What Is Multi-Factor Authentication?
Multi-factor authentication, or MFA, is an authentication system that requires more than one distinct type of factor before it lets you in. A password alone is one factor, and passwords get stolen, guessed, and phished every day. Add a second factor of a different kind, and a stolen password is no longer enough on its own. That is the entire idea, and it is one of the highest-value controls a security program has.
The strength comes from combining different kinds of proof, not from stacking two of the same.
The three authentication factors
NIST identifies three classic factors: something you know (a password or PIN), something you have (a security key, or a phone or token that generates one-time codes), and something you are (a biometric such as a fingerprint). MFA means using two or more authenticators of different types, so that defeating one does not defeat the login. Two authenticators of the same type, such as a password plus a PIN, are both something you know and together still count as a single factor.
How strong is strong enough
Not all authentication is equal. NIST grades the strength of the process using Authenticator Assurance Levels (AALs), from basic to very high, and ties the highest levels to phishing resistance.
| Level | Confidence | Requires |
|---|---|---|
| AAL1 | Basic | Single-factor authentication, though MFA is recommended. |
| AAL2 | High | Two distinct factors through a secure protocol; a phishing-resistant option must be offered. |
| AAL3 | Very high | Two factors using a hardware-based authenticator with verifier impersonation (phishing) resistance. |
[[INSIGHT: A biometric feels like the strongest factor, but NIST does not treat it as a secret. Your fingerprint is something you are, not something only you know, so it counts only when bound to a device you physically hold. The hardware is doing more of the work than the finger.]]
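The factor-counting and assurance rules above, encoded as a small policy checker. This is an added example written for this page, not code from NIST or from any identity provider; the authenticator catalogue is constructed, and the AAL mapping is a simplification of SP 800-63B (AAL3 here means MFA that includes a hardware-based, phishing-resistant authenticator; AAL2 means any MFA; a biometric without a physical authenticator is rejected outright).

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Iterable


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


@dataclass(frozen=True)
class Authenticator:
    """One authenticator and the factor type(s) it provides on its own.
    A multi-factor authenticator (a key that also needs a PIN) lists two."""
    name: str
    factors: FrozenSet[Factor]
    hardware: bool = False            # hardware-based authenticator
    phishing_resistant: bool = False  # verifier-impersonation resistant


# Constructed catalogue for the examples (assumptions, not a NIST list).
PASSWORD = Authenticator("memorized secret", frozenset({Factor.KNOW}))
PIN = Authenticator("PIN", frozenset({Factor.KNOW}))
TOTP_APP = Authenticator("TOTP app on a phone", frozenset({Factor.HAVE}))
FINGERPRINT_ALONE = Authenticator("fingerprint, no bound device", frozenset({Factor.ARE}))
HARDWARE_KEY = Authenticator("single-factor FIDO2 key", frozenset({Factor.HAVE}),
                             hardware=True, phishing_resistant=True)
HARDWARE_KEY_WITH_PIN = Authenticator("FIDO2 key + PIN", frozenset({Factor.HAVE, Factor.KNOW}),
                                      hardware=True, phishing_resistant=True)
HARDWARE_KEY_WITH_FINGERPRINT = Authenticator("FIDO2 key + fingerprint",
                                              frozenset({Factor.HAVE, Factor.ARE}),
                                              hardware=True, phishing_resistant=True)


def factor_types(auths: Iterable[Authenticator]) -> FrozenSet[Factor]:
    """Distinct factor types covered by the whole set of authenticators."""
    return frozenset(f for a in auths for f in a.factors)


def is_multi_factor(auths: Iterable[Authenticator]) -> bool:
    """MFA needs two or more *different* types; password + PIN is still one."""
    return len(factor_types(list(auths))) >= 2


def biometric_use_is_permitted(auths: Iterable[Authenticator]) -> bool:
    """A biometric is not a secret: it only counts alongside something you have
    (NIST requires a biometric to be paired with a physical authenticator)."""
    types = factor_types(list(auths))
    return Factor.ARE not in types or Factor.HAVE in types


def assurance_level(auths: Iterable[Authenticator]) -> str:
    """Highest AAL the authenticator set can satisfy, or 'not permitted'.
    Simplified: AAL3 = MFA including a hardware-based, phishing-resistant
    authenticator; AAL2 = any MFA; AAL1 = a single factor type."""
    auths = list(auths)
    if not auths or not biometric_use_is_permitted(auths):
        return "not permitted"
    if not is_multi_factor(auths):
        return "AAL1"
    if any(a.hardware and a.phishing_resistant for a in auths):
        return "AAL3"
    return "AAL2"


if __name__ == "__main__":
    cases = [
        [PASSWORD, PIN],                      # two of the same type -> AAL1
        [PASSWORD, TOTP_APP],                 # know + have -> AAL2
        [PASSWORD, FINGERPRINT_ALONE],        # biometric with nothing you hold
        [HARDWARE_KEY_WITH_PIN],              # one multi-factor authenticator
        [PASSWORD, HARDWARE_KEY],             # know + hardware have
        [HARDWARE_KEY_WITH_FINGERPRINT],      # biometric bound to a device
    ]
    for combo in cases:
        names = " + ".join(a.name for a in combo)
        print(f"{names:45s} -> {assurance_level(combo)}")
```

The point the checker makes concrete is that counting authenticators is not the same as counting factors: the set is evaluated by the distinct types it covers, and a biometric changes the answer only when something you have is also present.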
- MFA requires more than one distinct type of authentication factor.
- The three factors are something you know, something you have, and something you are.
- A biometric is not a secret and must be paired with a physical authenticator.
- NIST assurance levels run AAL1 (basic) to AAL3 (very high, hardware and phishing-resistant).
- Phishing-resistant authenticators stop secrets from being captured by an impostor verifier.
Frequently asked questions
What is multi-factor authentication?
An authentication system that requires more than one distinct type of factor to sign in. It can use one multi-factor authenticator or combine single-factor authenticators that provide different factor types.
What are the three authentication factors?
Something you know (a password or PIN), something you have (a security key or device), and something you are (a biometric like a fingerprint). MFA combines two or more different types.
What are NIST authenticator assurance levels?
AAL1 gives basic confidence with single-factor auth; AAL2 gives high confidence with two factors and a phishing-resistant option; AAL3 gives very high confidence requiring a hardware-based, phishing-resistant authenticator.
What makes an authenticator phishing-resistant?
Its protocol prevents disclosing authentication secrets and valid outputs to an impostor verifier, without relying on the user’s vigilance. NIST also calls this verifier impersonation resistance.
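Why a phishing-resistant authenticator survives an impostor verifier and a one-time code does not, as a runnable simulation. This is an added example, not code from the page or from NIST: HMAC over a shared secret stands in for the asymmetric signature a real FIDO2/WebAuthn authenticator would produce, the origins and device secret are constructed, and the relay logic is a simplified model of a phishing proxy that forwards messages between the user and the real site.

```python
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://login.example.com"       # hypothetical legitimate verifier
IMPOSTOR_ORIGIN = "https://login-example.com"   # hypothetical phishing site

# Constructed long-term secret shared by authenticator and real verifier.
# (With a key pair, the verifier would hold only the public key.)
DEVICE_SECRET = bytes.fromhex("0f" * 32)


def totp_code(secret: bytes, timestep: int, digits: int = 6) -> str:
    """RFC 6238-style code: HMAC over the time counter only. Nothing about
    the verifier is mixed in, so the code is valid wherever the user types it."""
    digest = hmac.new(secret, struct.pack(">Q", timestep), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def origin_bound_response(secret: bytes, challenge: bytes, origin: str) -> bytes:
    """Response that commits to the origin the client is actually connected to,
    the way a WebAuthn authenticator signs client data that names the origin."""
    return hmac.new(secret, challenge + origin.encode(), hashlib.sha256).digest()


class RealVerifier:
    """The legitimate service. It only ever checks against its own origin."""

    def __init__(self, origin: str, secret: bytes):
        self.origin = origin
        self.secret = secret

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def accept_totp(self, code: str, timestep: int) -> bool:
        return hmac.compare_digest(code, totp_code(self.secret, timestep))

    def accept_bound(self, challenge: bytes, response: bytes) -> bool:
        expected = origin_bound_response(self.secret, challenge, self.origin)
        return hmac.compare_digest(expected, response)


def relay_attack_with_totp(verifier: RealVerifier, timestep: int) -> bool:
    """User types the current code into the impostor page; the impostor
    forwards it to the real site. True means the attack is accepted."""
    code_typed_on_phish_page = totp_code(DEVICE_SECRET, timestep)
    return verifier.accept_totp(code_typed_on_phish_page, timestep)


def relay_attack_with_bound_authenticator(verifier: RealVerifier) -> bool:
    """Impostor fetches a genuine challenge, hands it to the user's browser,
    and relays whatever comes back. The browser binds the response to the
    origin it sees (the impostor's), so the real verifier's check fails.
    True means the attack is accepted."""
    challenge = verifier.new_challenge()
    relayed = origin_bound_response(DEVICE_SECRET, challenge, IMPOSTOR_ORIGIN)
    return verifier.accept_bound(challenge, relayed)


def legitimate_login_with_bound_authenticator(verifier: RealVerifier) -> bool:
    """Same authenticator, user actually on the real origin: accepted."""
    challenge = verifier.new_challenge()
    response = origin_bound_response(DEVICE_SECRET, challenge, REAL_ORIGIN)
    return verifier.accept_bound(challenge, response)


if __name__ == "__main__":
    v = RealVerifier(REAL_ORIGIN, DEVICE_SECRET)
    step = 1_700_000_000 // 30
    print("TOTP relayed via impostor accepted:  ", relay_attack_with_totp(v, step))
    print("bound response relayed via impostor: ", relay_attack_with_bound_authenticator(v))
    print("bound response on real origin:       ", legitimate_login_with_bound_authenticator(v))
```

The user does nothing different in the two runs; the difference is that the bound authenticator's output is only valid for the origin it was produced for, which is exactly what "without relying on the user's vigilance" means in the answer above. Note that the code-based authenticator is still a valid second factor, it just gives the impostor a window to replay what it captured.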