Multi-factor authentication (MFA)

TL;DR: A security method in which access to a system or application is protected by a combination of at least two different authentication methods, e.g. a password and a fingerprint.

Multi-factor authentication (MFA) is a security method in which several independent authentication factors are used to verify a user's identity. These factors generally fall into three different categories:

  1. Knowledge: Something the user knows (e.g. password or PIN).
  2. Possession: Something that the user has (e.g. a mobile phone, a smartcard or a security token).
  3. Biometrics: Something the user is (e.g. fingerprint, facial recognition or voiceprint).

How MFA works:

The login process typically requires the user to have at least two of the three factors mentioned above in order to gain access to an account or system. A common example of MFA is the combination of a password (knowledge) with a one-time code sent to a mobile phone (possession).

Protection by MFA:

MFA protects users in several ways:

  1. Increased security: As multiple authentication factors are required, it is more difficult for attackers to gain unauthorised access. Even if one factor (e.g. the password) is compromised, the other factors are still required to gain access.
  2. Reduced impact of stolen passwords: Passwords can be stolen or guessed. With MFA, however, the password alone is not enough to gain access, which reduces the risk from phishing, brute-force attacks and data leaks.
  3. Protection against various attack methods: MFA protects against a variety of attack methods, including phishing, social engineering and man-in-the-middle attacks, as attackers require not only a password but also possession of a physical device or a biometric factor.
  4. Additional authentication for suspicious activities: Many MFA systems can trigger additional authentication requests if unusual or suspicious activity is detected, such as an attempt to log in from a new device or location.

Implementation of MFA:

MFA can be implemented in various ways:

  1. SMS- or e-mail-based codes: A one-time password (OTP) is sent to the user by SMS or e-mail and must be entered together with the password.
  2. Authentication apps: Apps such as Google Authenticator, Microsoft Authenticator or Authy generate time-based one-time passwords (TOTP), which the user enters during the login process.
  3. Hardware tokens: Physical devices that generate one-time passwords or are connected to the computer via USB, such as a YubiKey.
  4. Biometric factors: Fingerprint scanners, facial recognition or voice recognition, which identify the user based on physical characteristics.
  5. Push notifications: A notification is sent to a mobile app, which the user can accept or reject to complete the authentication.
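The password-plus-one-time-code flow described under "How MFA works" and the authenticator-app item above both rest on the TOTP algorithm (RFC 6238, built on HOTP from RFC 4226). The following is an added example, not code from the original page, showing how a server verifies such a code. It assumes the server stores one base32 secret per user (as authenticator apps do) together with the last counter it accepted, so that a code cannot be replayed inside its validity window. The names `verify_totp`, `decode_base32_secret` and `demo` are the example's own, and the demo secret is the RFC 4226/6238 reference secret, used here as a constructed value.

```python
"""Server-side verification of app-generated TOTP codes (RFC 4226 / RFC 6238).

Added illustration, not code from the original page. It assumes a server that
stores one base32 secret per user plus the last counter it accepted.
"""
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, timestamp // step, digits)


def decode_base32_secret(encoded: str) -> bytes:
    """Authenticator apps exchange the secret as (often unpadded) base32; restore padding."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, submitted: str, timestamp: int, last_used_counter=None,
                step: int = 30, digits: int = 6, window: int = 1):
    """Return the accepted counter, or None if the code is invalid or a replay.

    `window` tolerates +/- that many time steps of clock skew between phone and server.
    The caller must persist the returned counter as the user's new last_used_counter.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    current = timestamp // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        # Replay protection: never accept a counter at or below the last accepted one.
        if last_used_counter is not None and candidate <= last_used_counter:
            continue
        expected = hotp(secret, candidate, digits)
        # Constant-time comparison so timing does not reveal how many digits matched.
        if hmac.compare_digest(expected, submitted):
            return candidate
    return None


# Constructed demo value: base32 of the RFC 4226/6238 reference secret b"12345678901234567890".
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def demo():
    """Generate a code as the app would, accept it once, then reject the same code as a replay."""
    secret = decode_base32_secret(DEMO_SECRET_B32)
    now = 59  # RFC 6238 test-vector instant; a real server uses int(time.time())
    code = totp(secret, now)                                  # "287082"
    accepted = verify_totp(secret, code, now)                 # fresh code: counter 1 accepted
    replayed = verify_totp(secret, code, now, last_used_counter=accepted)  # same code again: None
    return code, accepted, replayed


if __name__ == "__main__":
    print(demo())
```

Two operational points follow from the code: a six-digit code has only a million possible values, so the server must rate-limit and lock out after a handful of failed attempts, and the window check means a code a user types into a fraudulent page can be relayed by the attacker within that window. The second point is why hardware keys of the YubiKey class (item 3 above) used with FIDO2/WebAuthn, which bind the response to the site origin, are preferred where phishing resistance matters.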

Conclusion:

Multi-factor authentication (MFA) offers a robust security measure that goes far beyond the protection provided by a simple password. By using at least two independent authentication factors, the risk of unauthorised access is significantly reduced and security for users and organisations is strengthened.