Overview
Direct Answer
Multi-factor authentication (MFA) is a security control that requires users to verify their identity using two or more independent verification methods—or factors—before gaining access to a system or resource. This approach substantially reduces the risk of unauthorised access compared to single-factor methods such as passwords alone.
How It Works
MFA combines factors from distinct categories: something you know (passwords, PINs), something you have (hardware tokens, mobile devices), and something you are (biometric data). Upon login, the system prompts the user to provide each required factor sequentially or simultaneously, verifying each independently before granting access.
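As an added illustration that is not part of the original entry, the following Python sketch checks a knowledge factor (a salted PBKDF2 password hash) and a possession factor (an RFC 6238 time-based one-time code) independently before deciding, so a failing password never skips the second check and response timing does not reveal which factor was wrong. The password, salt and TOTP seed are constructed demo values (the seed is the RFC 6238 SHA-1 test-vector key); in a real deployment they would live in a user store.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo credentials (assumption: a real system reads these per user).
_SALT = b"demo-salt-0123456789"
_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, 200_000)
_TOTP_SECRET = b"12345678901234567890"  # RFC 6238 SHA-1 test-vector seed, demo only
_STEP = 30  # seconds per TOTP time step


def verify_password(candidate: str) -> bool:
    """Factor 1 (something you know): constant-time compare of a PBKDF2 hash."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), _SALT, 200_000)
    return hmac.compare_digest(digest, _PASSWORD_HASH)


def totp(secret: bytes, timestamp: int, step: int = _STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(candidate: str, now: int, window: int = 1) -> bool:
    """Factor 2 (something you have): accept the current step plus/minus `window`
    steps to tolerate clock skew between server and authenticator device."""
    matched = False
    for drift in range(-window, window + 1):
        expected = totp(_TOTP_SECRET, now + drift * _STEP)
        # No early return: every candidate step is compared in constant time.
        matched |= hmac.compare_digest(expected, candidate)
    return matched


def authenticate(password: str, code: str, now: Optional[int] = None) -> bool:
    """Evaluate both factors before combining them; access requires both."""
    now = int(time.time()) if now is None else now
    ok_know = verify_password(password)
    ok_have = verify_totp(code, now)
    return ok_know and ok_have
```

Rate-limit `authenticate` per account and per source in a real deployment; a six-digit code with a skew window is only safe against guessing when attempts are throttled.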
Why It Matters
Organisations adopt MFA to mitigate credential compromise risks, particularly against phishing and brute-force attacks. Regulatory frameworks and compliance standards increasingly mandate MFA for sensitive data access, driving adoption across financial services, healthcare, and government sectors. The modest implementation cost relative to breach remediation costs makes MFA economically compelling.
Common Applications
Enterprise cloud platforms, banking systems, email services, and virtual private networks routinely deploy MFA. Government agencies, healthcare providers, and financial institutions require MFA for administrative access and sensitive transactions to meet compliance obligations.
Key Considerations
MFA introduces user friction and dependency on secondary devices, potentially impacting adoption rates and support burden. Loss or compromise of a factor (such as a mobile device) can block legitimate access, necessitating robust account recovery procedures.