Skip navigation

What Is MFA?

Multi-factor authentication (MFA) is a security measure that goes beyond a password to double- and triple-verify a user’s identity before they can access data.

Digital user access data using multifactor authentication product MFA and 2FA

What Does MFA Stand For?

Multi-Factor Authentication (MFA) is the practice of adding multiple unique authentication methods to user identity verification at login.

What Does 2FA Stand For?

Two-Factor Authentication (2FA) — The practice of adding a second unique authentication method to user identity verification at login

Password + push notification = 2factor represents how two factor is different from multi factor authentication

What Type of Security Is Multi-Factor Authentication?

Identity Security — An essential security control in today's digital world, identity security products are used to verify the user's identity and prevent use of stolen passwords / compromised credentials

Secure Access — The idea that anyone who accesses data is properly verified to ensure all logins are benevolent and safe

Zero Trust — A cybersecurity strategy framework that encourages users and organizations to take added security measures, assuming that nothing can be trusted without proper verification. Zero trust is often described by the mantra of “never trust, always verify”

What Does MFA Protect Against?

MFA is essential to access and endpoint security because it adds a layer of protection to a user or company’s data which effectively helps prevent stolen passwords, malware, phishing and ransomware attacks. With an effective MFA system in place, only the correct user will “hold the keys,” so to speak, keeping unauthorized access out.

Cockroach represents bugs and malware in a network

Malware — A program or software that enters a system to access data or steal passwords with malicious intent 

(e.g., credential or credit card number theft, exploitation of personal contact information, demands of ransom payment for data)

a tang fish and a hook to play on the act of fishing as a hobby versus phishing in cybersecurity and mfa

Phishing — A program or individual that disguises itself as a company or person to scam the user and gain malicious access to data 

(e.g., a user receives a text message asking for a banking password. The message appears to come from their bank, but is actually a bad actor looking to steal credit card information)

an mfa user holds a photo of another individual over his face to represent hackers disguising themselves

Ransomware — A malware attack that successfully seizes personal or company data and then demands monetary payment (ransom) in exchange for the stolen data

Who Does MFA Protect?

MFA has changed internet safety and the way we access our accounts. A key player in the zero trust approach to security, MFA has been deemed one of the most effective and employable verification methods in personal, corporate and government settings alike.

Streamline Authentication for Users 

Each and every digital user leaves behind a digital footprint full of personal data. Regardless of what data you handle on a day-to-day basis, you deserve to feel secure while you work, bank, go to school or do anything else online. MFA is a security control solution that is user-focused, meaning it starts with you. 

a remote worker using a multifactor authentication (mfa) app

the buildings of varying sizes to demonstrate the importance of mfa for all buildings

Secure SMB Cybersecurity  

Small businesses need to invest in MFA even if their company’s size deems them exempt from some of the heftier regulatory compliance mandates. As new statutes arise to protect SMB org’s from new hacker technologies, MFA is encouraged in more and more small businesses. Why? Simply put: it works! When securing an SMB, it is important to find an MFA solution that works easily and deploys quickly in unique settings and custom applications.

Cybersecurity for Enterprise Organizations 

Data is foundational to the digital economy and therefore securing it is too. With a great workforce comes great responsibility, which is why MFA is usually legally required for everyone who works in an enterprise-level organization.  

Where Is MFA Required?

Deciding which employees are entitled to various levels of access to data is not only a strategic decision, but also has legal implications. Hundreds of laws and cybersecurity entities, at the very least, strongly recommend multi-factor authentication for verification, including:

  • General Data Protection Regulations (GDPR), for all organizations that carry out business or handle sensitive data in the EU 

  • System and Organization Controls 1-3 (SOC, SOC1, SOC2 & SOC3), for all organizations that carry out business or handle sensitive data in the US 

  • The Federal Financial Institutions Examination Council (FFEIC), for all US financial organizations 

  • Payment Card Industry Data Security Standard (PCI-DSS), for all US organizations that handle credit card transactions and the respective sensitive data 

  • Family Educational Rights and Privacy Act (FERPA), for all US K-12 schools and higher education institutions  

…and hundreds more. Cyber liability insurance providers almost always require that a policyholder has MFA and access control standards implemented as a baseline for coverage, also.


Which Industries Require MFA? 

The short answer? MFA is integral to cybersecurity in every industry. Two-factor and multi-factor is an important component to data security and endpoint security for any company that works online.  

How Does MFA Work?

When you are using a second authentication method in addition to your personal pin or passcode, for instance, you are authenticating with second-factor or two-factor authentication (2FA). When you add a third, fifth, sixth or any additional verification tool after that second factor, you’re using multi-factor authentication (MFA)!

Is MFA Different from 2FA? 

MFA expands upon the 2FA concept by adding additional identity verification steps and therefore layers of security. The more additional factors you use to verify identity, the safer you, your device, your company and your data are! MFA>2FA 

What Are the Best MFA Methods? 

The best MFA methods are the methods that work best for the individual user. An ideal MFA provider will provide companies with the autonomy to customize their MFA, enabling them to employ two or more methods of their choice and, theoretically, their users’ choice too. 

What Types of MFA & 2FA Are There?

Second- and multi-factor authentication methods come in many different forms including tokens like the Yubikey, biometrics like TouchID, to classic call-back verification and TOTP. Any authentication methods can be combined to strengthen your MFA.

What Are the Best MFA Methods?

The best MFA method is one that's user-focused. They fall into one or more of the following categories:

  1. What the user knows

  2. What the user has

  3. Who the user is

  4. Where the user is

What is Phishing-Proof MFA?

The Fido 2 Security Key has been deemed a phishing-resistant second- or multi-factor (2FA or MFA) solution because the tool will, physically, remain in a user's possession. It then uses biometrics or another secondary authentication method to verify identity.

Is Time-Based One-Time Passcodes (TOTP) MFA?

In somewhat of a gray area of categorization are SMS and callback codes and TOTP. While they are indeed knowledge-based, arguments have been made to categorize them as possession-based tools because they are allocated from a third party to the user. They are sometimes even considered to be in a category of their own (Mobile Phone-Based authentication). Regardless of the category(ies) they do or don’t fall into, SMS and phone call TOTPs are more secure than other knowledge-based tools because they maintain a very short window for possible compromises. That said, TOTPs are often exploited in successful phishing attacks like Craigslist scams. 

Knowledge-Based MFA

brain to represent knowledge based mfa icon

What the User Knows

Knowledge-based MFA tools are based on the memorized information you hold in your mind such as your password or a personal pin number.


  • Application or web passwords 

  • Smartphone passcodes, pins or pattern lock tools 

  • Security questions (e.g., “What is your first pet’s name?” or “What is your mother’s maiden name?”) 

spacer icon


  • Inexpensive 

  • Typically, this is the most customizable method for an individual user 

  • Users can select information or sequences that they are confident no one will guess, giving them more control over their authentication 

  • There are essentially endless possibilities in sequences of letters and numbers 

  • Easy to change 

spacer icon


  • A user may become frustrated if they forget their information 

  • If written down or stored in an insecure place, they can be stolen 

  • Personal data can legally and somewhat easily be found in public directories like government birth records, social media, etc. 

  • Susceptible to phishing scams 

Possession/Physical MFA

physical mfa token icon

What the User Has

Possession-based MFA tools are physical things you carry with you to verify identity.


  • Tokens/Fobs 

  • Access control smartphone applications like Duo Push 

  • Bank cards or government IDs 

  • FIDO 2 security keys 

spacer icon


  • Wide range of price; can be as expensive and robust or as inexpensive and cost effective as you'd like

  • You can carry them with you physically, so some methods are  theoretically immune to phishing attacks 

  • One of the safest methods 

spacer icon


  • They are typically small and difficult for some users to keep track of 

  • Can become damaged if not properly stored or care for 

  • In the case of cheaper hardware tools, they can sometimes be defective or poorly built 

  • Some tools can be difficult or expensive to replace 

Inherent MFA Tools

phone with multifactor app to represent biometric mfa icon

Who the User Is

An inherent MFA tool does not require knowledge or physical keys, but instead employs a user’s inherent being. This type of verification works by use of a bridge between the physical trait (fingerprint, face, etc.) and the hardware to software network tool such as artificial intelligence (AI).


  • Fingerprint scanners like TouchID 

  • Iris scanners 

  • Voice recognition 

  • Facial recognition 

spacer icon


  • One of the safest MFA methods 

  • Difficult to lose, as they are part of a user’s physical self 

  • The level of AI and/or algorithmic modeling required to replicate a human’s face for instance, in the case of facial recognition MFA, is beyond the scope of most bad actors’ abilities 

spacer icon


  • Robust hardware and software must exist behind every biometric authentication to ensure that the most unique details are captured to prevent people with similar features from passing each others’ authentication checks and to ensure that the tool is able to respond to human error-based variations 

  • Fingerprints, faces, voices and eyes can become damaged, too 

Location-Based MFA Tools

a house to represent location-based mfa icon

Where the User Is

If you’ve ever tried to use a friend’s streaming account at your house and been denied access, you’ve failed a location-based authentication check. A location-based MFA tool will evaluate whether or not a user is physically in the proper location or proper device.


  • IP address 

  • Geographic location

spacer icon


  • Difficult for bad actors to replicate (e.g., a phishing attacker who may have stolen both a password and TOTP will almost certainly operate in a different location and on a different IP address)

  • Requires least amount of effort from user

  • Generally inexpensive

spacer icon


  • Could impede user's privacy (e.g., they may be required to have their location tracked at all times, or they may not feel comfortable sharing IP address)

  • Network errors can make authentication difficult in certain situations

Which MFA Method Should I Use?

The best MFA methods are the methods that work best for the individual user. An ideal MFA provider will provide companies with the autonomy to customize their MFA, enabling them to employ two or more methods of their choice and, theoretically, their users’ choice too.  

Discuss Your MFA Options


Your next step: experience Duo now with a free trial