Requires more than one independent kind of proof so a password alone is not enough to log in.
Multi-factor authentication, usually shortened to MFA, requires more than one independent type of proof during login. In plain language, a password alone is not enough. The user must also provide another factor, such as a hardware key, biometric check, or device-based approval.
MFA matters because passwords are frequently stolen, guessed, reused, or phished. Requiring another factor makes it much harder for someone to take over an account with only one compromised secret.
It also matters because some identities are especially sensitive. Administrator accounts, identity-provider logins, remote access paths, and privileged recovery workflows can all unlock much broader access than an ordinary application session.
MFA appears in workforce SSO, VPN access, cloud administration, password reset flows, privileged operations, and customer login systems. Some organizations require it on every sign-in, while others step it up based on device trust, risk signals, or resource sensitivity.
Security teams also rely on MFA during incident response and recovery. When an account shows suspicious behavior, stronger factor requirements can reduce abuse while access is being reviewed.
| Factor type | Example | Security role |
|---|---|---|
| Something you know | Password or PIN | Familiar, but often weak alone |
| Something you have | Hardware key or trusted device | Adds possession-based proof |
| Something you are | Biometric check | Ties login to the person using the device |
An employee enters a username and password for the company identity provider, then confirms the login with a hardware-backed device prompt. If the password had been stolen through phishing, the attacker would still need the second factor to complete the sign-in.
MFA does not simply mean “two screens during login.” The important point is that the factors are different and independent. Entering two passwords is still not multi-factor authentication.
It is also different from Single Sign-On. SSO lets one authenticated session reach multiple applications. MFA strengthens the proof of identity during that login. The two are often used together, but they solve different problems.
Not all MFA methods resist phishing equally well. Hardware-backed and device-bound methods generally provide stronger protection than one-time codes, which work for whoever obtains and enters them.
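The independence rule and the phishing-resistance caveat above can be enforced in a login policy check. The following is an added example, not code from any product: the method names are the RFC 8176 `amr` values an identity provider can report, while the mapping to factor types, the `PHISHING_RESISTANT` set, and the `evaluate_login` function are assumptions made for illustration.

```python
# Added example. Factor types follow the table above; the assignment of each
# method to a type is this example's assumption, not a standard.
KNOW, HAVE, ARE = "something you know", "something you have", "something you are"

FACTOR_OF = {
    "pwd": KNOW, "pin": KNOW, "kba": KNOW,                 # password, PIN, security questions
    "otp": HAVE, "sms": HAVE, "swk": HAVE, "hwk": HAVE, "sc": HAVE,
    "fpt": ARE, "face": ARE, "iris": ARE,                  # biometric checks
}

# Assumption: hardware-secured keys and smart cards count as phishing-resistant.
PHISHING_RESISTANT = {"hwk", "sc"}


def evaluate_login(methods, sensitive=False):
    """Return (allowed, reason) for the methods a user completed at sign-in.

    Unrecognised method names are ignored rather than trusted, so they can
    never raise the factor count.
    """
    recognised = [m for m in methods if m in FACTOR_OF]
    categories = sorted({FACTOR_OF[m] for m in recognised})

    # Two methods of the same type (for example two passwords) are one factor.
    if len(categories) < 2:
        found = categories[0] if categories else "no recognised factor"
        return False, "not multi-factor: " + found

    # Step-up for sensitive resources: require a phishing-resistant method.
    if sensitive and not PHISHING_RESISTANT.intersection(recognised):
        return False, "sensitive resource needs a phishing-resistant method"

    return True, "multi-factor: " + " + ".join(categories)


if __name__ == "__main__":
    # Constructed sample sign-ins: (methods completed, resource is sensitive)
    samples = [
        (["pwd", "pin"], False),   # two knowledge factors
        (["pwd", "otp"], False),   # password plus one-time code
        (["pwd", "otp"], True),    # same, but for an admin console
        (["pwd", "hwk"], True),    # password plus hardware key
    ]
    for methods, sensitive in samples:
        print(methods, "sensitive" if sensitive else "ordinary",
              "->", evaluate_login(methods, sensitive))
```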