Security Encyclopedia

Multi Factor Authentication

Multi-Factor Authentication (MFA) is a method of verifying a user, application, or device by requiring them to present a number of identifiers. MFA is used to provide additional security to unidimensional or single-factor authentication (SFA).

In its most familiar use, MFA requires the user of a consumer or employer application to register a selection of identifiers or “factors” covering knowledge (e.g. password or PIN), possession (smartphone or hardware OTP token), and inherence (something you are, such as fingerprint or voice). Once enrolled, when authenticating the user is prompted to present a factor or more than one factor according to the kind of access or action desired.

MFA can be as simple as always requiring two-factor authentication (2FA) using two distinct factors (e.g., password and biometric) for strong authentication. Or, it can be deployed in a more bespoke implementation reflective of the risk appetites and policies the service provider has in place. In the example of a consumer banking application, the user would be required to log into the application with a password. To move funds, however, they would be required to present a biometric. If the bank deemed the transaction to be high-risk according to its amount, its recipient, or time of day, the user would be prompted to click a PUSH notification sent through the bank’s mobile app. When additional factors are required alongside growing risk in this way, it is an example of step-up authentication. This is commonplace in customer MFA use cases involving financial transactions.

Integrated MFA, especially leveraging mobile device authenticators, enables service providers to manage their risk along the customer’s current journey. When properly implemented, it can add security with minimal friction even in the context of the historically inverse relationship between security and usability.


"Our firm now mandates MFA for all logins. Our baseline method, because of the highly-regulated atmosphere, is actually 2FA. So imagine the amount of time my colleagues and I invest in juggling hard tokens, fielding robocalls, etc. when logging in. This is time better spent elsewhere."