Skip to content

Everything You Need to Know About Multi-Factor Authentication

June 25, 2020

multi-factor authentication

Consider how much of your life takes place on a computer or a mobile device.

You check your email, log into your social media accounts, and enter your credit card number after some online shopping. Every time we share sensitive data like passwords and banking information online,  it becomes increasingly important to find ways to strengthen our online cybersecurity efforts.

Each and every one of our digital accounts is at risk for a breach, which is why it’s crucial to add an extra level of protection with multi-factor authentication (MFA).

While MFA combines any total number of authentication factors to validate someone’s identity, the most common is two is two-factor authentication (2FA). Additionally, MFA can be triggered by a failed two-step authentication process or some kind of suspicious user behavior.

This is common for 2FA systems capable of MFA. It may also just be required for additional security when accessing more important files or sensitive data, such as health or financial records.

Additional layers of security in the log-in process can provide peace of mind that your personal information will stay protected and out of the wrong hands.

How does multi-factor authentication work?

It’s important to note that there are two main types of multi-factor authentication.

  • Application MFA: The authentication process that activates when a user attempts to gain access to one or more applications.
  • Device MFA: The authentication process that immediately activates MFA at the point of login to a system.

Although they are separate processes, MFA is basically the same for both types. When a user tries to gain access to something, (phone, laptop, server, etc.) they are met with multi-factor authentication and are forced to enter two or more authentication factors. If the factors are deemed correct by a core identity provider (IdP), they will be granted access.

One of the most asked for authentication factors is your phone number. Usually, with MFA, you enter in your username and password upon login and then a unique code that is sent via text message.

This proves that you remember both your username and password, but also that you are in possession of your smartphone, which is “registered” as a device to receive these types of codes.

What are authentication factors?

An authentication factor is a category of credentials to identify verification. When these factors are used in MFA, every additional factor increases the certainty that the person attempting to access the account is who or what they declared to be.

Your credentials fall into three different categories:

  • Knowledge: Something only the user knows such as their password or pin number.
  • Possession: Something only the user has such as a smartphone or a hardware token.
  • Inherence: Something that is only of that user such as their fingerprint or their voice.

For example, when logging into a banking app on a smartphone, the app texts the user a code to type in before they can access their account. This method of MFA falls under the “something you know” category, as it’s a PIN number the user has to enter before they are able to fully connect to their online bank account.


The Discover Card app takes it one step further by asking for “something you are” upon login – a fingerprint.


Or, think about when you go to the gas station to fill up your tank. After you swipe your credit card, the machine at the pump asks that you enter in your zip code. This would fall under “something you know” and is an older type of MFA.

Adaptive authentication

More current authentication factors consider the context of the login behavior.

For example, the system may recognize that a hacker is signing in from a strange location thousands of miles away, or notice that a new device is attempting to access your account. The system also takes note of the time you attempt login and the type of network you are accessing. If any of these factors appear out of the ordinary, adaptive authentication will be triggered. 

Adaptive authentication leverages artificial intelligence and machine learning to note any strange logins on your account. Any atypical behavior (logging in from a new location or at odd hours) will make the system send out additional verifications such as facial ID or email codes. 

Over time, adaptive authentication will learn the patterns of the user and eventually stop requiring them to verify their identity if they begin to frequent a new location or use a new device more and more. 

Tip: Don't get your cybersecurity terms mixed up. Multi-factor authentication is a form of risk-based authentication, but they are not the same thing.

Types of multi-factor authentication

You may only use two or three types of multi-factor authentication when accessing online accounts, but did you know that there are a number of different types? 

Email codes

These codes will be sent to the user requesting access through email. Receiving a code through your email is one of the most common types of MFA and can be a good option if your phone is lost, stolen, or simply in another room. 

Text tokens

A text token is identical to an email code, just through a different means of communication. Receiving text tokens is an easy option to implement and can be used by virtually anyone.

After you enter your username and password, a one-time password (OTP) in the form of a pin number will be sent to your phone. The number acts as the second authentication factor and is entered on the next page/screen.

Biometric verification

Biometric verification can be anything from fingerprint identification to facial recognition. Users with smart devices or computers can take advantage of this technology to further strengthen their online protection.

Using biometric verification is usually less of a hassle than a one-time password and can make MFA a breeze rather than a burden. 

Hardware tokens

While the previous three types of MFA have been virtual, a hardware token is physical. This token is considered one of the most secure methods of MFA but can be more expensive.

Many companies will offer hardware tokens to their highest-value users in order to keep them as a customer. Typically, a hardware token is the best option to protect things like your banking, insurance, and investment information. 

Users will insert the token into the device or computer to access information. If they want to access information on a mobile device, they may need a USB or USB-C “dongle”.

The only downside? You have to keep track of where the token is, and if you misplace it or forget it at home, you won’t be able to access your accounts. 

Security questions

You’ve probably come across security questions when setting up your bank account or school portal. Security questions are static and are considered a type of knowledge-based authentication (KBA). As you set up an account, you may be asked to set a security question.

Some example security questions are: 

  • What was the name of your first pet?
  • What street did you grow up on?
  • What is your mother’s maiden name?
  • What was your childhood nickname?

When accessing your account, you will enter your username and password and then be asked to provide an answer to the security question. Stronger versions of KBA (called dynamic KBA) are generated in real-time based on records such as recent transactions and credit history. 

Although security questions are a common form of multi-factor authentication, they can be compromised easily. If someone does enough online investigating through your social media accounts, they may be able to piece together some of the answers to your questions.

Other multi-factor authentication examples can include:

  • Retina or iris scanning
  • One time smartphone application codes
  • Behavioral analysis
  • USB devices, badges, other physical devices

The more types of multi-factor authentication you have implemented, the more secure your sensitive data becomes. Even if a hacker has access to two out of three types, they will still be unable to move forward and your MFA process will have been proven successful.

Why use multi-factor authentication?

While some feel like this process is a minor inconvenience, or it takes too long to set up, it’s worth it in the long run to have a higher level of security. In 2016, roughly one billion accounts and records were compromised worldwide, which equals out to be about three for every American citizen. MFA can help prevent this.

The ultimate goal of MFA is to create a line of defense between your information and hackers. MFA makes it much more difficult for unauthorized people to gain access. While they may know your password, they won’t be able to recreate a second authentication factor (your fingerprint, a text code, an answer to a security question). 

In the past, MFA systems implemented just a two-factor authentication but with the increasing number of cyberattacks, people are resorting to using two or more factors for additional layers of protection. Although we cannot prevent all online crime, taking simple steps like using 2FA or MFA can massively reduce the chance of hacking. 

If MFA is available, you should use it –especially when it comes to your most sensitive information such as your financial accounts, health records, and your primary email address.

Related: Interested in taking your security efforts even further? Browse our list of the best cybersecurity software providers that protect against hacking, viruses, and other threats.

MFA security

Just how secure is multi-factor authentication? Security ultimately depends on dedication. If you’re willing to take the time to enter multiple authentication factors in to access your account, you may lose a minute of your day, but you’ll be better protected in the long run. 

Additionally, trickier passwords (especially a variety of tricky passwords) are your best bet when it comes to account security. If you’re looking to beef up your MFA process, you can do any of the following:

  • Ask your bank to implement multi-factor authentication.
  • Try to avoid authenticating your identity through social verification as they are at most risk to be hacked.
  • Do your research on which MFA methods will work best for you.

Achieving 100% security will never happen, but if you’re proactive with your online security, even the smartest hackers won’t be able to steal your personal information. 

Benefits of multi-factor authentication

Nowadays, people expect multi-factor authentication to be apart of any account setup. It’s been integrated into the modern customer service experience and is now the standard for basic online security. 

People love MFA because: 

  • It provides a higher level of protection than just a username and password.
  • Users may feel more valued by companies that use MFA.
  • MFA can connect with single sign-on software and give users a more simplified and secure login process.

At the end of the day, it’s only getting more dangerous to keep confidential information online or in the cloud. The rise of multi-factor authentication has eased the minds of customers and companies alike and has significantly strengthened overall protection against unauthorized users.

Tip: If you’re ready to find the perfect solution to keep your information safe, browse the top multi-factor authentication tools on G2.

Two is better than one

And three is even least when it comes to your security efforts. More and more websites, services, and apps are taking advantage of two, or even three, factor authentication as an added layer of protection.

The next time you sign up for an account, make sure you take the extra few minutes to set up MFA and protect all of your sensitive data.

Want to learn more about hacking? Discover how spear phishing works and how you can protect yourself from being an easy target.

Never miss a post.

Subscribe to keep your fingers on the tech pulse.

By submitting this form, you are agreeing to receive marketing communications from G2.