Status DataClose notification

What Is Multi-Factor Authentication?

TL;DR: Multi-factor authentication (MFA) requires a user to prove their identity with two or more independent types of evidence before being granted access, typically something they know (a password), something they have (a phone or hardware key), or something they are (a fingerprint). The point is that a single stolen credential, like a leaked password, isn't enough on its own to get in.

What Multi-Factor Authentication Actually Is

Password-only authentication has a well-documented failure mode: passwords get phished, reused across sites, leaked in breaches, or guessed. Once an attacker has the password, they have the account. Multi-factor authentication closes that gap by requiring at least one additional, independent proof of identity beyond the password, so a compromised password alone no longer grants access.

The word "independent" matters here. Two passwords aren't multi-factor; they're the same factor twice. MFA specifically combines different categories of evidence, each of which fails independently of the others. That's why a stolen password combined with a physical authenticator app on the user's phone stops most credential-based attacks cold — the attacker would need both.

The Three Factor Categories

MFA is built from combinations of three basic factor types:

  • Something you know — a password, PIN, or security question answer
  • Something you have — a phone receiving a one-time code, an authenticator app, a hardware security key (like a YubiKey), or a smart card
  • Something you are — a fingerprint, facial recognition, or another biometric marker

A login that asks for a password and then a code sent by SMS is using two of these categories (knowledge + possession), which is why it counts as MFA. A login that asks for a password and then a security question is not true MFA — both are "something you know," so the same phishing attack that steals one can typically capture the other too.

How Multi-Factor Authentication Works

  1. First factor. The user enters their password (or another knowledge-based credential).
  2. Trigger. The system confirms the password is correct, then prompts for the additional factor rather than granting access immediately.
  3. Second factor. The user provides proof from a different category — approving a push notification, entering a time-based one-time code, inserting a hardware key, or scanning a fingerprint.
  4. Verification and access. Only once both factors check out does the system grant access.

Adaptive MFA adds a layer on top of this: it evaluates contextual signals like device, location, time of day, network reputation, and adjusts the challenge accordingly, prompting for an additional factor only when something looks unusual rather than on every single login.

Why Multi-Factor Authentication Matters

The core benefit is straightforward: a stolen or phished password stops being enough on its own. Since credential leaks and phishing remain among the most common ways accounts get compromised, adding a second, independent factor removes a large share of account takeover attempts without requiring the user to do anything more complex than approve a prompt or enter a code.

This is also why MFA has become close to a baseline expectation rather than an optional hardening step — for exchanges, admin panels, source code repositories, and anywhere else account takeover has outsized consequences, treating MFA as default rather than opt-in materially reduces attack surface.

Can Multi-Factor Authentication Be Hacked?

Yes — MFA reduces risk substantially, but it isn't unbreakable. The realistic attack paths worth knowing about:

  • MFA fatigue / push bombing. An attacker who already has valid credentials repeatedly triggers push notification prompts, hoping the user eventually approves one out of frustration or confusion.
  • SIM swapping. If the second factor is an SMS code, an attacker who convinces a carrier to port the victim's number to a new SIM can intercept those codes directly.
  • Adversary-in-the-middle phishing. A convincing fake login page relays both the password and the one-time code to the real site in real time, capturing a valid session.
  • Social engineering the reset process. Attackers target account recovery flows or support staff to bypass MFA entirely rather than defeat it directly.

This is why phishing-resistant factors — hardware security keys using FIDO2/WebAuthn, in particular — are considered stronger than SMS or push-based MFA: they're bound to the specific website being logged into, so a relayed phishing page can't successfully capture or replay them.

Conclusion

Multi-factor authentication doesn't make an account unhackable, but it removes the single point of failure that a password-only login carries. The strength of that protection depends heavily on which factors are used — a hardware key resists attacks that SMS codes don't — which is worth weighing deliberately rather than treating all MFA methods as interchangeable.