Multi-Factor Authentication (MFA)

What is Multi-Factor Authentication and Why Should You Use It?

Multi-Factor Authentication (MFA) can feel like an extra step when you are simply trying to log in.

You may need to wait for a text message, open an authenticator app, or approve a notification on your phone. It can add a few seconds when all you want to do is check your balance, shop online or pay a bill.

Those few seconds, however, can make the difference between keeping your account secure and becoming a victim of cybercrime.
Passwords alone are no longer enough. MFA adds another layer of protection, making it much harder for criminals to access your accounts—even if they already know your password.

Here is what MFA is, how it works, and which authentication methods offer the strongest protection.


What is MFA?

Multi-Factor Authentication (MFA) is a security process that requires two or more forms of verification before granting access to an account.

 

You may also hear the term 2FA (Two-Factor Authentication). While 2FA specifically uses two verification methods, MFA is a broader term that includes two or more factors.

Authentication factors generally fall into three categories:

  • Something you know: A password, PIN or security question.
  • Something you have: A mobile phone, hardware security key or smart card.
  • Something you are: Biometrics like a fingerprint, face scan or voice recognition.
By combining multiple factors, MFA creates additional layers of security that help confirm you're really the right person trying to access the account.
 

Why MFA Matters

Cybercriminals use phishing emails, malware, data breaches, and other scams to steal usernames and passwords. Once they have your password, accessing your account can be surprisingly easy—unless MFA is enabled.

A 2023 Microsoft study showed how effective MFA can be:

  • 99.99% of automated account attacks were blocked on MFA-protected accounts.
  • MFA reduced the risk of account compromise by 98.56%, even when login credentials (usernames, passwords, etc.) had already been exposed.
  • Authentication apps, passkeys, and biometrics provided stronger protection than SMS text messages, although any MFA is far better than none.
MFA creates what security experts call “acceptable friction.” The extra verification step makes your account a less attractive target and may cause attackers to move on to someone with weaker security.

For the full Microsoft study, see MFA-Microsoft-Research-Paper-update.pdf.
 

How Criminals Try to Bypass MFA

MFA comes in different forms, but not all MFA methods are created equal. Some are far more resistant to phishing, social engineering, and technical exploits.

While MFA dramatically improves your security, no authentication method is completely foolproof. Criminals continue to develop techniques to trick users into approving unauthorized login attempts.

Here are some of the most common attacks:

Phishing Attackers trick users into revealing credentials and MFA codes or approving MFA requests through fake login pages, SMS, or emails. Phishing can take many forms. Learn more about Phishing and how to protect yourself at Spot Phishing.
SIM Swapping A criminal convinces your mobile carrier to transfer your phone number to a device they control, allowing them to receive your text message verification codes or push-based MFA codes.
MFA Fatigue or Push Bombing Attackers flood users with MFA notifications hoping the user will just get tired of it and approve the login attempt out of frustration or confusion.
Man-in-the-Middle Attacks Cybercriminals intercept information between you and a website using fake Wi-Fi networks or fraudulent websites, allowing them to capture login credentials and authentication tokens.

Understanding these tactics can help you recognize suspicious activity before it becomes a problem.
 

Comparing Common MFA Methods

Not every MFA option provides the same level of protection. Here's how they compare.

MFA Method Security Level Pros Cons
Email, Text Message (SMS) and Voice-Based MFA
A one-time PIN (OTP) is sent to your email address or mobile phone.
Basic
  • Familiar and easy to use.
  • Supported by most websites.
  • Vulnerable to phishing attacks.
  • Can be intercepted through SIM swapping.
  • If your email account is compromised, attackers may gain access to verification codes, password reset emails and everything else in your email account.
Authenticator Apps / App-Based One-Time PIN
Apps such as Microsoft Authenticator, Google Authenticator, Authy or Okta generate time-based verification codes on your device.
Good
  • More secure than text messages.
  • Free and widely available.
  • Not dependent on your mobile carrier.
  • Requires opening a separate app.
  • Codes can still be stolen through sophisticated phishing attacks.
Push Notifications
Instead of entering a code, you simply approve or deny a login request from your phone.
Better
  • Fast and convenient.
  • Often allows approval using biometrics or a PIN.
  • Can be abused through MFA fatigue attacks if users approve unexpected requests.
Hardware Security Keys
A small physical device is plugged into or tapped against your computer or phone during login.
Excellent
  • Extremely resistant to phishing.
  • Uses advanced cryptographic protection.
  • One of the strongest MFA options available.
  • Must be purchased.
  • Easy to misplace if not kept secure.
  • Setup can be challenging for non-technical users, and getting locked out of the key may make account recovery difficult or impossible.
Passkeys and FIDO2
Passkeys eliminate passwords entirely by using cryptographic keys securely stored on your device and verified with your fingerprint, face or PIN.

Learn more about Passkeys at Meet Passkeys.
Best Available
  • No passwords to steal.
  • Highly resistant to phishing.
  • Uses devices you already own.
  • Fast and simple once configured.
  • Not yet supported by every website or service.
 

The Bottom Line

If you have not enabled Multi-Factor Authentication yet, now is the time.

Even the simplest form of MFA can dramatically reduce your risk of account compromise. Whenever possible, choose stronger options such as authenticator apps, passkeys, or hardware security keys.

Most importantly, remember:

A legitimate financial institution, retailer or online service will never ask for your password, PIN or MFA verification code. If someone contacts you requesting that information, it is almost certainly a scam.

That small pause during login is a simple but powerful way to protect your personal information and your finances.