What is MFA: Multi-Factor Authentication

Last updated: 2025-12-10

MFA stands for Multi-Factor Authentication. It’s a sign-in method that requires more than just a password (a single factor). With multi-factor authentication, two or more verification methods are combined. Two-factor authentication (2FA) is a common form of MFA.

What the “factors” mean (for verification)

  • Something you know — password, PIN, security question.
  • Something you have — mobile phone, authenticator app, hardware token, smart card.
  • Something you are — biometrics (fingerprint, face recognition, retina/iris scan).

Examples of multi-factor authentication:

  • Email sign-in: enter your password (factor 1) and then a code from an authenticator app (e.g., Microsoft Authenticator, Google Authenticator) on your phone (factor 2).
  • Online banking: password + approve a push notification in a mobile banking app or enter a one-time code sent via SMS (text message).

In short

  • MFA = a little less convenient than passwords alone, but much more secure and less dependent on user discipline.
  • Improves protection against account takeover and identity theft.
  • Reduces the risk of successful attacks if passwords are phished or leaked.
  • Now standard in banking, cloud apps (Microsoft 365, Google Workspace), and business systems for small and mid-sized businesses (SMBs).

What are the most common MFA factors used by businesses?

SMS or voice call with a one-time passcode (OTP)

  • The user gets a one-time code by text message (SMS) or an automated phone call and types it in.
  • Pros: simple to roll out; almost everyone has a cell phone.
  • Cons: at risk from SIM swap, SMS interception, and man-in-the-middle attacks.

Authenticator app / mobile app generating a code or push notification

  • Examples: Microsoft Authenticator, Google Authenticator, Duo Mobile. These create time-based one-time codes (TOTP) or send a push prompt like “Approve sign-in?”.
  • Pros: stronger than SMS; often more resistant to phishing.
  • Cons: needs a smartphone and app; risk if the device is lost or replaced.

Hardware tokens / security keys / smart cards

  • A physical security device the user carries, like a USB security key (e.g., YubiKey) or an employee smart card/badge.
  • Pros: very strong security; hard to compromise remotely.
  • Cons: higher cost and inventory management; users must keep it with them.

Biometrics (fingerprint, facial recognition, voice)

  • A “something you are” factor, such as a fingerprint, face scan, or iris scan.
  • Pros: convenient for users; unique to each person.
  • Cons: privacy concerns; cannot be changed if exposed (unlike a password).

Push notifications / sign-in approval (on mobile)

  • The user receives a prompt: “Are you trying to sign in from …? YES / NO.” Approving acts as the second factor.
  • Pros: very convenient; usually just tap “YES.”
  • Cons: vulnerable to “MFA fatigue” (spamming prompts until a user approves).