Multi-factor authentication (MFA)
An authentication scheme that requires two or more independent factors — something you know, have, or are — to verify a user, raising the cost of credential theft.
Multi-factor authentication (MFA) requires a user to present at least two independent pieces of evidence — drawn from distinct factor categories — before access is granted. NIST SP 800-63B defines those categories as something you know (a password or PIN), something you have (a hardware token, a phone running an authenticator app, a smart card), and something you are (a biometric). Combining factors from the same category — two passwords, for example — is not MFA.
MFA is the single most effective control against credential theft because a stolen password alone no longer grants access. But not all MFA is created equal. The strength hierarchy, from weakest to strongest:
- SMS one-time codes. Susceptible to SIM-swap and SS7 interception. NIST has discouraged SMS as a primary factor since the 2017 revision of 800-63B.
- TOTP authenticator apps (Google Authenticator, Authy, 1Password). Phishable — a fake login page can ask for the code and replay it within the 30-second window.
- Push-based MFA (Duo, Microsoft Authenticator, Okta Verify). Convenient but vulnerable to MFA fatigue — attackers spam the user with prompts until one is approved.
- FIDO2 / passkeys and physical security keys (YubiKey, Titan). Cryptographically bound to the origin domain; phishing-resistant by design. The only factor class NIST classifies as resistant to verifier impersonation.
The dominant failure mode in 2024-2026 is no longer “users don’t have MFA enabled” — it’s MFA fatigue, where push prompts are auto-approved out of habit, and adversary-in-the-middle phishing kits (Evilginx, Tycoon) that proxy the entire authentication flow including the TOTP code. CISA, ANSSI, and the UK NCSC have all issued 2023-2025 advisories urging migration from push and TOTP to FIDO2 for high-value accounts. MFA on its own is no longer the finish line; phishing-resistant MFA is.
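The reason an adversary-in-the-middle proxy defeats TOTP but not FIDO2 is the origin binding described above: the browser, not the page, writes the `origin` into `clientDataJSON`, and the authenticator signs a hash of that JSON together with `authenticatorData`, whose first 32 bytes are the SHA-256 of the relying-party ID. The following is an added example (not code from the original page or from any WebAuthn library) of the relying-party checks that precede signature verification, run against constructed data for a legitimate sign-in and for the same assertion captured at a look-alike origin. `RP_ID`, `EXPECTED_ORIGIN` and `CHALLENGE` are assumed demo values; verifying the assertion signature over `signed_payload(...)` with the credential's registered public key is the step that follows and is not included here.

```python
import base64
import hashlib
import hmac
import json
import struct

# Constructed values for the demo (assumptions, not from any real deployment).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://login.example.com"
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")  # would be random per ceremony


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_data(challenge: bytes, origin: str) -> bytes:
    """What the browser hands the authenticator to sign. The origin field is filled in
    by the browser from the page that called navigator.credentials.get(), so a phishing
    proxy at another hostname cannot make it read as the genuine site."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()


def build_auth_data(rp_id: str, flags: int = 0x01, sign_count: int = 1) -> bytes:
    """Minimal authenticatorData: rpIdHash (32 bytes) || flags (1) || signCount (4)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def check_assertion(client_data_json: bytes, auth_data: bytes, issued_challenge: bytes,
                    expected_origin: str = EXPECTED_ORIGIN, rp_id: str = RP_ID) -> tuple:
    """Relying-party checks that precede signature verification. Returns (ok, reason)."""
    try:
        client_data = json.loads(client_data_json)
        challenge = b64url_decode(client_data.get("challenge", ""))
    except ValueError:
        return False, "clientDataJSON is malformed"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(challenge, issued_challenge):
        return False, "challenge mismatch"
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch: %r" % client_data.get("origin")
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def signed_payload(auth_data: bytes, client_data_json: bytes) -> bytes:
    """The bytes the authenticator's private key actually signs: authenticatorData
    followed by SHA-256(clientDataJSON). Because the origin is inside that hash, a
    signature produced at a phishing origin is not valid for the real one."""
    return auth_data + hashlib.sha256(client_data_json).digest()


if __name__ == "__main__":
    auth = build_auth_data(RP_ID)
    print(check_assertion(build_client_data(CHALLENGE, EXPECTED_ORIGIN), auth, CHALLENGE))
    print(check_assertion(build_client_data(CHALLENGE, "https://login.example-com.net"), auth, CHALLENGE))
```

The origin check is the line that matters for the proxy case: the captured assertion carries the look-alike hostname because that is where the victim's browser was, and the relying party rejects it before ever touching the signature. A production verifier additionally enforces the sign counter, the user-verification flag where policy requires it, and the signature itself.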
Related terms
- Single Sign-On (SSO): An authentication architecture where one identity provider issues tokens that grant access to many downstream applications, reducing credential surface but concentrating blast radius.
- FIDO2 / Passkeys: Open authentication standards using device-bound asymmetric cryptography to deliver phishing-resistant sign-in — the practical answer to MFA fatigue and adversary-in-the-middle phishing.
- MFA fatigue: A social-engineering attack that bombards a user with MFA push prompts until they tap Approve out of annoyance or confusion.
- Credential stuffing: An automated attack that replays username/password pairs leaked in third-party breaches against unrelated services, exploiting password reuse to take over accounts at scale.
- Password reuse: The practice of using the same password — or near-identical variants — across multiple services, turning any single breach into a multi-account compromise via credential stuffing.