Cybersecurity Glossary

What Is Multi-Factor Authentication (MFA)?

Multi-factor authentication, or MFA, adds another proof step beyond a password. It makes account takeover harder because a stolen password alone should not be enough to sign in.

Short definition

MFA is an authentication method that requires two or more factors, such as a password, authenticator app, hardware key, push approval, one-time code, or biometric check.

At a glance: MFA is one of the most practical ways to reduce password-based account takeover, but users still need to handle prompts carefully.

Multi-Factor Authentication Meaning

Passwords are often stolen, guessed, reused, or phished. MFA reduces the value of a password by requiring another proof before access is granted.

The extra proof can take different forms. A user may approve a prompt, enter a code from an authenticator app, use a hardware security key, receive a verification message, or provide a biometric check on a managed device.

Not all MFA methods offer the same protection. Hardware security keys and other phishing-resistant methods are stronger than simple SMS codes. Push prompts are useful, but users must know to deny prompts they did not start.

For business users, MFA should be treated like a security question from the system: Did you really start this login? If not, deny the request and report it.

How MFA Works

MFA checks more than one type of proof before granting access.

  1. The user enters a password. The first factor usually proves something the user knows.
  2. A second factor is requested. The system asks for a code, approval, hardware key, device check, or biometric confirmation.
  3. Context may be evaluated. Location, device health, app sensitivity, and risk signals may influence the login.
  4. Access is allowed or denied. The user gains access only if the required proof checks pass.
  5. Suspicious prompts can reveal attacks. Unexpected MFA requests may mean someone has the password and is trying to sign in.

Common MFA Examples

MFA can use different methods depending on risk and system design.

  • Authenticator app code: The user enters a time-limited code from an app.
  • Push approval: The user approves or denies a login request on a trusted device.
  • Hardware security key: A physical key proves the user has a trusted device.
  • Biometric check: A fingerprint or face unlock verifies the user on a device.
  • SMS code: A code is sent by text message, though this method can be weaker than other options.

Why MFA Matters

MFA helps protect accounts when passwords fail. If a password appears in a breach or is entered into a fake login page, the attacker still needs another factor.

It reduces risk from credential stuffing, brute force, phishing, remote access attacks, and reused passwords.

MFA also creates useful signals. Repeated denied prompts, unexpected codes, or approvals from unusual locations can reveal an active attack.
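
One way a security team could turn these signals into alerts, as an added example that is not part of the original page. The event fields, thresholds, per-user country baseline and sample events are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
DENY_THRESHOLD = 3               # assumed: denials within WINDOW that form a burst

# Constructed sample events: (timestamp, user, prompt result, source country).
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "approved", "US"),
    ("2024-05-01T02:10:00", "bob", "denied", "US"),
    ("2024-05-01T02:11:30", "bob", "denied", "US"),
    ("2024-05-01T02:12:10", "bob", "denied", "US"),
    ("2024-05-01T02:13:00", "bob", "denied", "US"),
    ("2024-05-01T02:14:05", "bob", "approved", "US"),
    ("2024-05-01T08:00:00", "dave", "denied", "US"),
    ("2024-05-01T08:30:00", "dave", "denied", "US"),
    ("2024-05-01T11:00:00", "carol", "approved", "BR"),
]
# Constructed baseline of countries each user normally signs in from.
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"DE"}, "dave": {"US"}}


def detect(events, baseline):
    """Return (timestamp, user, finding) alerts in time order."""
    recent_denials = defaultdict(deque)   # user -> denial times inside WINDOW
    alerts = []
    for ts, user, result, country in sorted(events):
        now = datetime.fromisoformat(ts)
        denials = recent_denials[user]
        while denials and now - denials[0] > WINDOW:
            denials.popleft()             # drop denials older than the window
        if result == "denied":
            denials.append(now)
            if len(denials) == DENY_THRESHOLD:
                alerts.append((ts, user, "repeated_denied_prompts"))
        elif result == "approved":
            # An approval right after a burst of denials suggests the user
            # gave in to prompts they did not start.
            if len(denials) >= DENY_THRESHOLD:
                alerts.append((ts, user, "approval_after_denial_burst"))
            if country not in baseline.get(user, set()):
                alerts.append((ts, user, "approval_from_unusual_location"))
            denials.clear()
    return alerts
```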

How to Use MFA Safely

MFA works best when users understand what prompts mean.

  • Deny prompts you did not start. Unexpected MFA prompts can mean someone has your password.
  • Report suspicious prompts. Security teams can check whether the account is under attack.
  • Use stronger MFA where possible. Hardware keys and other phishing-resistant methods are better for high-risk accounts.
  • Protect recovery methods. Backup codes, phone numbers, and recovery email accounts should be secured.
  • Do not share codes. Support staff, coworkers, and vendors should not ask for MFA codes.

What to Do After an Unexpected MFA Prompt

An unexpected prompt is a warning sign, not an annoyance to approve.

  1. Deny the prompt. Do not approve a login you did not start.
  2. Report it immediately. Share the time, account, location details, and any related messages.
  3. Change the password from a trusted path. A prompt may indicate the password is already known to an attacker.
  4. Review active sessions. Security may need to revoke sessions, check devices, and review account activity.

Related Multi-Factor Authentication (MFA) Terms

MFA reduces risk from stolen credentials and session attacks.

Multi-Factor Authentication (MFA) Takeaway

MFA is a strong defense because it makes passwords less decisive. A stolen password should not equal access.

The human habit matters: deny prompts you did not start, never share codes, and report suspicious login activity quickly.

FAQ

Questions Teams Ask About MFA

Quick answers about multi-factor authentication, MFA methods, account protection, and prompt safety.

What is multi-factor authentication?

Multi-factor authentication requires more than one type of proof before a user can access an account or system.

What does MFA protect against?

MFA helps protect against stolen passwords, credential stuffing, brute force attacks, phishing, and unauthorized logins.

What are common MFA factors?

Common factors include something you know, such as a password; something you have, such as a phone or token; and something you are, such as a fingerprint.

Can attackers bypass MFA?

MFA reduces risk but is not perfect. Attackers may use phishing proxies, MFA fatigue, stolen sessions, malware, or social engineering.