Principles and Identity

Multi-Factor Authentication (MFA)

Require 2+ factors (knowledge, possession, inherence) to reduce credential risk.

Where you will see it: Used when designing and operating access control, authentication, authorization, and identity lifecycle.

What it is

Multi-factor authentication is an authentication method that requires at least two different factors, such as something you know, something you have, or something you are. It can be implemented with a single authenticator that combines factors or with multiple authenticators that provide distinct factors.

Key points
  • Prefer WebAuthn/passkeys where possible.
  • Fall back to TOTP or push; avoid SMS.
  • Apply step-up MFA for risky actions.

How it works in broad strokes

  1. Choose factor combinations that match risk, for example a phishing-resistant, device-based factor for admins.
  2. Bind authenticators to accounts securely and design recovery so it does not become the weakest link.
  3. Monitor MFA events and failures to detect phishing, push bombing, and token theft patterns.

Concrete example

A finance admin signs in using a password plus a hardware backed authenticator. Risky actions such as changing bank details require step up authentication. Account recovery requires verified identity and cannot be completed with email access alone.

Why it matters

Passwords get phished, reused, and leaked. MFA raises the cost of account takeover and helps defend privileged access and remote access pathways that attackers target first.

Security angle

  • Prefer phishing resistant methods for high risk accounts and actions, not just any second factor.
  • Rate limit and alert on repeated failures and unusual MFA prompts to catch abuse quickly.
  • Harden account recovery and enrollment because attackers often bypass MFA by abusing recovery flows.

Common pitfalls

  • Assuming any second factor is equally strong, even when it is easy to phish or intercept.
  • Allowing fallback to password only for convenience, which creates an attacker shortcut.
  • Underestimating social engineering and notification fatigue attacks against push based MFA.

DEEP DIVE

Factors, authenticators, and what actually counts as MFA

MFA is about distinct factors, not simply multiple steps. A password plus a second password is still one factor. The classic categories are something you know, something you have, and something you are.

NIST guidance describes MFA as requiring more than one distinct authentication factor, either through a multi factor authenticator or through combining authenticators that provide different factor types. That distinction helps you evaluate whether a method truly adds independent assurance.

Strength differences and phishing resistance

Not all MFA is equal. Some methods are highly resistant to phishing and replay, while others can be intercepted or socially engineered. The key question is whether an attacker can capture the factor and reuse it from another device or session.

For high risk access, prioritize methods that are resistant to credential phishing and session replay. This is especially important for privileged accounts, remote access, and access to sensitive data.

Lifecycle and recovery are part of the control

Real deployments fail when recovery is weak. If an attacker can reset MFA using a compromised email inbox or a help desk script, then the second factor becomes optional in practice.

Treat enrollment, device changes, and recovery as high risk events. Apply additional verification, monitoring, and waiting periods where appropriate, and log them as first class security events.

Operational realities and common attack patterns

Push fatigue attacks exploit human behavior by flooding users with approval prompts. SMS based codes can be vulnerable to interception and account takeover of phone numbers. TOTP codes can still be phished in real time if the attacker controls the flow.

Defenders should combine MFA with risk signals, such as device posture and anomaly detection, and should alert on patterns like repeated denials, new device enrollment, or sign ins from unusual locations.
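The alerting described in this section and in step 3 of "How it works", as an added example that is not part of the original page: a small Python detector run over constructed MFA log lines, flagging a burst of push denials, an approval that follows such a burst, a new authenticator enrollment, and a sign-in from a country outside the user's baseline. The log format, field names, thresholds, and the per-user country baseline are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample MFA events for illustration (not real logs):
# timestamp, user, event, then key=value attributes.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z alice push_denied ip=203.0.113.5 country=US
2024-03-01T09:00:20Z alice push_denied ip=203.0.113.5 country=US
2024-03-01T09:00:45Z alice push_denied ip=203.0.113.5 country=US
2024-03-01T09:01:10Z alice push_approved ip=203.0.113.5 country=US
2024-03-01T10:15:00Z bob mfa_enroll ip=198.51.100.7 country=US method=totp
2024-03-01T11:30:00Z carol signin_ok ip=192.0.2.9 country=BR
2024-03-01T11:31:00Z dave push_denied ip=198.51.100.8 country=US
"""

# Constructed baseline: countries each user normally signs in from.
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}, "dave": {"US"}}

DENIAL_THRESHOLD = 3          # denials inside WINDOW that count as a burst (assumed)
WINDOW = timedelta(minutes=5)

def parse(line):
    ts, user, event, *attrs = line.split()
    fields = dict(a.split("=", 1) for a in attrs)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, fields

def detect(log_text, known_countries):
    """Return (user, alert) pairs for the patterns the text describes."""
    alerts, denials, burst_at = [], {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, f = parse(line)
        if event == "push_denied":
            q = denials.setdefault(user, deque())
            q.append(ts)
            while q and ts - q[0] > WINDOW:      # keep only denials inside the window
                q.popleft()
            if len(q) >= DENIAL_THRESHOLD and user not in burst_at:
                alerts.append((user, "push_fatigue_burst"))
                burst_at[user] = ts
        elif event == "push_approved" and user in burst_at and ts - burst_at[user] <= WINDOW:
            alerts.append((user, "approval_after_burst"))   # fatigue attack likely succeeded
        elif event == "mfa_enroll":
            alerts.append((user, "new_authenticator_enrolled"))  # enrollment is a high-risk event
        if f.get("country") and f["country"] not in known_countries.get(user, set()):
            alerts.append((user, "unusual_location"))
    return alerts

if __name__ == "__main__":
    for user, alert in detect(SAMPLE_LOG, KNOWN_COUNTRIES):
        print(f"ALERT {alert:28} user={user}")
```

A single denial (dave) produces no alert, while alice's three denials within a minute followed by an approval produce both the burst alert and the follow-on approval alert.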

How to start and improve iteratively

Start by enabling MFA for the accounts that matter most: administrators, remote access users, and accounts with access to sensitive data. Use the strongest authenticator options available for those groups, then expand coverage to the broader workforce.

Next, refine policy with step up authentication for high risk actions and strengthen recovery. Over time, you can measure reductions in account takeover incidents and use that evidence to drive adoption of more phishing resistant methods.