defensiva
MFA
2FA
multi-factor authentication

Multi-Factor Authentication (MFA): What It Is and How It Works

What multi-factor authentication (MFA) is: the three factors, factor types (TOTP, FIDO2, passkeys), MFA fatigue, SIM swap and phishing-resistant MFA.

SecraJuly 6, 202611 min read

Multi-factor authentication (MFA) is the access control mechanism that requires a user to present two or more independent proofs of identity before being granted access to a system. Instead of trusting a single password (a secret that can be stolen, leaked, or guessed), MFA combines factors of a different nature, so that compromising one is not enough to impersonate the person. It is the single best cost-to-benefit control in all of identity security and the first recommendation in any serious audit.

MFA at a glance

  • MFA requires two or more factors from different categories: something you know, something you have, and something you are.
  • 2FA, two-step verification, and two-factor authentication are variants or synonyms of the same idea: MFA with exactly two factors.
  • Not all factors are equal: SMS OTP is the weakest (SIM swap), push suffers from MFA fatigue, and only FIDO2/passkeys resist phishing.
  • The dominant attacks in 2026 are push bombing, real-time phishing (adversary-in-the-middle), and session cookie theft.
  • In the EU, NIS2 and the ENS push MFA towards mandatory; the reference technical standard is NIST SP 800-63B (levels AAL2 and AAL3).

What is multi-factor authentication

Multi-factor authentication rests on a simple idea: a proof of identity is more reliable the harder it is for the same attacker to obtain several proofs at once. A password stolen in a breach, reused across ten services, or captured on a fake website leaves the account fully exposed. If, on top of the secret, you also require a physical key plugged into the laptop, the remote attacker who only has the password is left out.

The key condition is independence. Two passwords are not MFA, because they belong to the same category and are compromised in the same way. For real multi-factor, the proofs must come from different categories. That is why MFA neutralises the most common account-takeover vectors: credential stuffing, password spraying, and credential phishing.

The three authentication factors

All MFA is built on three classic factor categories. A correct deployment combines at least two of different categories.

Something you know

The knowledge factor: password, PIN, security question, or pattern. It is the most widespread and also the most fragile, because a memorised secret can be shared, guessed, leaked in a breach, or stolen through social engineering. On its own it should never be considered sufficient for sensitive access.

Something you have

The possession factor: a device under the user's physical control. This covers the smartphone that receives a push notification, the app that generates time-based codes, the smart card, and above all the FIDO2 security key (a YubiKey, for example). Possession raises the bar sharply because it forces the attacker to hold the object, not just a data point.

Something you are

The inherence factor: biometrics such as fingerprint, face, or voice recognition. In practice biometrics are used as a local unlock of the device or the key (Touch ID, Windows Hello, Face ID), not as data that travels over the network. The sensor confirms that whoever operates the possession factor is its owner, and that is its most robust role.

MFA, 2FA, two-step verification, and two-factor authentication: clearing up the terms

These terms cause a lot of confusion, much of it driven by marketing. It helps to nail down the vocabulary:

  • MFA (multi-factor authentication) is the general concept: two or more factors from different categories.
  • 2FA (two-factor authentication) is the specific case of MFA with exactly two factors. All 2FA is MFA, but not all MFA is 2FA.
  • Two-step verification is the loosest term. It usually describes two sequential steps that are not always from different categories (password plus a code sent to your email, for example, where that mailbox may be protected only by another password). Depending on how it is implemented, it is weak MFA or not MFA at all.

The distinction matters in audits: ticking a "two-step verification" box with password plus an emailed code does not equal robust MFA and does not meet the expectations of frameworks such as NIS2 or PCI DSS 4.0 for critical access.

Factor types and their security level

Not all second factors offer the same protection. This is the real 2026 hierarchy, from weakest to strongest:

FactorCategoryStrengthMain weakness
SMS / SMS OTPPossessionLowSIM swap, SS7 interception, real-time phishing
Email OTPPossession (weak)LowDepends on mailbox security, forwarding, phishing
TOTP (authenticator app)PossessionMediumPhishing (user types the code on a fake site), poorly stored seed
Push notificationPossessionMediumMFA fatigue, push bombing, careless approval
Push with number matchingPossessionMedium-highReduces push bombing, but not AiTM phishing
FIDO2 key / WebAuthn / passkeyPossessionHighPractically immune to phishing thanks to origin binding
Local biometrics + FIDO2Inherence + possessionVery highNeeds compatible hardware and a good recovery flow

TOTP (Time-based One-Time Password, defined in RFC 6238 on top of the HOTP of RFC 4226) generates six-digit codes that change every 30 seconds from a shared seed. Apps such as Aegis, Microsoft Authenticator, or FreeOTP implement it. It is a clear security jump over SMS, but it is still phishable: if the user enters the code on a fake page, the attacker relays it to the legitimate service within seconds.

Attacks against MFA: fatigue, push bombing, and SIM swap

An account having MFA does not make it invulnerable. Attackers have developed specific techniques against each factor type.

MFA fatigue and push bombing. When the second factor is a push notification that only asks "Approve" or "Deny", the attacker who already has the password fires dozens of requests in a row. Sooner or later the user, annoyed or confused, taps "Approve". That is how Lapsus$ got into Uber in 2022. The mitigation is number matching (the app shows a number that must be typed on the login screen) and rate limiting on requests.

SIM swapping. The attacker convinces the carrier to port the victim's number to a SIM they control, and from then on receives every SMS OTP. This is the fundamental reason NIST classifies SMS as a "restricted" authenticator in SP 800-63B.

Real-time phishing (adversary-in-the-middle). Kits like Evilginx2 or EvilProxy act as a reverse proxy between the victim and the real service. They capture the password, the TOTP code, or the push approval, and steal the already-authenticated session cookie. With that cookie the attacker gets in without going through MFA again. This vector defeats almost every classic factor and is why the industry is pushing towards phishing-resistant MFA. To recognise these pages, see our guide on how to avoid phishing.

Phishing-resistant MFA: FIDO2, WebAuthn, and passkeys

Phishing-resistant MFA is the class of factors that cannot be captured or relayed by an intermediary. Today there are two real families: public-key cryptography based on FIDO2/WebAuthn, and PKI solutions with smart cards (PIV, CAC), common in government and military environments.

FIDO2 combines the W3C WebAuthn standard (the browser API) with CTAP2 from the FIDO Alliance (the dialogue with the key). Its decisive property is origin binding: the key signs a challenge tied to the real domain, verified by the browser. If the user is on a phishing domain, the signature does not match and authentication fails, without the user needing to notice the deception. There is no shared secret to type, so there is nothing a proxy can steal.

Passkeys are discoverable FIDO2 credentials that can also sync across devices in the same ecosystem (Apple, Google, Microsoft) through an encrypted keychain. They combine phishing resistance with a passwordless experience: the user approves with local biometrics and that is it. For how these pieces relate to the rest of the identity stack, see what is IAM and the Zero Trust guide, where identity becomes the new perimeter.

Rolling out MFA in the enterprise: NIS2, ENS, and conditional access

At the corporate level, MFA has moved from recommendation to requirement. NIS2 (article 21.2) requires access control and robust authentication measures from essential and important entities, and Spain's National Security Framework (ENS) captures it in its OP.ACC domain. PCI DSS 4.0 mandates MFA for all access to the cardholder data environment, and NIST SP 800-63B defines levels AAL2 (two factors) and AAL3 (which in practice requires a phishing-resistant cryptographic authenticator and verification of device possession).

An enterprise rollout is not just about flipping a switch. The key pieces are:

  • Conditional access. Platforms such as Entra ID Conditional Access, or equivalent policy engines, adjust the MFA requirement by risk: location, device compliance, application sensitivity, and behaviour. A low-risk session passes with minimal friction; an anomalous one demands re-verification or is blocked.
  • Full coverage. MFA must also cover legacy protocols (IMAP, POP3, basic SMTP) that often bypass it, and administrator accounts, which are the priority target.
  • Secure recovery. Reset flows and backup factors are the most attacked point. A good rollout avoids email as the only fallback and prefers more than one FIDO2 key per privileged user.
  • Session protection. Against cookie theft, short-lived tokens and device binding help. The same token-validation logic applies to APIs: see what is JWT and its security and, for federation, what is SAML.

The pragmatic roadmap is: MFA for everyone as a baseline, passkeys or FIDO2 keys for privileged and higher-risk accounts, and conditional access to modulate friction without punishing productivity.

Frequently asked questions

Is MFA the same as 2FA?

Not exactly. MFA is the general concept of requiring two or more factors from different categories. 2FA (or two-factor) is the specific case with exactly two factors. All 2FA is MFA, but a deployment with three factors is MFA without being 2FA. In everyday use they are treated almost as synonyms, but technically 2FA is a subset of MFA.

Is SMS MFA secure?

It is better than password alone, but it is the weakest form of MFA. SMS is vulnerable to SIM swapping, to interception through SS7 protocol flaws, and to real-time phishing. NIST classifies it as a "restricted" authenticator in SP 800-63B. It works as a minimum for low-risk services, but for corporate, administrator, or financial accounts you should migrate to TOTP and, better still, to FIDO2 or passkeys.

What is phishing-resistant MFA?

It is MFA that cannot be intercepted or relayed by an intermediary. In practice that means FIDO2/WebAuthn (passkeys and security keys) or PKI with smart cards. Its strength lies in origin binding: the key only signs for the legitimate domain, so a phishing site gets nothing usable. It is CISA's recommendation for high-value accounts.

Does MFA replace the password?

With passkeys, it can. A passkey combines possession (the device) and inherence (local biometrics) without a memorised secret, so the password disappears. In classic deployments, by contrast, MFA is added to the password as a second factor. The 2026 trend is "passwordless first" wherever the application supports it, with a password fallback only on legacy systems.

Does NIS2 require MFA?

NIS2 does not spell out "MFA" in those letters, but its article 21.2 requires access control and robust authentication measures from essential and important entities, and in practice that translates into MFA for remote and privileged access. The ENS reinforces it in the OP.ACC domain. In an audit, not having MFA on critical access is a finding that is hard to justify today.

MFA with Secra

At Secra we help B2B organisations deploy and harden their authentication. As part of our managed cybersecurity we design the MFA model that fits your stack (Microsoft, Google, Okta, hybrid), prioritise privileged accounts with phishing-resistant factors, configure conditional access, and validate real resilience against MFA fatigue and AiTM phishing through controlled exercises.

If your organisation is evaluating an MFA rollout, a migration to passkeys, or alignment with NIS2 and the ENS, contact Secra and we will schedule an initial session with no commitment.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

Share article