Multi-Factor Authentication (MFA) is a security measure that requires multiple levels of authentication before granting a user account access to a system. A user is required to provide multiple factors of identification, including something the user knows (like a user name and password), something the user has (like a security token or mobile device), and something the user is (a biometric identification like a fingerprint or face scan).
If a system requires only a username and password as login information, it can be accessed by anyone who knows them — whether they're the authorized account owner or not. MFA systems add some extra steps to the authentication process to ensure that the person logging into the account is the account owner. Multi-Factor Authentication systems are similar to Two-Factor Authentication but with the option to require 2, 3, or more authentication steps.
There are three categories of authentication factors used in MFA. An MFA system requires at least two of these factors to ensure that the correct user is logging in to the account.
- Knowledge is something that the user knows. This factor is usually their username and password. Other knowledge factors like a PIN, passphrase, or security question can be used in conjunction with the username and password.
- Possession is something that the user has. Since this is often their smartphone, a code can be sent to the phone via SMS or generated by an MFA passcode generator app. Security token devices are also common — these small devices connect to a computer to provide authentication or display a one-time-use code that the user enters.
- Inherent factors are something that the user is, so many types of MFA use biometric identification. Fingerprint or face scans are the most common types, but some systems may use voice recognition or retinal scans for identification.
In many cases, users only need to provide additional authentication the first time they log in using a particular device. After successful authentication, the site sets a cookie in the web browser that tells the website that MFA was successful and that only the username and password are required. Changing devices or web browsers will cause another MFA check to take place.