← All glossary terms Glossary

What is Multi-Factor Authentication (MFA)?

A sign-in security control that requires something beyond a password — typically a phone, security key, or app prompt.

Multi-Factor Authentication (MFA) requires more than one form of evidence that you are who you say you are. The two most common combinations are password plus phone (text code or app prompt) or password plus hardware security key. MFA is the single most effective control against credential theft — the vast majority of account-takeover attacks fail when MFA is in place. Note that not all MFA is equal: phishing-resistant factors like FIDO2 security keys defeat attack patterns that simple SMS codes do not.

  • Requires two or more independent proofs of identity, so a stolen password alone isn't enough.
  • Blocks the large majority of automated account-takeover attacks.
  • Phishing-resistant factors (FIDO2 keys, passkeys) are far stronger than SMS codes.

En français

Authentification multifacteur (AMF)

Un contrôle de connexion qui exige plus qu'un mot de passe — généralement un téléphone, une clé de sécurité ou une application.

L'authentification multifacteur (AMF, ou MFA en anglais) exige plus d'une preuve de votre identité. Les combinaisons les plus courantes sont le mot de passe plus le téléphone (code par texto ou notification d'application) ou le mot de passe plus une clé de sécurité matérielle. L'AMF est le contrôle le plus efficace contre le vol d'identifiants — la vaste majorité des attaques de prise de contrôle de compte échouent lorsqu'elle est en place. Notez que tous les facteurs ne se valent pas : les clés FIDO2 résistantes à l'hameçonnage déjouent des attaques que les simples codes par texto ne bloquent pas.

Multi-Factor Authentication (MFA): frequently asked questions

What is the difference between MFA and 2FA?

2FA is MFA with exactly two factors. MFA is the broader term covering two or more. In everyday use the words are often interchangeable.

Is MFA unbreakable?

No. Attackers use MFA-fatigue prompts, phishing proxies, and SIM swaps to get around weaker factors like SMS. Phishing-resistant options such as hardware security keys and passkeys close most of those gaps.

Want to talk through how this fits your environment?

Book a no-obligation consultation and we'll explain how this plays out for an organization like yours.

Talk to our team