitable for large organizations with the resources to manage them.

Time-based one-time password (TOTP)

This is generally used in 2FA but could apply to any MFA method where a second step is introduced dynamically at login upon completing a first step. The wait for a second step—in which temporary passcodes are sent by SMS or email—is usually brief, and the process is easy to use for a wide range of users and devices. This method is currently widely used.

On the operational side, two-step authentication requires the use of software or an outside vendor to provide the service. As with the use of mobile devices as physical tokens, mobile networks can introduce their own security issues.

The security key is generally a QR code that the user scans with a mobile device to generate a series of numbers. The user then enters those numbers into the website or application to gain access. The passcodes expire after a certain period of time, and a new one will be generated the next time a user logs in to an account.

Social media

In this case a user grants permission for a website to use their social media username and password for login. This provide an easy login process, and one generally available to all users.

But social media networks are often the target of online criminals because they provide a rich source of user data. In addition, some users may have concerns about the security and privacy implications of sharing logins with social media networks.

Risk-based authentication

Sometimes called adaptive multi-factor authentication, this method combines adaptive authentication and algorithms that calculate risk and observe the context of specific login requests. The goal of this method is to reduce redundant logins and provide a more user-friendly workflow.

For users with many logins for various systems, risk-based authentication can be a key time-saver. However, it requires software that learns how users interact with a system and IT expertise to deploy and manage.

Push-based 2FA

Push-based 2FA improves on SMS and TOTP 2FA by adding additional layers of security while improving ease of use. It confirms a user's identity with multiple factors of authentication that other methods cannot. Because push-based 2FA sends notifications through data networks like cellular or Wi-Fi, users must have data access on their mobile devices to use the 2FA functionality.

Download multi-factor authentication evaluation guide

Optimal access security with Duo MFA

Download our free guide and discover Duo's customizable MFA solutions.

Frequently asked questions about MFA

Multi-factor authentication (MFA) is a security method that requires users to verify their identity with two or more independent forms of evidence before access is granted. These factors come from different categories—something the user knows, has, or is—so that a single stolen credential is not enough to complete a login. MFA is widely adopted across enterprise, cloud, and consumer applications to reduce the risk of unauthorized access.

Two-factor authentication (2FA) is the most common form of MFA and uses exactly two authentication factors. MFA is the broader category and can require two or more factors, depending on the application, user risk, and security policy. In short, all 2FA is MFA, but not all MFA is 2FA.

The three authentication factor categories are something the user knows, something the user has, and something the user is. Examples include passwords or PINs (knowledge), smartphones or security keys (possession), and fingerprints or face scans (inherence). Effective MFA requires factors from at least two different categories—using two factors from the same category, such as a password and a security question, does not qualify.

Many regulations and frameworks require or strongly recommend MFA for access to sensitive systems and data. Examples include PCI DSS for payment card data, HIPAA for healthcare information, and various federal and state data protection rules. Specific requirements depend on the standard, the industry, and the environment, so organizations should review their applicable regulations to confirm MFA scope.

Yes—MFA can be bypassed if it is poorly implemented or if users approve fraudulent authentication requests, a tactic known as MFA fatigue or push-bombing. Common attack methods include phishing, SIM swapping, and intercepting one-time codes sent over SMS. Organizations can reduce this risk by using phishing-resistant factors such as security keys, applying adaptive policies based on context, requiring user verification on push notifications, and monitoring for unusual sign-in patterns.