What is MFA (Multi-Factor Authentication) and how does it work?


Auth & identity

January 10, 2022

Author: Julianna Lamb

MFA stands for multi-factor authentication. It’s a layered approach to confirming a user’s identity to ensure they have permission to access a protected website, application, network, or other digital system or perform a protected task within a digital system.

As its name suggests, MFA requires users to successfully present two or more identity credentials, called authentication factors, in order to gain clearance. This often (but not always) occurs at initial login; sometimes, the authentication factor prompts are dispersed throughout a digital experience.

Why is multi-factor authentication important?

As time passes, hackers only grow more sophisticated. They now have at their disposal advanced tools that allow them to generate and test username and password combinations until they arrive at the correct permutation and gain access to the system they are trying to breach. 

Compounding the issue is the fact that users often select weak, obvious passwords and repeat them across multiple accounts, making it possible for hackers to breach multiple systems with one set of credentials. 

As a result, passwords alone have been rendered insufficient as a means of protecting sensitive online data. In fact, 81% of all data breaches can be traced to weak or stolen passwords, and the Open Web Application Security Standard (OWASP) now encourages all authentication flows to treat passwords as “pre-breached.”

MFA makes online systems more secure in light of this threat. By requiring users to verify their identity through multiple factors—not just a single password or password alternative—MFA makes unauthorized logins and fraudulent transactions less likely to occur. In turn, it has become a pillar of cybersecurity.

How does multi-factor authentication work?

MFA works according to a principle of layered security. By asking users to provide additional forms of identification, it increases the likelihood that the user is who they claim to be, reducing overall risk. 

Often, a user is prompted to present all of their credentials at initial login. A typical security protocol might have them submit their username and password (factor 1) and answer a security question (factor 2) before asking them to enter a one-time passcode sent to them by text or email (factor 3). Once the user completes all steps, they have access to the entire application.

What are the types of multi-factor authentication factors?

The advantage of MFA isn’t just that it asks for more than one piece of identification; it’s that it also asks for identification of different types. The most common types of authentication factors employed by MFA are:

  • Knowledge-based (things a user knows)
  • Possession-based (things a user has)
  • Inherence-based (things a user is)

Knowledge-based factors

Knowledge-based factors include information that ideally only the user will know. These include factors like:

  • Passwords are the de-facto authentication factor most people think of. Unfortunately, while passwords are designed to be information that only the user knows, hackers have a lot of ways of learning this information
  • Usernames are also knowledge-based factors. While we sometimes think of passwords as the main authentication factor, it’s really the combination of the username with the password that identifies them exclusively as a factor.  
  • Pins are very similar to passwords, except they typically draw from a smaller character-base (like numbers only) and are typically a shorter string. 
  • Security question answers like “What street did you grow up on?” or “What was the name of your first pet?” are also knowledge-based authentication factors. Unlike pins, usernames and passwords, though, these are usually a second factor and not a primary. 

Of the categories of authentication factors, knowledge-based authentication factors are generally the least secure, particularly when not paired with second or tertiary factors. 

Possession-based factors 

Possession-based factors refer to something the user has or has access to instead of knows. These include factors like:

  • Magic links, which let users instantly log in via a URL sent to a pre-registered email address
  • SMS one-time passcodes (OTPs), which ask users to enter a unique numeric or alphanumeric sequence sent by text to a recognized mobile phone number
  • Time-based one-time passcodes (TOTPs), which ask users to confirm control of their device within a certain time frame via a passcode generated by a smartphone app like Google Authenticator
  • Push authentication, which sends notifications to an app on users’ devices, asking them to approve or reject a login attempt

Inherence-based factors 

Inherence-based factors rely on biological traits unique to the user. You may also hear these referred to as biometrics or factors based on what you are. Examples of biometric factors include fingerprints, hand geometry, iris or retina recognition, voice recognition, and facial recognition. 

In customer-facing authentication, biometrics are typically paired with additional cryptographic technology. Good examples of these include WebAuthn, passkeys, and other technological standards that have come out of the FIDO alliance.

A table comparing different multi-factor authentication factors

What are the benefits and drawbacks of multi-factor authentication?

Benefits of MFA

The main benefit of MFA is security – multi-factor authentication process makes it considerably more difficult for hackers to breach a system than single-factor authentication. That’s a huge advantage, especially when you consider the exorbitant costs incurred by organizations and individuals affected by security violations. 

Drawbacks of MFA

One of the biggest drawbacks to MFA is in its effects on the user experience: in the process of making systems more secure, MFA can add some amount of friction to the system’s user experience. The good news is that can be mitigated by smart authentication design. 

Improving MFA user experience

One way to avoid undue hassle and frustration is to employ a route-based approach, in which MFA is only introduced for certain actions or transactions online. Another is to eliminate passwords as a verification factor entirely, since remembering and entering passwords are their own source of friction.

Passwordless authentication methods are simpler and faster than passwords, making user retention more likely. And because they can easily be layered in a multi-factor approach and avoid the security risks posed by weak and compromised passwords, they are inherently more secure.

Multi-factor authentication FAQs

What’s the difference between multi-factor authentication (MFA) and two-factor authentication (2FA)

MFA and 2FA are not fundamentally different. Two-factor authentication is just a subset of multi-factor authentication, which is an umbrella term for any authentication process that uses more than one verification factor. 

In other words, all 2FA is MFA, but not all MFA is 2FA, because some applications of MFA use three or more factors.

What is adaptive multi-factor authentication? Is it the same as just-in-time? 

This is a great question, as there are a few different terms that have overlapping or related meanings: 

  • Route-based authentication refers to any incremental security method, where a user must only undergo extra checks—like a second or multi-factor authentication—to carry out more sensitive tasks within an app.
  • Just-in-time (JIT) authentication is another, less technical term for route-based authentication, deriving its name from the fact that users are only asked to authenticate with additional factors at the moment the more sensitive tasks are being attempted.
  • Step-up or adaptive authentication refer to a specific type of just-in-time authentication that requires an additional authentication level specifically when trying to perform high-risk operations on an IT system

All three of these terms are important because they offer ways for companies to remove friction from MFA flows without compromising security – a key drive of conversion, adoption, and user engagement for any business model. 

Does MFA make accounts un-hackable or unphishable?

In short, no. There is virtually no authentication method or combination of methods that can guarantee 100% impenetrability from outside attacks. Just as authentication companies like Stytch are constantly innovating to improve our product, hackers are also constantly innovating to find new ways to compromise cybersecurity. 

MFA is no exception: while more secure than single-factor authentication processes, secondary factors like one-time passcodes and email magic links can be phished or stolen by attackers who are willing to put in the time. 

If phishing is a big concern for your product, it might be good to consider integrating “unphishable” authentication methods into your MFA flow – biometrics, Yubikeys, and passkeys are all much more difficult to phish or steal because they rely on inherence factors, rather than possession or knowledge.

To learn more, you can check our our article about unphishable MFA.

Is MFA the same thing as “zero trust”?

Not exactly, though they are often mentioned together:

  • Zero trust refers to an approach to cybersecurity in which no user nor device is trusted until their identity and access is verified. Every single device or user must be authenticated to gain access to a given network application, or server.
  • Multi-factor authentication has become a popular approach to zero trust because it adds a few additional layers of verification to the zero trust model. 

Put another way, zero trust is a guideline or model for how often or in what cases you authenticate, while multi-factor authentication refers to how that authentication is performed. 

Which MFA is right for my business?

At Stytch, we highly advocate for designing your authentication flows around what introduces the least amount of friction to your users, while still keeping them secure. Determining that usually varies from business to business. 

While we provide a more in-depth rundown how to choose the right MFA flow in another article, any company can start by considering three main decisions:

  1. Will you make MFA optional or require it for all users?
  2. Will you offer multiple MFA options so that users can choose what best fits their needs? How many and which options will you provide?
  3. Will you layer on?

Remember, when answering these, think about what kind of information is most at-risk or valuable that hackers might want to access, how much friction your users will tolerate, and at which junctures in their signup or login flow they’re most likely to tolerate that friction. 

Explore Stytch’s multi-factor authentication solutions

Looking for additional information on implementing secure, user-friendly, multi-factor authentication methods? Stytch has you covered. Sign up for a free account to get started, or talk to an auth expert today to discuss what MFA looks like for your product.


Get started with Stytch