MFA — Glossary

Multi-Factor Authentication

A security mechanism that requires users to provide two or more independent verification factors — something they know (password), something they have (phone/key), or something they are (biometrics) — to prove their identity.

What Is MFA?

Multi-Factor Authentication (MFA) adds security beyond passwords by requiring additional proof of identity. Even if an attacker steals a password, they can't access the account without the second factor.

Authentication Factors

| Factor Type | Description | Examples |
|---|---|---|
| Knowledge | Something you know | Password, PIN, security questions |
| Possession | Something you have | Phone, hardware security key, smart card |
| Inherence | Something you are | Fingerprint, face recognition, voice |
| Location | Where you are | GPS, IP geolocation, network |
| Behavior | How you act | Typing patterns, mouse movement |

MFA requires at least two different factor types. Two passwords would not qualify as MFA (both are knowledge factors).

MFA Methods Ranked by Security

From strongest to weakest:

  1. FIDO2/WebAuthn (Passkeys) — Phishing-resistant, hardware-bound credentials
  2. Hardware Security Keys (YubiKey) — Physical device, phishing-resistant
  3. Platform Authenticators — Built-in biometrics (Touch ID, Windows Hello)
  4. Authenticator Apps (TOTP) — Time-based codes from apps like Google Authenticator
  5. Push Notifications — Approve/deny on mobile device (vulnerable to push fatigue attacks)
  6. SMS/Voice — One-time codes via text or call (vulnerable to SIM swap attacks)

MFA and Zero Trust

MFA is a foundational requirement for Zero Trust architecture. Modern approaches go beyond simple MFA to adaptive/risk-based authentication that adjusts requirements based on context:

  • New device? → Require MFA
  • Unusual location? → Step up to stronger factor
  • Sensitive application? → Always require hardware key
  • Low-risk action from known device? → Allow password-only

Passwordless Authentication

The industry is moving toward passwordless authentication that eliminates passwords entirely, using passkeys (FIDO2), biometrics, or certificate-based authentication. This improves both security (no password to phish) and user experience (no password to remember).

MFA in Enterprise

When evaluating MFA for your organization, consider:

  1. Phishing resistance — FIDO2/WebAuthn support
  2. User experience — Minimize friction for legitimate users
  3. Coverage — MFA for all applications, not just SSO
  4. Adaptive policies — Risk-based authentication rules
  5. Recovery — Secure account recovery when factors are lost
