Overview
Direct Answer
Multi-factor authentication (MFA) is a security control that requires users to verify their identity using two or more independent verification methods—or factors—before gaining access to a system or resource. This approach substantially reduces the risk of unauthorised access compared to single-factor methods such as passwords alone.
How It Works
MFA combines factors from distinct categories: something you know (passwords, PINs), something you have (hardware tokens, mobile devices), and something you are (biometric data). Upon login, the system prompts the user to provide each required factor sequentially or simultaneously, verifying each independently before granting access.
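To make the "verifying each independently" step concrete, the following is an added example, not part of the original page: a minimal second-factor verifier in Python. The "something you know" factor is a password checked against a PBKDF2 hash, and the "something you have" factor is a time-based one-time password (TOTP, RFC 6238) generated by the user's device. The user record, secret, and salt are constructed for the demo; the functions `hotp`, `totp`, and the `Authenticator` class are names chosen here, not from any particular product. The verifier accepts a one-step clock skew window and refuses to accept the same time step twice, so a captured code cannot be replayed within its validity window.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # TOTP time step (RFC 6238 default)
DIGITS = 6          # code length shown to the user
SKEW_STEPS = 1      # accept codes from one step before or after "now"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    # Constructed parameters for the demo; a real deployment tunes iterations to its hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Authenticator:
    """Checks the knowledge factor and the possession factor independently; both must pass."""

    def __init__(self):
        # Constructed user database: username -> record. last_step prevents code replay.
        self.users = {}

    def enrol(self, username: str, password: str, totp_secret: bytes, salt: bytes) -> None:
        self.users[username] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret,
            "last_step": -1,
        }

    def verify(self, username: str, password: str, code: str, now: int) -> bool:
        record = self.users.get(username)
        if record is None:
            return False

        # Factor 1: something you know. Constant-time compare against the stored hash.
        pw_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])

        # Factor 2: something you have. Search the skew window for a matching, unused step.
        current_step = now // STEP_SECONDS
        matched_step = None
        for step in range(current_step - SKEW_STEPS, current_step + SKEW_STEPS + 1):
            expected = hotp(record["totp_secret"], step)
            if hmac.compare_digest(expected, code) and step > record["last_step"]:
                matched_step = step
                break

        # Both factors are evaluated before deciding, so a failed password does not
        # short-circuit and leak which factor was wrong through timing.
        if not (pw_ok and matched_step is not None):
            return False

        # Burn the accepted step so the same code cannot be presented again.
        record["last_step"] = matched_step
        return True


# Constructed demo values: the RFC 6238 test secret and a fixed salt.
DEMO_SECRET = b"12345678901234567890"
DEMO_SALT = b"demo-salt-not-for-production"


def build_demo_authenticator() -> Authenticator:
    auth = Authenticator()
    auth.enrol("alice", "correct horse battery staple", DEMO_SECRET, DEMO_SALT)
    return auth


if __name__ == "__main__":
    auth = build_demo_authenticator()
    t = 1234567890
    code = totp(DEMO_SECRET, t)
    print("login with both factors:", auth.verify("alice", "correct horse battery staple", code, t))
    print("replay of the same code:", auth.verify("alice", "correct horse battery staple", code, t + 5))
```

The replay check matters in practice: a TOTP code is valid for the whole time step plus the skew window, so without remembering the last accepted step a code phished seconds earlier would still log the attacker in. Recording the step rather than the code also means the user cannot be locked out simply because a previous code was seen.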
Why It Matters
Organisations adopt MFA to mitigate credential compromise risks, particularly against phishing and brute-force attacks. Regulatory frameworks and compliance standards increasingly mandate MFA for sensitive data access, driving adoption across financial services, healthcare, and government sectors. The modest implementation cost relative to breach remediation costs makes MFA economically compelling.
Common Applications
Enterprise cloud platforms, banking systems, email services, and virtual private networks routinely deploy MFA. Government agencies, healthcare providers, and financial institutions require MFA for administrative access and sensitive transactions to meet compliance obligations.
Key Considerations
MFA introduces user friction and dependency on secondary devices, potentially impacting adoption rates and support burden. Loss or compromise of a factor (such as a mobile device) can block legitimate access, necessitating robust account recovery procedures.