Multi-Factor Authentication

Multi-factor authentication (MFA) is an authentication method that requires two or more independent verification factors to grant access to a system. MFA is one of the most effective and cost-efficient security measures against account takeover, blocking over 99% of automated attacks.



    What is MFA?

    Multi-factor authentication (MFA), also called two-factor authentication (2FA) when exactly two factors are involved, is a security method that requires the user to prove their identity in two or more independent ways before access is granted.

    The key advantage of MFA is that even if an attacker knows or steals a user's password, they still cannot log in without access to the additional factor. Microsoft reports that MFA blocks over 99.9% of automated attacks on accounts.

    The three authentication factors

    Authentication is based on three categories of factors:

    • Something you know: Password, PIN or answer to a security question.
    • Something you have: Smartphone (authenticator app, SMS code), hardware key (YubiKey), smart card.
    • Something you are: Fingerprint, facial recognition, iris scan (biometrics).

    To constitute genuine multi-factor authentication, factors from at least two of these categories must be combined. A password plus a PIN is not MFA, as both are 'something you know'.

    Types of MFA

    The most common MFA methods are:

    • Authenticator app (TOTP): Apps such as Microsoft Authenticator or Google Authenticator generate time-based one-time passwords. Considered more secure than SMS.
    • SMS codes: One-time codes sent via SMS. Widely used, but vulnerable to SIM-swap attacks.
    • Push notifications: The authenticator app prompts for approval via a notification.
    • Hardware keys (FIDO2/WebAuthn): Physical USB/NFC keys. The strongest MFA method, because it is phishing-resistant: the key cannot be tricked by a fake login page.
    • Biometrics: Fingerprint and facial recognition, typically used on mobile devices.
    Prioritise MFA for privileged accounts:
    If prioritisation is necessary, MFA should first be enabled for administrator accounts, email accounts and systems with access to sensitive data. These accounts are the most attractive targets for attackers.

    When is MFA required?

    MFA is explicitly required in several regulatory contexts: PSD2 requires strong customer authentication for payments, NIS2 and DORA require strong authentication for critical systems, and ISO 27001 Annex A control 8.5 on secure authentication points towards MFA as best practice. GDPR requires "appropriate" security, and for systems processing personal data, MFA is increasingly regarded as a necessity.

    Frequently Asked Questions about Multi-Factor Authentication

    What is multi-factor authentication (MFA)?

    MFA is an authentication method that requires two or more independent verification factors — from different categories such as something you know, something you have and something you are — before granting access to a system.

    What are the three authentication factors?

    The three categories are: something you know (password, PIN), something you have (smartphone, hardware key) and something you are (fingerprint, facial recognition). Genuine MFA requires factors from at least two different categories.

    Which MFA method is the most secure?

    Hardware security keys using FIDO2/WebAuthn are considered the strongest MFA method because they are phishing-resistant — they cannot be tricked by fake login pages. Authenticator apps (TOTP) are the next most secure option.
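Why a FIDO2/WebAuthn assertion cannot be replayed from a fake login page comes down to checks the relying party performs before it even verifies the signature: the browser records the page origin in the client data, and the authenticator binds the assertion to a hash of the relying-party ID. The Python below is an added illustration of those binding checks, not code from the page or from any WebAuthn library; the sample client data and authenticator data are constructed inline, and `check_assertion_binding`, `make_client_data` and `make_authenticator_data` are this example's own names. Signature verification over `authenticatorData || SHA-256(clientDataJSON)` against the stored public key is a separate step not shown here.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct


def b64url_encode(raw: bytes) -> str:
    """WebAuthn uses base64url without padding for challenges."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for the clientDataJSON the browser produces.
    The browser, not the page script, fills in `origin`, so a phishing site
    cannot claim to be the genuine one."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, sign_count: int) -> bytes:
    """Constructed stand-in for authenticatorData:
    SHA-256(rpId) || flags || 32-bit signature counter.
    Flag 0x01 = user present, 0x04 = user verified."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + struct.pack(">I", sign_count)


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_origin: str, rp_id: str,
                            expected_challenge: bytes) -> list:
    """Relying-party checks that bind an assertion to this site and this login.
    Returns a list of problems; an empty list means the binding checks passed
    and signature verification may proceed."""
    problems = []
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        problems.append("type is not webauthn.get")
    if data.get("origin") != expected_origin:
        problems.append(f"origin mismatch: {data.get('origin')!r}")
    challenge = b64url_decode(data.get("challenge", ""))
    if not hmac.compare_digest(challenge, expected_challenge):
        problems.append("challenge does not match the one issued for this login")
    if len(authenticator_data) < 37:
        problems.append("authenticator data too short")
        return problems
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match this relying party")
    if not authenticator_data[32] & 0x01:
        problems.append("user presence flag not set")
    return problems


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)           # issued by the server per login
    auth_data = make_authenticator_data("example.com", 7)
    genuine = make_client_data("https://example.com", challenge)
    lookalike = make_client_data("https://examp1e.com", challenge)  # constructed phishing origin
    print("genuine:", check_assertion_binding(genuine, auth_data, "https://example.com", "example.com", challenge))
    print("lookalike:", check_assertion_binding(lookalike, auth_data, "https://example.com", "example.com", challenge))
```

Contrast this with a TOTP code, which carries no information about where it was typed: the relying party has nothing to compare against the origin, which is why a fake login page can relay a TOTP code but cannot produce a usable WebAuthn assertion.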

    Does GDPR require MFA?

    GDPR does not explicitly require MFA, but it requires 'appropriate' technical and organisational measures. For systems processing personal data, MFA is increasingly regarded as a necessary security measure by data protection authorities.

    Which accounts should have MFA enabled first?

    Administrator accounts, email accounts and systems with access to sensitive data should be prioritised for MFA, as these are the most attractive targets for attackers and the most damaging if compromised.
