Multi-Factor Authentication: How It Works

Multi-factor authentication (MFA) is a means of authenticating a user. It grants access only after the user presents two or more pieces of evidence (factors) to an authentication provider. Factors fall into the following categories:

  • knowledge (something the user and only the user knows),
  • possession (something the user and only the user has), or
  • inherence (something the user and only the user is).

As such, multi-factor authentication is different from multi-step verification. Both harden a user's digital security by adding steps to the login process, but multi-step verification adds steps from the same category (for example, a password followed by a security question, both of which are things you know). Multi-factor authentication requires evidence from at least two different categories, so an attacker who has stolen a password still lacks the second factor and finds it much harder to impersonate the user.

Multi-factor authentication is an important part of identity and access management. It helps protect against password compromise by requiring at least one additional form of proof. The 2017 Verizon Data Breach Investigations Report found that 81% of hacking-related breaches involved weak or stolen credentials.

In 2019, Google reported on its security blog that enabling MFA with device-based challenges (on-device prompts) blocked 100% of automated bot attacks, 99% of bulk phishing attacks, and 90% of targeted attacks. With a physical security key, all three categories of attack were blocked entirely.

There are numerous types of second factors. These include SMS-based authentication (text), voice call authentication, physical security keys, software authenticator apps and security questions. Note that a security question is a knowledge factor: combined with a password it is multi-step verification, not multi-factor authentication in the sense defined above. There are also numerous software authentication providers, including Okta, Google, Duo, Symantec, RSA, and many others.
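Most software authenticator apps are possession factors built on time-based one-time passwords (TOTP, RFC 6238): the user's device and the server share a secret, and the device proves it is present by computing a short code from that secret and the current time. The following Python is an added example, not code from the original page or from any of the providers named above. It implements the HOTP/TOTP computation and a server-side verifier with a small clock-skew window and replay protection. The secret is the RFC 4226/6238 test-vector key, a constructed demo value and not a real credential; the class and function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 / RFC 6238 test-vector key
# "12345678901234567890", base32-encoded as authenticator apps expect it.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)            # counter as 8-byte big-endian
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the number of `step`-second
    intervals since the Unix epoch. The device and server compute this independently."""
    return hotp(secret_b32, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check of a submitted TOTP code (hypothetical helper for this example).

    - `skew` is the number of 30-second steps accepted on either side of the current
      one, to tolerate clock drift between the device and the server.
    - A counter value is accepted at most once, so a code captured in transit cannot
      be replayed within the skew window.
    """

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret_b32 = secret_b32
        self.step = step
        self.digits = digits
        self.skew = skew
        self._last_counter = -1   # highest counter already consumed

    def verify(self, code: str, at_time: int) -> bool:
        current = int(at_time) // self.step
        for c in range(current - self.skew, current + self.skew + 1):
            if c <= self._last_counter:         # also rejects negative counters
                continue                        # already used (or older): replay
            expected = hotp(self.secret_b32, c, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self._last_counter = c
                return True
        return False


if __name__ == "__main__":
    # Device side: compute the code for "now" (time 59 in the RFC test vectors).
    code = totp(DEMO_SECRET_B32, 59)
    print("device shows:", code)
    # Server side: first presentation accepted, replay of the same code rejected.
    verifier = TotpVerifier(DEMO_SECRET_B32)
    print("first attempt:", verifier.verify(code, 59))
    print("replayed code:", verifier.verify(code, 59))
```

A stolen password alone does not get an attacker past `verify`, because producing a valid code requires the shared secret held on the user's device. The example also shows why real deployments keep the skew window small and mark counters as used: a wider window or no replay tracking gives a phished or shoulder-surfed code a longer useful life.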