What is Multi-Factor Authentication (MFA)?

Multi-factor authentication (MFA) is an authentication method that requires the user to provide two or more separate pieces of evidence to verify their identity. If properly implemented, MFA greatly reduces the likelihood and impact of attacks like credential stuffing, brute force attempts, and other attacks that exploit the inherent weaknesses of passwords.

MFA adoption has grown over the years and the security benefits are clear. According to Microsoft, accounts with MFA enabled are over 99.9% less likely to be compromised. Google’s security team found that on-device prompts (a strong form of MFA) blocked 100% of automated bots, 99% of bulk phishing attacks, and 90% of targeted attacks in its study.

Why is MFA needed?

The password problem

In some ways, multi-factor authentication is an effective band-aid that covers the gaping wounds of password-based authentication. Passwords have been around for decades and may seem intuitive as a result, but they have resulted in poor security and subpar user experiences.

There are billions of leaked passwords available on the dark web. This problem is made worse by users’ tendency to reuse passwords across online accounts. Leaked passwords from a data breach on one account can be used to access other accounts through credential stuffing. Since users also tend to pick common passwords like 123abc, qwerty, and password123, attackers can simply try those against every account (password spraying) or brute force their way in.

Simply put, if passwords are the only thing granting a user access to an app or resource, then passwords are the only thing an attacker needs to impersonate the user. MFA addresses this problem by requiring a separate authentication factor, adding a layer that’s much tougher for attackers to exploit.

Digital transformation

MFA is an enabler for organizations undergoing digital transformation. With remote work and globally distributed talent, it’s important for employees to be able to securely work with the apps and resources they need without being physically tied to an office. With MFA, employees can access business applications and connect to the company network remotely without a single stolen or guessed password being enough to get in.

Regulatory compliance

The effectiveness of MFA has led to it becoming a requirement under multiple industry regulations and legislations. A 2021 Executive Order by the President of the USA (EO 14028) required all federal agencies to adopt MFA within 180 days of the order date. Multi-factor authentication is also a key component of the EU’s revised Payment Services Directive (PSD2), whose strong customer authentication (SCA) rules require payment providers in Europe to verify customers with two independent factors for most electronic payments, with exemptions for low-value and low-risk transactions.

Types of MFA factors

There are three generally accepted types of authentication factors used in MFA:

  • Knowledge: Something only the user knows.

  • Possession: Something only the user has.

  • Inherence: Something only the user is.

Fig: Common MFA factors

Knowledge

The knowledge factor refers to a piece of information that is known only by the user trying to gain access. The most common example is the password (the username merely identifies the account; the password is the secret). Other examples include security questions like “What is your mother’s maiden name?”, PIN codes, and Social Security numbers.

Knowledge-based authentication (KBA), especially when used on its own, is prone to compromise. Attackers can gather answers to security questions by researching potential victims on social media or by employing social engineering techniques. An infamous example that showed the shortcomings of KBA was when Sarah Palin’s email account was hacked. Attackers found the answers to the account’s password recovery questions (birthday, ZIP code, etc.) after basic online research.

Possession 

The possession factor refers to a device, physical token, or online account that is held only by the user trying to gain access. Common examples include SMS codes and TOTP apps (where the mobile device is what the user possesses), email OTPs and magic links (where the email account is what the user possesses), and physical security keys like YubiKey. These are not equally strong: SMS codes can be intercepted through SIM swapping, and any code the user types can be relayed in real time by a phishing site, whereas FIDO2/WebAuthn security keys sign a challenge bound to the site’s origin and so cannot be used on a lookalike domain.

Combining knowledge and possession factors is the most common MFA flow in use today. Even if attackers know a user’s password (the first factor), they also need the user’s mobile device or email account to take over the account. Not impossible, but far less likely than when the password is the only thing standing in the way.

Inherence

The inherence factor refers to biological traits that identify only the user trying to gain access. Common examples include Apple Face ID and Touch ID, Windows Hello, retina scans, and other forms of biometric authentication. With platform biometrics the face or fingerprint is matched on the device and unlocks a key stored there; the biometric itself never leaves the device, so what the server actually verifies is possession of that device.

Inherence factors, particularly when used as the local user-verification step of WebAuthn, are a very strong and hard-to-phish authentication factor: the credential is bound to the website’s origin, so a lookalike phishing domain cannot obtain a valid signature.

Other MFA factors

In addition to the three main authentication factors listed above, some other factors include:

  • Location: Location-based MFA takes into account where the user is attempting to log in from. This might include capturing the user’s IP address or geolocation.

  • Time: This factor takes into account when the user is attempting to log in and how it differs from their usual patterns. 

These factors are usually employed in high-security settings or when applications need to evaluate risk before approving sensitive user actions (e.g. accessing customer data, wiring money).

MFA vs 2FA

MFA is often referred to as two-factor authentication (2FA). 2FA is an authentication process where the user must present two different forms of credentials before they are allowed to access an app, website, or protected resource.

2FA is essentially a subset of MFA. While 2FA uses exactly two authentication factors, multi-factor authentication can use two or more factors depending on the sensitivity of the resource being accessed, the risk profile of the user, and so on.

What is step-up authentication?

Step-up authentication is a subset of MFA where users are asked for an additional authentication factor before being allowed to access sensitive data or perform high-risk actions. It is an effective way to reduce user friction during sign-up and initial adoption without sacrificing security. Step-up authentication is also known as route-based or “just-in-time” authentication.

Rather than front-loading all authentication to the login stage, step-up authentication allows users to access certain resources with one set of credentials while protecting other resources behind additional sets of credentials.

For example, a banking service that logs users in with a password might allow them to check their account balance, deposit checks, and perform other low-risk actions without asking them for more credentials. But when users want to move money around or make wire transactions, the app can prompt them for more credentials by sending an OTP to their phone or email account.

What is adaptive authentication?

Adaptive authentication is a subset of MFA where additional authentication factors are automatically triggered according to a user’s risk levels. Adaptive authentication is also known as adaptive MFA or risk-based authentication. 

While step-up authentication is usually static and based on predefined flows, adaptive authentication is dynamic and can prompt a user based on a risk score that includes a variety of behavioral and contextual signals. These user behaviors might include:

  • Where the user is 

  • What time the user is trying to log in (and whether it’s different from the baseline)

  • What device is being used (and is it different from the usual device)

  • Whether the user is on a known, trusted network or an unencrypted public one such as open Wi-Fi

For example, let’s consider a user that regularly logs into an application from their laptop at home. If the user is on an international trip and tries logging in to the same application from an Internet café, they will be prompted in real time for additional credentials because too many behavioral signals have changed from the baseline.

MFA in a snap with Descope

Adding MFA to an existing app is a non-trivial exercise and can take your development team weeks (if not months) of effort. Descope helps developers easily add MFA to their authentication flows with drag-and-drop workflows, SDKs, and APIs. If you are looking to remove the complexity from your MFA implementation, sign up for Descope.