eastbaycyber

Multi Factor Authentication (MFA): Definition, How It Works, and Where You’ll See It

Glossary 7 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Definition

Multi Factor Authentication (MFA) is an authentication method that requires a user to present two or more different types of verification factors to gain access (for example, a password and a hardware security key). MFA reduces the likelihood of account takeover when one factor—most commonly a password—is stolen, guessed, or phished.

Multi factor authentication (MFA) is a login security method that requires two or more independent verification factors (for example, a password plus a one-time code or a security key). MFA is one of the most effective controls for account takeover prevention, because it can stop attackers even when passwords are phished, reused, or leaked.

How MFA works (authentication factors)

MFA works by combining independent factors from different categories. The classic categories are:

  • Something you know (knowledge): password, PIN, passphrase
  • Something you have (possession): authenticator app, hardware security key, smart card, phone receiving push prompts
  • Something you are (inherence): fingerprint, face/iris scan (biometrics)

A typical login flow:

  1. Primary sign-in: You enter a username and password (knowledge factor).
  2. MFA challenge: The system requests an additional factor (possession/inherence).
  3. Verification: The identity provider (IdP) validates the second factor and issues a session token/cookie if successful.

Common MFA methods you’ll see in practice

1) TOTP codes (authenticator apps)

Time-based One-Time Passwords (TOTP) are 6–8 digit codes generated on a device (like an authenticator app). Both the server and the app share a secret seed and calculate codes using time windows (often 30 seconds).

  • Pros: Works offline; widely supported; better than SMS.
  • Cons: Still phishable in real time (an attacker can trick a user into entering the code on a fake site).

2) Push notifications (“Approve/Deny”)

A mobile app sends a prompt asking you to approve a login attempt.

  • Pros: User-friendly; quick.
  • Cons: Vulnerable to push fatigue (MFA bombing), where attackers spam prompts until a user accidentally approves. Safer implementations add number matching or device binding.

3) SMS / voice codes

A one-time code is sent via text or phone call.

  • Pros: Easy to deploy; no app required.
  • Cons: Higher risk due to SIM swap, message interception, and social engineering. Many security programs now discourage SMS MFA for high-risk accounts.

4) FIDO2/WebAuthn security keys (phishing-resistant MFA)

Hardware security keys (USB/NFC/Bluetooth) or built-in platform authenticators use public-key cryptography to authenticate the user to a specific website/app origin.

  • Pros: Strong phishing resistance; no shared secrets; prevents credential replay on fake sites.
  • Cons: Requires compatible apps/browsers and planning for key loss/recovery.

5) Biometrics (often as part of device-based MFA)

Biometrics typically unlock a cryptographic key stored securely on the device rather than being sent as “a fingerprint” to the server.

  • Pros: Fast; reduces password dependence when combined with device-bound keys.
  • Cons: Requires safe fallback and recovery processes; depends on device security posture.

Step-up authentication and risk-based MFA

Many environments don’t prompt MFA every time. Instead, they use conditional access: prompt for MFA when risk is higher, such as:

  • New device, new location, or impossible travel
  • Suspicious IP reputation or anonymizing networks
  • High-value action (changing password, modifying payment info)
  • Admin operations (creating users, changing policies)

This “step-up” approach balances security and usability—when configured carefully.

What good MFA looks like (practical policy checklist)

Practitioner-friendly guidance you can map to most identity platforms:

  • Require MFA for: email, remote access (VPN/ZTNA), privileged/admin roles, finance systems, password reset flows.
  • Prefer: FIDO2/WebAuthn (phishing-resistant) → authenticator app (TOTP) → push with number matching → SMS only as a last resort.
  • Harden enrollment: protect MFA registration with strong proofing (don’t allow anyone with just a password to add a new MFA device).
  • Have recovery: break-glass accounts, backup keys/codes, and a verified helpdesk process.

Example baseline you can operationalize:

[MFA Baseline]
- Enforce MFA for all users (at least for external access)
- Enforce phishing-resistant MFA for admins
- Block legacy authentication (POP/IMAP/SMTP AUTH where possible)
- Require re-authentication for sensitive actions (MFA step-up)

[Enrollment & Recovery]
- Require MFA to register or change MFA methods
- Issue backup codes at enrollment; store securely
- Use 2 security keys for admins (primary + spare)
- Document helpdesk identity verification steps

Where you’ll encounter MFA (real-world use cases)

Business identity and SaaS apps

Most organizations front their apps with an identity provider (IdP) and single sign-on (SSO). MFA becomes a gate for:

  • Microsoft 365 / Google Workspace sign-ins (especially email)
  • CRM (Salesforce), ERP, HR platforms, ticketing systems
  • Cloud consoles and dashboards
  • Password manager access

Operational takeaway: if you do only one thing, protect email accounts with MFA—email is often the reset mechanism for everything else.

Remote access (VPN, RDP gateways, ZTNA)

Remote access is a frequent attacker path. MFA is typically enforced for:

  • VPN connections
  • Zero Trust Network Access portals
  • Remote desktop gateways and VDI
  • SSH bastions and jump hosts

Operational takeaway: confirm MFA is required for remote access from the internet, and ensure “remember me for 30 days” policies aren’t undermining the control for high-risk roles.

Privileged access and admin actions

Admins are high-value targets. You’ll encounter MFA for:

  • Admin portal logins
  • Privileged access management (PAM) checkouts
  • Production changes, infrastructure-as-code pipelines
  • Break-glass procedures (with strict controls)

Operational takeaway: require phishing-resistant MFA (FIDO2/WebAuthn) for admin accounts and consider separate admin identities.

Password resets and account recovery

Attackers commonly exploit weak recovery processes. Many systems require MFA to:

  • Reset passwords
  • Change MFA devices
  • Update recovery email/phone numbers
  • Approve high-risk transactions

Operational takeaway: audit who can reset MFA and under what verification—helpdesk social engineering is a common bypass.

MFA attacks often show up as patterns rather than a single event. Look for:

  • Repeated MFA prompts (push bombing): many prompts in a short period
  • MFA failures followed by success from unusual IPs/devices
  • New MFA device enrollment shortly before suspicious activity
  • Impossible travel or new geo-location on successful sign-in

A generic hunt pattern (adapt to your IdP’s fields):

- EventType: "MFAChallenge" OR "MFARequired" OR "MFAFailed"
- Same user
- High count within 5–10 minutes
- Followed by "MFAApproved" or "LoginSuccess"
- New device/browser fingerprint or new ASN/geo

If your IdP supports it, alert on:

  • MFA method change (e.g., adding SMS, changing authenticator app seed)
  • “Remembered device” creation
  • Legacy authentication usage (often bypasses MFA in older protocols)

MFA best practices (quick wins)

  • Start with email and admins, then remote access, then everything else.
  • Use phishing-resistant MFA (FIDO2/WebAuthn or passkeys) for privileged roles.
  • Protect MFA enrollment: require an existing strong factor to add or change MFA methods.
  • Plan recovery: backup codes, spare security keys, and a documented helpdesk process.

For consumer accounts, pairing MFA with a reputable password manager improves both security and usability; options like 1Password can help centralize strong passwords and MFA workflows where supported: Try 1Password →.

FAQ: Is MFA enough by itself?

MFA is a high-impact control, but it’s not a complete program. Attackers may still succeed via:

  • Session hijacking (stealing cookies/tokens after you log in)
  • MFA prompt abuse (push fatigue)
  • Enrollment and recovery weaknesses (helpdesk resets, SIM swaps)
  • Unpatched vulnerabilities in identity or VPN appliances

For a practical patching framework that complements MFA, see: Patch management best practices.


If you’re implementing MFA for an organization, the practical priority order is: email and admins first, then remote access, then everything else—with a roadmap toward phishing-resistant methods (FIDO2/WebAuthn/passkeys) for high-risk users.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Related terms

2FA (Two-Factor Authentication)

A subset of MFA requiring exactly two factors. In practice, people often say MFA and 2FA interchangeably.

Authentication factor

The category of proof—knowledge, possession, inherence.

OTP (One-Time Password)

A code used once. Includes TOTP (time-based) and HOTP (counter-based).

TOTP

Time-based OTP, typically the 6-digit codes in authenticator apps.

Push authentication

“Approve/Deny” prompts sent to a trusted device.

FIDO2 / WebAuthn

Standards enabling phishing-resistant, public-key-based authentication (hardware keys or built-in device authenticators).

Passkeys

A user-friendly implementation built on FIDO/WebAuthn that can replace passwords and provide strong MFA properties (often passwordless). If you’re evaluating passkeys, see our FAQ: What is a passkey?

SSO (Single Sign-On)

One identity session to access multiple apps. MFA is commonly enforced at the SSO/IdP layer.

Conditional access / risk-based authentication

Policies that require MFA based on context (location, device health, risk signals).

MFA fatigue / MFA bombing

Attacker spams push prompts to trick the user into approving.

Break-glass account

An emergency admin account with tightly controlled access used when normal MFA/SSO systems are unavailable.

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.