Glossary Term: Multi-factor Authentication (MFA)

A security method that requires users to provide two or more verification factors to gain access to systems or applications. Common factors include something you know (password), something you have (phone or token), and something you are (fingerprint or facial recognition).  

Multi-Factor Authentication (MFA) is a security method that requires users to provide two or more verification factors to gain access to applications, systems, or accounts. Rather than relying solely on a username and password, MFA adds additional layers of authentication that make it significantly harder for attackers to gain unauthorized access, even if they’ve compromised a user’s primary credentials. 

How Does MFA Work?

MFA works on the principle that authentication factors fall into three main categories: something you know (like a password), something you have (like a smartphone or hardware token), and something you are (like a fingerprint or facial recognition). Requiring factors from different categories is what makes the barrier stronger: a password plus a security question is two knowledge factors and does not count as MFA, because a single phishing page or data breach can expose both. 

When a user attempts to log in, they enter their username and password as the first factor. The system then prompts for a second factor, which could be a code sent to their mobile device, a push notification on an authenticator app, or a biometric scan. Only after successfully providing all required factors does the system grant access. 

For privileged operations like administrative tasks, MFA can be required at the point of elevation rather than just at login. This approach provides an additional security checkpoint when users need elevated permissions for specific actions. 

Types of MFA Factors

Authentication factors are typically categorized into three main types, each providing different security benefits: 

Knowledge Factors (Something You Know) 

  • Passwords and passphrases 
  • PIN codes 
  • Security questions 
  • Unlock patterns (a memorized swipe sequence) 

Possession Factors (Something You Have) 

  • Smartphone apps like Microsoft Authenticator or Google Authenticator 
  • Hardware security keys (FIDO2/WebAuthn tokens) 
  • Smart cards 
  • SMS codes sent to a registered phone number (these prove control of the number, not of a particular device) 

Inherence Factors (Something You Are) 

  • Fingerprint scanning 
  • Facial recognition 
  • Voice recognition 
  • Retinal or iris scanning 

Common MFA Methods

Organizations can choose from several MFA implementation methods based on their security requirements and user experience needs: 

Push Notifications send alerts to users’ registered devices, allowing them to approve or deny authentication requests with a simple tap. This method balances security and convenience, but a plain approve/deny prompt is open to “push fatigue” attacks, where an attacker who already holds the password triggers prompts repeatedly until the user taps approve. Number matching (the user types a number shown on the login screen into the app) removes that weakness and should be enabled where the provider supports it. 

Time-based One-Time Passwords (TOTP, RFC 6238) generate temporary codes that expire after a short period, typically 30 seconds. The authenticator app and the server share a secret; each computes an HMAC over the current 30-second time counter and truncates it to a six- or eight-digit code, so no network connection is needed on the phone. Users enter these codes to complete the authentication process. Because the code is typed by the user, it can still be relayed in real time by a phishing site. 
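As an added example (not code from this page or from any authenticator vendor), the following Python implements RFC 4226 HOTP and RFC 6238 TOTP together with a server-side verifier. The secret and timestamps are the RFC test vectors; the names `hotp`, `totp`, `decode_base32_secret`, `TotpVerifier`, and the one-step skew window and replay policy are this example's own choices.

```python
# Added example, not code from the page or from any authenticator app: RFC 4226
# HOTP and RFC 6238 TOTP, plus a server-side verifier that tolerates small clock
# skew and refuses to accept the same code twice. The secret and time values are
# the RFC test vectors; the class and function names are this example's own.
import base64, hashlib, hmac, struct, time

RFC_SECRET = b"12345678901234567890"   # SHA-1 test secret from RFC 4226 / RFC 6238
TIME_STEP = 30                         # seconds per code; the common default

def hotp(key, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key, at=None, digits=6, step=TIME_STEP):
    """RFC 6238: HOTP whose counter is the number of time steps since the Unix epoch."""
    at = int(time.time()) if at is None else at
    return hotp(key, at // step, digits)

def decode_base32_secret(secret):
    """Authenticator apps exchange secrets as unpadded Base32 (otpauth:// URIs)."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

class TotpVerifier:
    """Server side. Accepts codes within +/- `window` steps of the current time
    (clock drift, typing delay) and remembers the highest counter accepted per
    user so a code captured in transit cannot be replayed, even inside the window."""
    def __init__(self, window=1, digits=6, step=TIME_STEP):
        self.window, self.digits, self.step = window, digits, step
        self.last_counter = {}   # user -> highest counter already consumed

    def verify(self, user, key, code, at=None):
        at = int(time.time()) if at is None else at
        if len(code) != self.digits or not code.isdigit():
            return False
        centre = at // self.step
        for counter in range(centre - self.window, centre + self.window + 1):
            if counter <= self.last_counter.get(user, -1):
                continue                      # already used: treat as replay
            # constant-time comparison so a wrong digit does not leak by timing
            if hmac.compare_digest(hotp(key, counter, self.digits), code):
                self.last_counter[user] = counter
                return True
        return False

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59, digits=8))   # 94287082, per the RFC 6238 test table
```

The replay check matters because the skew window means a code stays valid for up to 90 seconds; without it, a code shoulder-surfed or captured by a proxy could be reused. A real deployment also rate-limits attempts per user, since with a one-step window three of the million possible six-digit codes are valid at any moment.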

SMS and Voice Calls deliver verification codes through text messages or automated phone calls. While widely supported, these methods are considered less secure than app-based alternatives: the code goes to a phone number rather than a device, so SIM swapping or porting the number hijacks the factor, and like any typed code it can be relayed by a phishing site. 

Hardware Security Keys provide the strongest protection of the methods listed here because they are phishing-resistant: under FIDO2/WebAuthn the key signs a server challenge together with the origin the browser is actually on, and the credential is scoped to that site, so a look-alike phishing site cannot obtain a response the real site will accept. Users physically insert or touch the device to prove presence, and the private key never leaves it. 

Why MFA Matters for Security

Password-based attacks remain one of the most common methods cybercriminals use to breach systems. According to the Verizon Data Breach Investigations Report, credential-based attacks account for a significant portion of successful data breaches. 

MFA dramatically reduces the risk of successful attacks because an attacker who obtains a password still has to defeat a second, independent factor. Even if attackers obtain a user’s password through phishing, data breaches, or brute force attacks, they still need access to the additional authentication factors. The protection is not absolute: factors the user types or approves (SMS, TOTP, a plain push prompt) can be relayed in real time by a phishing proxy or worn down by repeated push prompts, which is why phishing-resistant methods such as FIDO2 keys are recommended for the highest-value accounts. 

This protection is particularly important for privileged accounts and administrative access, where successful compromise can lead to widespread system damage. When MFA protects elevation to administrative privileges, it prevents malware and attackers from automatically inheriting elevated permissions even if they’ve compromised a user’s standard credentials. 

MFA vs Two-Factor Authentication (2FA)

While often used interchangeably, MFA and Two-Factor Authentication (2FA) have a technical distinction. 2FA specifically requires exactly two authentication factors, while MFA can require two or more factors. 

In practice, most implementations use exactly two factors, making 2FA and MFA functionally equivalent in most business environments. However, high-security environments may require three or more factors for accessing particularly sensitive systems or data. 

Benefits of MFA Implementation

Implementing MFA provides several important security and business benefits for organizations: 

Attack Prevention: MFA blocks the vast majority of automated attacks and credential stuffing attempts, significantly reducing successful unauthorized access attempts. 

Compliance Support: Many regulatory frameworks and security standards require or strongly recommend MFA for accessing sensitive data or systems. 

Reduced Password Risk: With MFA enabled, the security impact of password breaches, weak passwords, or password reuse is dramatically reduced. 

User Accountability: MFA creates a stronger link between user identity and actions, improving audit trails and accountability for privileged operations. 

Cost-Effective Security: Compared to the potential cost of a data breach, MFA implementation provides high security value at relatively low cost. 

MFA in Privileged Access Management

MFA for privileged access means requiring additional authentication when users request administrative privileges, not just at login. This prevents malware from automatically gaining admin rights if it infects a user’s system. 

Instead of making users authenticate twice for every login, elevation MFA only triggers when someone needs to run applications as administrator or start an admin session. This protects high-risk operations while keeping normal work uninterrupted. 

Admin By Request includes an MFA elevation mode that works with Office 365 and SAML identity providers. Users complete MFA authentication before receiving elevated privileges. This requires the identity provider to have MFA already configured. All MFA-protected elevations are logged for audit purposes.