Multi-Factor Authentication
What is MFA (Multi-Factor Authentication)?
MFA (Multi-Factor Authentication) is a security method that requires a user to present two or more independent factors to prove their identity before access is granted. Because an attacker would need to compromise multiple factors, MFA dramatically reduces the risk of account takeover.
The three factor types
Authentication factors fall into three categories: something you know (a password or PIN), something you have (a phone, hardware security key, or authenticator app), and something you are (a fingerprint or face scan). MFA combines factors from different categories — a password plus a one-time code, for example.
Combining categories is what makes MFA strong. Two passwords are not MFA, because they are both “something you know”; a password plus a device-bound key is, because compromising one does not compromise the other.
Common MFA methods
Widely used second factors include time-based one-time passwords (TOTP) from authenticator apps, push notifications to a trusted device, and hardware security keys using WebAuthn/FIDO2. SMS codes are still common but weaker, because they are vulnerable to SIM-swapping and interception.
Passkeys — phishing-resistant credentials based on WebAuthn — are increasingly replacing passwords entirely, delivering strong, MFA-grade security in a single seamless step tied to the user's device.
MFA and adaptive authentication
Modern platforms apply MFA adaptively: instead of always prompting, they evaluate risk signals — a new device, an unusual location, an impossible-travel pattern — and step up to a second factor only when risk is elevated. This preserves security while keeping everyday logins low-friction.
Frequently asked questions
- What is the difference between MFA and 2FA?
- 2FA (two-factor authentication) is a subset of MFA that uses exactly two factors. MFA is the general term for requiring two or more factors, so all 2FA is MFA, but MFA can involve more than two factors.
- Is SMS-based MFA secure?
- SMS MFA is far better than no MFA, but it is the weakest common method because codes can be intercepted or captured via SIM-swap attacks. Authenticator apps, push, and hardware keys or passkeys are stronger.
- What is adaptive MFA?
- Adaptive (risk-based) MFA evaluates signals like device, location, and behavior on each login, and only prompts for an additional factor when the risk is elevated — balancing security with a smooth user experience.