Securing your digital identity can feel daunting—especially as data breaches, identity theft, and hacks become more common. But here’s some good news: There are steps you can take to greatly reduce the chances of your account being compromised, even if an attacker gets hold of your username and password. One increasingly popular method? Multifactor authentication (MFA), also known as two-step verification.
There are different ways to use MFA, and all of them can keep your accounts and personal information safer than relying on usernames and passwords alone. Here’s how multifactor authentication generally works to keep fraudsters from hijacking your online accounts.
What is Multifactor Authentication?
Multifactor authentication (MFA) is an identity verification method that relies on more than one type of authenticating information. If you’ve tried to log in to an account and had to enter a code that was sent to your phone or email, that’s a very basic form of MFA in action. Similarly, you’re using MFA when you use your debit card and PIN to withdraw cash from an ATM.
Why it’s important
Multifactor authentication is a simple way to help keep accounts, devices, and apps secure. The multi-pronged approach means that even if someone gets one set of credentials, such as your username and password, they won’t necessarily be able to log in to your account.
As data breaches have exposed millions of usernames, passwords, Social Security numbers, and other personally identifiable information (PII), adding extra authentication requirements is an essential part of internet safety. (You can check if your information has been compromised on haveibeenpwned.com.)
How it works
Multifactor authentication relies on a person knowing or having at least two different types of credentials. The commonly used authentication factors fall into three categories:
- Something you know (knowledge). Such as your username, password, PIN, or account number.
- Something you have (possession). Such as a mobile phone, card, or hardware token.
- Something you are (inherence). Such as biometric data from your fingerprint or retina.
For example, when you pay for gas at a gas station pump, you may need to insert or tap your card (something you have) and enter your billing address’s ZIP code (something you know). Or, if you’re making a purchase on a mobile device, you could need to know the account information to log in to the app store and verify the purchase using your fingerprint or face.
Multifactor vs. two-factor authentication (2FA)
In some cases, 2FA and MFA could refer to the same thing. However, two-factor authentication (2FA) is a type of MFA that requires two different authentication factors, while MFA could require more than two.
An account that has 2FA enabled is usually more secure than an account with single-factor authentication (SFA). However, adding more factors brings diminishing returns: beyond a point, each extra factor adds little security while making the account noticeably harder to use.
Multifactor vs. two-step authentication
Two-step authentication requires you to take an additional step to authenticate, but that step could be within the same type of authentication factor. For example, if you’re using airline miles to book a flight over the phone, the call center representative might ask you to confirm your account number, address, and email. This is an added step but all of the factors are part of the “something you know” category. This kind of two-step authentication—in which the steps in the authentication process are within the “knowledge” category—is known as a knowledge-based authentication (KBA) system.
Because the authentication steps are part of the same type, two-step is not as secure as 2FA or MFA.
Other types of MFA factors
The three categories of MFA factors—knowledge, possession, and inherence—are generally what you’ll encounter as a user.
However, some organizations use adaptive or risk-based authentication approaches. These may rely on contextual indicators or organizational rules to determine if and when they should ask someone for additional credentials. The approach can help businesses that want to stop scams and fraud, but don’t want legitimate customers to become so frustrated by the verification requirements that they stop using a product or service.
The additional MFA factors could include:
- Location. Such as where your device is located or what network it’s connected to when you try to log in to an account.
- Device details. Such as whether you’ve used this device to log in to the account before.
- Behavior. Such as when you’re trying to sign in or what you’re trying to access.
Adaptive and risk-based systems’ criteria may change over time, which is one reason you might be only required to use MFA on your first login attempt or when you get a new device. However, some accounts give you the option of requiring MFA with every login attempt.
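The following is an added illustration of how an adaptive, risk-based policy like the one described above can be expressed in code; it is not Neeva's code or any vendor's product. The signals (device recognition, country, time of day), the 30-day device trust period, and the "always require MFA" setting are assumptions drawn from the text, and every login in the walkthrough is constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple


@dataclass
class LoginAttempt:
    user: str
    device_id: str   # assumed: an identifier issued to the browser/app at enrolment
    country: str     # assumed: derived from the client IP address
    when: datetime   # timezone-aware


@dataclass
class UserHistory:
    trusted_devices: Dict[str, datetime] = field(default_factory=dict)  # device_id -> trust expiry
    usual_countries: Set[str] = field(default_factory=set)
    usual_hours: Set[int] = field(default_factory=set)   # UTC hours of past successful logins
    mfa_every_login: bool = False                        # the user-selectable "always ask" option


def make_attempt(user: str, device_id: str, country: str, iso_time: str) -> LoginAttempt:
    """Build an attempt from an ISO-8601 timestamp string (constructed input only)."""
    return LoginAttempt(user, device_id, country, datetime.fromisoformat(iso_time))


def assess(attempt: LoginAttempt, history: UserHistory) -> Tuple[str, List[str]]:
    """Decide 'allow' or 'require_mfa' and explain why, from contextual signals."""
    if history.mfa_every_login:
        return "require_mfa", ["user opted in to MFA on every login"]
    reasons: List[str] = []
    expiry = history.trusted_devices.get(attempt.device_id)
    if expiry is None:
        reasons.append("unrecognised device")
    elif attempt.when >= expiry:
        reasons.append("device trust expired")
    if history.usual_countries and attempt.country not in history.usual_countries:
        reasons.append("login from an unusual country")
    hour = attempt.when.astimezone(timezone.utc).hour
    if history.usual_hours and hour not in history.usual_hours:
        reasons.append("login at an unusual time of day")
    return ("require_mfa" if reasons else "allow"), reasons


def record_success(history: UserHistory, attempt: LoginAttempt, trust_days: int = 30) -> None:
    """After a successful MFA login: remember the device for trust_days and learn the context."""
    history.trusted_devices[attempt.device_id] = attempt.when + timedelta(days=trust_days)
    history.usual_countries.add(attempt.country)
    history.usual_hours.add(attempt.when.astimezone(timezone.utc).hour)


def demo() -> List[Tuple[str, List[str]]]:
    """Constructed walkthrough of one user's logins over a month."""
    hist = UserHistory()
    out = []
    first = make_attempt("alice", "laptop-1", "US", "2021-03-01T10:00:00+00:00")
    out.append(assess(first, hist))                 # nothing known yet -> MFA
    record_success(hist, first)                     # device trusted until 2021-03-31
    out.append(assess(make_attempt("alice", "laptop-1", "US", "2021-03-11T10:00:00+00:00"), hist))  # allow
    out.append(assess(make_attempt("alice", "phone-7", "US", "2021-03-11T10:00:00+00:00"), hist))   # new device
    out.append(assess(make_attempt("alice", "laptop-1", "US", "2021-03-06T03:00:00+00:00"), hist))  # odd hour
    out.append(assess(make_attempt("alice", "laptop-1", "US", "2021-04-01T10:00:00+00:00"), hist))  # trust expired
    return out


if __name__ == "__main__":
    for decision, why in demo():
        print(decision, why)
```

The point of returning the reasons alongside the decision is auditability: a step-up prompt that a support team can explain is far easier to tune than an opaque score, and the same reasons feed naturally into detection logs.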
How to set up MFA to help keep your accounts secure
Enabling MFA is an important step in protecting your identity and accounts. It’s a security feature offered by most email providers, banks, and other internet service providers who deal with sensitive personal information.
MFA is now a fairly standard requirement in the workplace, and it’s more essential than ever to implement in your personal internet usage as well. To do so, you’ll likely need to go into your account settings to manually enable it.
There are three popular additional verification methods you can usually choose from:
- Phone-based authentication. You receive a text message or an automated call containing a code. This tends to be the simplest additional verification method, but it’s not the most secure—because scammers may be able to use a SIM swap attack to have the text or call sent to their phone instead.
- Authenticator app. Some accounts have an accompanying verification app that you can install on your mobile device. Or, you may be able to use a free third-party app, such as Authy, Duo, Google Authenticator, or Microsoft Authenticator. The app may generate time-based one-time passwords (TOTPs) that change every 30 or 60 seconds, or it might send you a push notification allowing you to permit or deny the login request.
- Hardware tokens. Physical devices that need to be connected to your computer or that generate TOTPs. The advantage is that they don’t require a phone or internet connection. However, they’re usually not free, and there’s a risk that the device could be stolen or lost.
If your account already has your phone number listed, enabling MFA may be as simple as checking a box. Using authenticator apps or hardware tokens can be a little more difficult as you may need to install an app and scan a QR code or enter the code from the other device. However, those methods are more secure than text- or phone-based MFA.
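To make the authenticator-app method concrete, here is an added example (not code from the original article or from any of the apps named) of how the time-based one-time passwords it describes are generated and how a service should check them. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with Python's standard library, decodes the base32 secret that an enrolment QR code carries, and shows a server-side verifier that tolerates a little clock skew while rejecting replayed codes. The secret is the published RFC test-vector secret, so the expected codes are known; the user name and the one-step skew window are assumptions.

```python
import base64
import hmac
import struct
import time
from typing import Dict, Optional

# Constructed sample secret: the 20-byte ASCII secret from the RFC 4226/6238 test
# vectors, plus its base32 form as it would appear in a provisioning QR code.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = base64.b32encode(RFC_SECRET).decode()


def decode_secret(b32_secret: str) -> bytes:
    """Decode the base32 secret shown in an authenticator enrolment QR code."""
    s = b32_secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)          # restore padding that QR payloads usually omit
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    if now is None:
        now = int(time.time())
    return hotp(secret, now // step, digits)


class TotpVerifier:
    """Server-side check: accept codes within +/- `window` steps of the current time,
    but never accept a counter at or below the last one already used for that user,
    so a code captured in transit cannot be replayed during its validity period."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1) -> None:
        self.step, self.digits, self.window = step, digits, window
        self._last_counter: Dict[str, int] = {}   # user -> highest accepted counter

    def verify(self, user: str, secret: bytes, code: str, now: Optional[int] = None) -> bool:
        if now is None:
            now = int(time.time())
        if len(code) != self.digits or not code.isdigit():
            return False
        current = now // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self._last_counter.get(user, -1):
                continue                           # already consumed (replay) or stale
            # constant-time comparison so timing does not leak how many digits matched
            if hmac.compare_digest(hotp(secret, candidate, self.digits), code):
                self._last_counter[user] = candidate
                return True
        return False


if __name__ == "__main__":
    print("QR secret:", RFC_SECRET_B32)
    print("code at t=59:", totp(decode_secret(RFC_SECRET_B32), now=59))
    v = TotpVerifier()
    print("first use:", v.verify("alice", RFC_SECRET, totp(RFC_SECRET, now=59), now=89))
    print("replay:   ", v.verify("alice", RFC_SECRET, totp(RFC_SECRET, now=59), now=89))
```

Two details matter for defenders here: the skew window should stay small (one step either side is typical), because every extra step widens the set of codes an interceptor could use, and the last-accepted counter must be stored per user so a code that has already logged someone in is dead even while its 30-second slot is still open.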
Even with MFA turned on, you also need to be wary of social engineering attempts. An attacker might pose as a company representative and ask you to share your authentication code with them.
Pros and cons of multifactor authentication
The primary advantage of MFA is added security—but it’s not foolproof, and there is a usability downside.
Pros
- Adds a layer of security to your account.
- Decreases susceptibility to certain types of attacks and hacks.
- Doesn’t allow fraudsters to use information from a data breach alone to access accounts.
- You can use an offline hardware authenticator if you don’t have a reliable phone or internet connection.
Cons
- Can make logging in to your account more difficult.
- Some accounts don’t allow you to turn on MFA.
- Can still be susceptible to social engineering and some hacks.
- You may have to pay for authentication hardware devices.
While MFA is an advisable security measure, usage still isn’t widespread. A recent security report from Twitter found that while the company offers several MFA options, only 2.3% of active Twitter accounts had at least one form of MFA enabled from July to December 2020.
If you’re hesitant to sign up for MFA, consider some of the ways you can simplify the process:
- Verify your devices after using MFA to sign on. In some cases, you may be given the option to have the account remember your device for a specific period, such as 30 days. You won’t need to use MFA again until that period ends, or if someone tries to log in to the account from a different device.
- Use push authentication when it’s offered. Push notifications may be more secure than SMS-based authentication, and easier to use than apps that generate changing codes or hardware tokens.
- Enable SMS authentication. While it’s not the most secure option, it doesn’t require using any additional apps or devices, and for most people it’s sufficient.
Even if you’re not ready to turn MFA on for every account, consider using MFA for the accounts that contain your most sensitive personal and financial information, such as your online bank and credit card accounts.
Are you ready for a safer, more private search experience? Neeva is the world’s first private, ad-free search engine, committed to showing you the best result for every search. We will never sell or share your data with anyone, especially advertisers. Try Neeva for yourself, at neeva.com