Identity & Access
Multi-Factor Authentication (MFA)
Also known as: MFA, Strong authentication
Definition
An authentication method that requires two or more independent factors — typically from different categories — before granting access.
Multi-Factor Authentication (MFA) increases assurance by combining factors from at least two of three categories: knowledge (password, PIN), possession (security key, smartphone, smart card) and inherence (fingerprint, face, voice). Even if one factor is stolen or phished, the remaining factor should still block the attacker. Phishing-resistant MFA based on FIDO2/WebAuthn or smart cards is strongly preferred over one-time passwords delivered by SMS or email, which are vulnerable to SIM swaps, compromise of the server that sends them and real-time phishing through reverse proxies that relay the code to the legitimate site. MFA is now a baseline control in standards such as NIST SP 800-63B, PCI DSS and most cyber-insurance requirements, and is one of the most effective controls against account takeover.
Examples
- Logging in with a password plus a tap on a FIDO2 security key.
- An admin console requiring a hardware token after a Windows Hello sign-in.
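The reason a FIDO2 key resists the reverse-proxy phishing described above is that the browser, not the page, writes the site origin into the signed client data, and the relying party checks it. The following added example (not code from the original page or any WebAuthn library) shows the origin- and rpId-binding steps of a relying party's assertion check; the sample client data and authenticator data are constructed inline, and signature verification over authenticatorData plus the client data hash is assumed to be done separately.

```python
import hashlib
import json

# Constructed sample relying party (hypothetical names): the site the user
# registered the key with, and the origin the browser must report.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"


def make_client_data(origin: str, challenge: str) -> bytes:
    """Build clientDataJSON as a browser would for a login (constructed sample)."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, counter: int, user_present: bool = True) -> bytes:
    """Build authenticatorData: rpIdHash (32 bytes) | flags (1) | signCount (4)."""
    flags = 0x01 if user_present else 0x00  # bit 0 = user presence (UP)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: str,
                     rp_id: str, expected_origin: str, last_counter: int):
    """Return (ok, reason) for the origin/rpId/challenge/counter checks of a WebAuthn login."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale session or replay)"
    # A reverse-proxy phishing site has its own origin; the browser reports that
    # origin here, so the assertion is rejected even though the user tapped the key.
    if cd.get("origin") != expected_origin:
        return False, "origin %r is not the relying party origin" % cd.get("origin")
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match the relying party ID"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    counter = int.from_bytes(auth_data[33:37], "big")
    # A counter that fails to increase suggests a cloned authenticator.
    if counter != 0 and counter <= last_counter:
        return False, "signature counter did not increase"
    return True, "ok"


if __name__ == "__main__":
    good = verify_assertion(make_client_data(EXPECTED_ORIGIN, "c1"),
                            make_authenticator_data(RP_ID, 6), "c1", RP_ID, EXPECTED_ORIGIN, 5)
    phished = verify_assertion(make_client_data("https://example.com.evil.test", "c1"),
                               make_authenticator_data(RP_ID, 6), "c1", RP_ID, EXPECTED_ORIGIN, 5)
    print(good, phished)
```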
Related terms
Two-Factor Authentication (2FA)
A specific form of multi-factor authentication that requires exactly two factors — usually a password plus a second factor — to verify identity.
Authentication
The process of verifying that an entity — user, device or service — really is who or what it claims to be before granting access.
Passkey
Passkey — definition coming soon.
FIDO2
FIDO2 — definition coming soon.
WebAuthn
WebAuthn — definition coming soon.
One-Time Password (OTP)
A short numeric code that is valid for only a single login attempt or a brief time window, typically used as a second authentication factor.