Multi-Factor Authentication (MFA)

A security mechanism requiring users to verify their identity through two or more factors before gaining access, typically something they know, something they have, or something they are.

MFA significantly reduces the risk of unauthorized access even when credentials are stolen.

Why MFA Exists

Multi-Factor Authentication requires more than a password to log in. You know your password. You also have your phone, your hardware key, or your fingerprint. When access requires at least two of these, a stolen password alone cannot get an attacker in.

Microsoft's research shows MFA blocks more than 99.9% of account compromise attacks. Most credential-based breaches rely on stolen or guessed passwords. MFA makes a stolen password nearly useless without the second factor.

The tradeoff is friction. MFA adds a step to every login. Modern implementations have reduced that friction considerably: push notifications take two seconds, biometrics take one, and hardware keys are nearly instant. The security gain against the friction cost is not a close call.

Types of MFA Factors

Factors fall into three categories.

  • Something you know: a password, PIN, or security question.
  • Something you have: a smartphone for push notifications or time-based one-time passwords (TOTP), or a hardware key like a YubiKey.
  • Something you are: a fingerprint, facial recognition, or retinal scan.

Strength varies by method. SMS codes are better than nothing but are vulnerable to SIM-swapping attacks. Authenticator app codes (TOTP) are stronger. Hardware security keys are the strongest widely deployed option and are resistant to phishing, because a fake login page cannot capture a hardware key response it could reuse.

MFA Fatigue

As MFA adoption has spread, attackers have adapted. MFA fatigue attacks send dozens of push approval requests in rapid succession, hoping the user will approve one just to make it stop. Modern MFA systems include fraud detection for unusual request volumes. Number-matching, where the user confirms a number shown on the login screen before approving, prevents blind approvals and has become the recommended approach for push-based MFA.
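The two mitigations named above, a cap on push volume and number matching, are simple to implement together. The following is an added example, not the glossary's or any identity provider's code: `PushMfaService` suppresses further prompts and flags the user once more than five pushes have been sent in two minutes (both thresholds assumed), and a prompt can only be approved with the two-digit number shown on the login screen, once, before it expires. The random source is injectable so the behaviour can be tested deterministically.

```python
import secrets
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional, Set, Tuple

# Assumed policy values, not from the glossary: stop sending pushes once a user
# has received MAX_PROMPTS within WINDOW_SECONDS; a prompt expires after PROMPT_TTL.
MAX_PROMPTS = 5
WINDOW_SECONDS = 120
PROMPT_TTL = 60


class PushMfaService:
    """Push-based MFA with number matching and a per-user prompt rate limit."""

    def __init__(self, rng: Callable[[int], int] = secrets.randbelow):
        self.rng = rng  # secrets.randbelow in production; injectable for tests
        self.sent: Dict[str, Deque[int]] = defaultdict(deque)  # user -> push timestamps
        self.pending: Dict[str, Tuple[str, int, int]] = {}  # prompt_id -> (user, number, issued_at)
        self.flagged: Set[str] = set()  # users whose prompt volume looks like a fatigue attempt

    def request_push(self, user: str, now: int) -> Optional[Tuple[str, int]]:
        """Issue a prompt and return (prompt_id, number to display on the login
        screen), or None when the user is over the prompt budget."""
        recent = self.sent[user]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()  # drop timestamps that fell out of the sliding window
        if len(recent) >= MAX_PROMPTS:
            self.flagged.add(user)  # surface to the SOC; pushes stay suppressed
            return None
        recent.append(now)
        number = self.rng(100)  # two-digit challenge, 00-99
        prompt_id = secrets.token_hex(8)
        self.pending[prompt_id] = (user, number, now)
        return prompt_id, number

    def approve(self, prompt_id: str, entered: int, now: int) -> bool:
        """Device-side approval: succeeds only with the matching number, before
        expiry, and at most once per prompt. A wrong number burns the prompt,
        so a blind tap on the device cannot approve a login it did not start."""
        entry = self.pending.pop(prompt_id, None)  # single use, whatever the outcome
        if entry is None:
            return False
        _user, number, issued_at = entry
        if now - issued_at > PROMPT_TTL:
            return False
        return entered == number


if __name__ == "__main__":
    svc = PushMfaService()
    issued = svc.request_push("demo-user", 0)  # constructed user name
    print("prompt issued:", issued)
```

Note that the number is shown on the login screen and typed into the device, never the reverse: the party that holds the session proves it is also the party holding the phone.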

MFA for Remote and Distributed Teams

Remote work made MFA more critical. Employees log in from home networks, cafes, airports, and hotel rooms, environments with no IT-controlled perimeter. Every access request comes from an untrusted network, which means identity verification must be rock-solid. MFA is the primary control that makes accessing company systems from anywhere workable without sacrificing security.
