MFA (Multi-Factor Authentication)

MFA (Multi-Factor Authentication) is a security mechanism that requires users to verify their identity using two or more independent factors before access is granted.

What is MFA?

Multi-Factor Authentication (MFA) is an authentication method that strengthens account security by requiring multiple proofs of identity instead of relying on a single password. These factors typically fall into three categories: something you know (password, PIN), something you have (smartphone, hardware token, smart card), and something you are (biometrics such as fingerprint or facial recognition). Access is granted only when the required combination of factors is successfully validated.

Why MFA matters

MFA significantly reduces the risk of:

  • Account takeover from stolen passwords
  • Phishing-based credential compromise
  • Brute-force and credential-stuffing attacks
  • Unauthorized access to cloud and SaaS platforms

Most modern security frameworks consider MFA mandatory for privileged and remote access.

Common MFA methods

Widely used MFA implementations include:

1) Authenticator apps

  • Time-based one-time passwords (TOTP)
  • Push notifications for approval

2) Hardware security keys

  • FIDO2 / U2F keys
  • Phishing-resistant authentication

3) SMS or voice codes (legacy / weaker)

  • Susceptible to SIM-swapping and interception

4) Biometrics

  • Fingerprint, facial recognition, iris scanning

MFA vs strong authentication

MFA improves security but is not infallible:

  • MFA can be bypassed via MFA fatigue, session hijacking, or token theft
  • Passwordless and phishing-resistant MFA provide stronger guarantees
  • MFA must be combined with monitoring and policy enforcement

Security effectiveness depends on factor quality, not just factor count.

MFA and phishing

While MFA mitigates many phishing attacks, it does not eliminate them:

  • MFA fatigue attacks trick users into approving requests
  • OAuth token theft can bypass MFA
  • Adversary-in-the-middle (AiTM) attacks capture session cookies

Phishing-resistant MFA methods (for example FIDO2) are recommended for high-risk accounts.

MFA in enterprise environments

In corporate IT, MFA is commonly enforced for:

  • Cloud services (Microsoft 365, Google Workspace)
  • VPN and remote access
  • Privileged accounts and admin portals
  • DevOps pipelines and API access

Conditional Access policies often determine when and how MFA is required.

Common misconceptions

  • “MFA makes accounts unhackable”
  • “Any MFA is equally secure”
  • “MFA protects against all phishing attacks”
  • “SMS MFA is sufficient for admins”

Best practices for MFA

Effective MFA deployment includes:

  • Enforcing MFA for all users, especially admins
  • Using phishing-resistant factors where possible
  • Limiting MFA prompts with risk-based policies
  • Monitoring MFA failures and unusual prompts
  • Educating users about MFA fatigue attacks
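An added example (not part of the original entry) showing how the last two practices translate into detection logic: it runs over constructed push-notification log lines (the line format, event names and user names are assumed) and flags users who receive a burst of prompts inside a short window, escalating when an approval lands during the burst, which is the outcome an MFA fatigue attack is after.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real IdP): "<timestamp> <user> <event>".
# alice is normal sign-in traffic; bob is repeatedly prompted late at night,
# denies several times and finally approves.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z alice push_sent
2024-05-01T08:00:20Z alice push_approved
2024-05-01T22:10:00Z bob push_sent
2024-05-01T22:10:15Z bob push_denied
2024-05-01T22:10:40Z bob push_sent
2024-05-01T22:11:02Z bob push_denied
2024-05-01T22:11:30Z bob push_sent
2024-05-01T22:11:55Z bob push_denied
2024-05-01T22:12:20Z bob push_sent
2024-05-01T22:12:50Z bob push_denied
2024-05-01T22:13:10Z bob push_sent
2024-05-01T22:13:40Z bob push_approved
"""


def parse_line(line):
    """Split one assumed-format log line into (datetime, user, event)."""
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def detect_mfa_fatigue(log_text, max_prompts=3, window=timedelta(minutes=10)):
    """Return {user: alert} for users prompted >= max_prompts times within
    `window`. An approval while the burst is active sets approved_during_burst,
    which is the case to escalate: the user may have given in to the prompts."""
    recent = defaultdict(deque)  # user -> push_sent timestamps inside the window
    denied = defaultdict(int)    # user -> denials seen so far
    alerts = {}
    for raw in log_text.strip().splitlines():
        ts, user, event = parse_line(raw)
        q = recent[user]
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if event == "push_sent":
            q.append(ts)
        elif event == "push_denied":
            denied[user] += 1
        if len(q) >= max_prompts:  # burst threshold reached for this user
            a = alerts.setdefault(user, {"prompts": 0, "denials": 0,
                                         "approved_during_burst": False,
                                         "first_seen": ts.isoformat()})
            a["prompts"] = max(a["prompts"], len(q))
            a["denials"] = denied[user]
            if event == "push_approved":
                a["approved_during_burst"] = True
    return alerts


if __name__ == "__main__":
    for user, alert in detect_mfa_fatigue(SAMPLE_LOG).items():
        print(user, alert)
```

In a real deployment the same logic would read from the identity provider's sign-in log and the thresholds would be tuned to the tenant's normal prompt rate.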