MFA (multi-factor authentication) requires a user to present two or more independent pieces of evidence to sign in. It protects against password compromise by requiring an additional proof.
The factors
Traditional authentication theory defines three factor types:
- Something you know — a password or PIN
- Something you have — a phone (for SMS or TOTP), a hardware key
- Something you are — biometrics (fingerprint, face)
MFA is “any two of the above.” 2FA is a subset where there are exactly two.
Common MFA methods
- TOTP (Time-based One-Time Password) — an app like Google Authenticator generates a rolling 6-digit code from a shared secret and the current time. Strong against password-only compromise; note that the code is still a value the user types in, so a real-time phishing page can relay it, unlike a hardware key.
- SMS codes — convenient but vulnerable to SIM swapping. Use as a fallback, not a primary.
- Email codes — if your primary factor is already the email account (a magic link), a second code sent to that same inbox adds no independent evidence.
- Hardware keys (FIDO2, U2F) — the strongest option. Phishing-resistant by design.
- Biometrics + device-bound credentials — effectively what passkeys provide.
When to enforce it
- Always for admin and billing actions
- Default for enterprise customers
- Opt-in for consumer accounts, with a gentle nudge
Step-up authentication — requiring MFA right before a sensitive action, not on every sign-in — is often a better UX than blanket enforcement.
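The enforcement tiers listed above and the step-up rule fit together naturally in one policy function. The following is an added example (not from the original page) showing how a service might decide, per request, whether to require a second factor; the `Session` fields, the action names, the `mfa_policy_at_login` / `authorize` helpers and the five-minute freshness window are all this example's own assumptions.

```python
# Added example: MFA enforcement tiers plus step-up authentication as a single policy.
# Not code from the original page; every name and threshold below is an assumption of this example.
from dataclasses import dataclass
from typing import Optional

# Actions that warrant a fresh second factor regardless of how the user signed in.
SENSITIVE_ACTIONS = {"change_password", "add_payment_method", "grant_admin", "export_data"}

# Step-up freshness: the second factor must have been completed this recently (seconds).
STEP_UP_MAX_AGE = 300


@dataclass
class Session:
    user_id: str
    is_admin: bool
    is_enterprise: bool
    mfa_enrolled: bool      # user has registered at least one second factor
    mfa_opted_in: bool      # consumer chose to require MFA at every sign-in
    last_mfa_at: Optional[int] = None  # Unix time of the last successful second factor, if any


def mfa_policy_at_login(s: Session) -> str:
    """Blanket policy at sign-in: 'require', 'nudge' (prompt consumer to enrol) or 'skip'."""
    if s.is_admin or s.is_enterprise:
        return "require"            # always for admins, default for enterprise customers
    if s.mfa_opted_in:
        return "require"            # consumer who opted in
    return "nudge" if not s.mfa_enrolled else "skip"   # gentle nudge for unenrolled consumers


def step_up_required(s: Session, action: str, now: int) -> bool:
    """Step-up: a sensitive action needs a second factor completed within STEP_UP_MAX_AGE."""
    if action not in SENSITIVE_ACTIONS:
        return False
    if s.last_mfa_at is None:
        return True
    return now - s.last_mfa_at > STEP_UP_MAX_AGE


def authorize(s: Session, action: str, now: int) -> str:
    """Per-action decision: 'allow', 'step_up' (verify a factor first) or 'enroll' (nothing registered yet)."""
    if not step_up_required(s, action, now):
        return "allow"
    if not s.mfa_enrolled:
        return "enroll"
    return "step_up"


def record_mfa_success(s: Session, now: int) -> Session:
    """Called after a factor is verified; refreshes the step-up timer on the session."""
    s.last_mfa_at = now
    return s


if __name__ == "__main__":
    # Constructed sample: an enterprise user whose last second factor was 20 minutes ago.
    alice = Session("alice", is_admin=False, is_enterprise=True, mfa_enrolled=True, mfa_opted_in=True, last_mfa_at=0)
    print(mfa_policy_at_login(alice))                      # require
    print(authorize(alice, "view_dashboard", now=1200))     # allow (not sensitive)
    print(authorize(alice, "add_payment_method", now=1200)) # step_up (older than 300 s)
    record_mfa_success(alice, now=1200)
    print(authorize(alice, "add_payment_method", now=1250)) # allow (fresh)
```

Keeping `last_mfa_at` on the session, rather than a boolean "MFA done" flag, is what makes step-up work: a sign-in from an hour ago does not vouch for a billing change now, and an unenrolled user hitting a sensitive action is routed to enrolment instead of being silently allowed through.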
See the full auth glossary for related terms.