What Is Multi-Factor Authentication (MFA)?

Multi-factor authentication, or MFA, protects your applications by using a second source of validation before granting access to users. Common examples of multi-factor authentication include personal devices, such as a phone or token, or geographic or network locations. MFA enables organizations to verify the identities of users before they can gain entry to critical systems.

Why is multi-factor authentication needed?

As organizations digitize operations and take on greater liability for storing customer data, the risks and need for security increase. Because attackers have long exploited user login data to gain entry to critical systems, verifying user identity has become essential.

Authentication based on usernames and passwords alone is unreliable and unwieldy, since users may have trouble storing, remembering, and managing them across multiple accounts, and many reuse passwords across services and create passwords that lack complexity. Passwords also offer weak security because of the ease of acquiring them through hacking, phishing, and malware.

What are some examples of multi-factor authentication?

Cloud-based authenticator apps such as Duo are engineered to provide a smooth login experience with MFA. They are designed to integrate seamlessly within your security stack. With Duo, you can:

  • Verify user identities in seconds
  • Protect any application on any device, from anywhere
  • Add MFA to any network environment

How does multi-factor authentication work?

MFA requires means of verification that unauthorized users won't have. Since passwords are insufficient for verifying identity, MFA requires multiple pieces of evidence to verify identity. The most common variant of MFA is two-factor authentication (2FA). The theory is that even if threat actors can impersonate a user with one piece of evidence, they won't be able to provide two or more.

Proper multi-factor authentication uses factors from at least two different categories. Using two from the same category does not fulfill the objective of MFA. Despite wide use of the password/security question combination, both factors are from the knowledge category--and don't qualify as MFA. A password and a temporary passcode qualify because the passcode is a possession factor, verifying ownership of a specific email account or mobile device.

Is multi-factor authentication complicated to use?

Multi-factor authentication introduces an extra step or two during the login process, but it is not complicated. The security industry is creating solutions to streamline the MFA process, and authentication technology is becoming more intuitive as it evolves.

For example, biometric factors like fingerprints and face scans offer fast, reliable logins. New technologies that leverage mobile device features like GPS, cameras, and microphones as authentication factors promise to further improve the identity verification process. Simple methods like push notifications only require a single tap to a user's smart phone or smart watch to verify their identity.

How do organizations start using MFA?

Many operating systems, service providers, and account-based platforms have incorporated MFA into their security settings. For single users or small businesses, using MFA is as simple as going to settings for operating systems, web platforms, and service providers and enabling the features.

Larger organizations with their own network portals and complex user-management challenges may need to use an authentication app like Duo, which adds an extra authentication step during login.

How do MFA and single sign-on (SSO) differ?

MFA is a security enhancement, while SSO is a system for improving productivity by allowing users to use one set of login credentials to access multiple systems and applications that previously may have each required their own logins.

While SSO works in conjunction with MFA, it does not replace it. Companies may require SSO--so corporate email names are used to log in--in addition to multi-factor authentication. SSO authenticates users with MFA and then, using software tokens, shares the authentication with multiple applications.

What is adaptive authentication?

In adaptive authentication, authentication rules continuously adjust based on the following variables:

  • By user or groups of users defined by role, responsibility, or department
  • By authentication method: for example, to authenticate users via push notification but not SMS
  • By application: to enforce more secure MFA methods--such as push notification or Universal 2nd Factor (U2F)--for high-risk applications and services
  • By geographic location: to restrict access to company resources based on a user's physical location, or to set conditional policies restricting use of certain authentication methods in some locations but not others
  • By network information: to use network-in-use IP information as an authentication factor and to block authentication attempts from anonymous networks like Tor, proxies, and VPNs
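
An added example (not Duo's code or configuration) showing how the variables listed above can combine into a single access decision. The policy structure, field names, group and application names, and the country codes `XA` and `XB` are hypothetical placeholders constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LoginContext:
    group: str        # role or department of the user
    method: str       # factor offered: "push", "sms", "u2f"
    application: str  # application being accessed
    country: str      # derived from IP geolocation
    network: str      # "corporate", "residential", "tor", "proxy", "vpn"

# Constructed sample policy; every value here is an assumption.
POLICY = {
    "blocked_networks": {"tor", "proxy", "vpn"},
    "denied_countries": {"XA"},
    "methods_barred_in_country": {"XB": {"sms"}},
    "group_methods": {"finance": {"push", "u2f"},
                      "default": {"push", "u2f", "sms"}},
    "high_risk_apps": {"payroll"},
    "high_risk_methods": {"push", "u2f"},
}

def evaluate(ctx: LoginContext, policy: dict = POLICY) -> tuple:
    """Return (action, detail); action is 'allow', 'step_up' or 'deny'."""
    # Network and location rules are checked first: they block outright.
    if ctx.network in policy["blocked_networks"]:
        return ("deny", "anonymous network")
    if ctx.country in policy["denied_countries"]:
        return ("deny", "location not permitted")
    # Start from the methods the user's group may use...
    groups = policy["group_methods"]
    allowed = set(groups.get(ctx.group, groups["default"]))
    # ...narrow to stronger methods for high-risk applications...
    if ctx.application in policy["high_risk_apps"]:
        allowed &= policy["high_risk_methods"]
    # ...and remove methods barred in the user's current location.
    allowed -= policy["methods_barred_in_country"].get(ctx.country, set())
    if not allowed:
        return ("deny", "no permitted method")
    if ctx.method in allowed:
        return ("allow", "policy satisfied")
    # The offered factor is too weak here: ask for one that is permitted.
    return ("step_up", sorted(allowed))
```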


Benefits of multi-factor authentication

Improved trust

The costs of hacking and phishing attacks can be high. Because MFA helps secure systems against unauthorized users--and their associated threats--the organization is more secure overall.

If organizations are hesitant to ask users to comply with tighter security, they should consider that users themselves--especially customers--may appreciate the extra security for their data. When customers trust a vendor's security protections, they are more likely to trust the organization overall, which means MFA becomes an important competitive advantage.

Reduced costs

Successful defenses against attacks can provide a return on investment that covers the expense of an MFA solution--for example, preventing a costly and damaging attack on network resources. Even without preventing attacks, MFA can save organizations money by allowing IT departments to deploy resources to protect other parts of networks from different threats.

Easier logins

As multi-factor authentication technology advances, making greater use of passive methods like biometrics and software tokens, it becomes more user-friendly. Easy-to-use MFA processes help users log in more quickly, so workers can be more productive.

In e-commerce, login problems can mean lost sales. User-friendly MFA processes that improve the user experience can help customers log in and, therefore, purchase products.

MFA methods

Knowledge

Knowledge--usually a password--is the most commonly used tool in MFA solutions. However, despite their simplicity, passwords have become a security problem and slow down productivity.

Users today have too many passwords; to ease their management, users create passwords that are not secure or that are used repeatedly across platforms. Another disadvantage is that the knowledge can be forgotten or, if stored somewhere, stolen.

The security question--another knowledge method in wide use but falling out of favor--requires the user to store the answer to a personal question in their profile and then enter it during login. This process is seen as onerous by many users because of the need for repeated data entry and storing and managing their answers.

The dynamic security question, which is more effective and user-friendly, typically asks for contextual information the user has access to, such as a recent financial transaction.

Physical

Physical factors--also called possession factors--use tokens, such as a USB dongle or a portable device, that generate a temporary QR (quick response) code. Mobile phones are commonly used, as they have the advantage of being readily available in most situations.

On the plus side, physical factors are outside the network and usually difficult to spoof. But devices like phones can be lost or stolen, and mobile networks can present their own security vulnerabilities.

Virtual "soft" tokens are a cookie or piece of code stored in a way that effectively turns a device into a physical token. Soft tokens may not be suitable for all users since they require software and expertise to use properly. In addition, soft tokens can be copied, which could lead to unauthorized use.

The U2F standard combines a USB or near-field communication (NFC) token with an open-standard application, providing a simple way to use additional authentication factors with platforms that support them.

Inherent

This category includes biometrics like fingerprint, face, and retina scans. As technology advances, it may also include voice ID or other behavioral inputs like keystroke metrics. Because inherent factors are reliably unique, always present, and secure, this category shows promise.

However, not all devices have the necessary software, processing power, and hardware features (such as microphones and cameras), so some users may not be able to take advantage of these advances in MFA usability and security.

Location-based and time-based

Authentication systems can use GPS coordinates, network parameters, and metadata for the network in use, and device recognition for MFA. Adaptive authentication combines these data points with historical or contextual user data.

These factors have the advantage of operating in the background, with very little input required of users, which means they don't impede productivity. However, since they require software and expertise to use, they are mostly suitable for large organizations with the resources to manage them.

Time-based one-time password (TOTP)

This is generally used in 2FA but could apply to any MFA method where a second step is introduced dynamically at login upon completing a first step. The wait for a second step--in which temporary passcodes are sent by SMS or email--is usually brief, and the process is easy to use for a wide range of users and devices. This method is currently widely used.

On the operational side, two-step authentication requires the use of software or an outside vendor to provide the service. As with the use of mobile devices as physical tokens, mobile networks can introduce their own security issues.

The security key is generally a QR code that the user scans with a mobile device to generate a series of numbers. The user then enters those numbers into the website or application to gain access. The passcodes expire after a certain period of time, and a new one will be generated the next time a user logs in to an account.

Social media

In this case, a user grants permission for a website to use their social media username and password for login. This provides an easy login process, and one generally available to all users.

But social media networks are often the target of online criminals because they provide a rich source of user data. In addition, some users may have concerns about the security and privacy implications of sharing logins with social media networks.

Risk-based authentication

Sometimes called adaptive multi-factor authentication, this method combines adaptive authentication and algorithms that calculate risk and observe the context of specific login requests. The goal of this method is to reduce redundant logins and provide a more user-friendly workflow.

For users with many logins for various systems, risk-based authentication can be a key time-saver. However, it requires software that learns how users interact with a system and IT expertise to deploy and manage.

Push-based 2FA

Push-based 2FA improves on SMS and TOTP 2FA by adding additional layers of security while improving ease of use. It confirms a user's identity with multiple factors of authentication that other methods cannot. Because push-based 2FA sends notifications through data networks like cellular or Wi-Fi, users must have data access on their mobile devices to use the 2FA functionality.