Multi-Factor Authentication (MFA)


Summary Definition: A cybersecurity measure requiring users to provide two or more verification factors to log into an account, system, or network.


What is MFA?

Multi-factor authentication (MFA) is a form of cybersecurity that requires users to verify their identity using two or more authentication factors before accessing an account, system, or network.

The factors must come from different categories: something the user knows (e.g., a password or memorized PIN), something the user has (e.g., a hardware security key or an authenticator app that generates one-time codes), and something the user is (e.g., a fingerprint). Two credentials from the same category, such as a password plus a security question, do not make a login multi-factor.

When exactly two factors are used, MFA is also called two-factor authentication (2FA) or dual-factor authentication. Either way, it significantly reduces the risk of unauthorized access and protects sensitive data against threats such as password breaches and credential stuffing.

Key Takeaways

  • Multi-factor authentication is an added layer of cybersecurity requiring users to provide additional credentials when logging into an account or system.
  • Examples of additional factors include a security question answer, a fingerprint, a hardware security key, or a temporary code from an authenticator app.
  • Push-notification MFA remains susceptible to social engineering such as MFA fatigue, in which the user is pressured into approving a prompt; phishing-resistant methods such as hardware security keys present no prompt to approve and are not exposed to this attack.

Why Does Multi-Factor Authentication Matter?

Multi-factor authentication is an essential safeguard against increasingly capable and advanced online threats. Since passwords can be guessed, stolen, or reused across multiple sites, cybercriminals frequently exploit them to breach accounts.

MFA security addresses and reduces this risk by requiring additional verification steps (e.g., a fingerprint, security key, or one-time code), thus making it significantly harder for attackers to succeed, even if they have a password.

In other words, this extra layer of security further protects sensitive personal and business data, including HR or payroll information. This is why business partners or service providers prioritizing data security and privacy sometimes integrate robust MFA solutions into broader access management tools.

How Multi-Factor Authentication Works

Multi-factor authentication requires the use of additional credentials to verify a user’s identity. The process begins with users entering standard login credentials (i.e., username and password). If correct, the system will prompt for an additional authentication factor depending on the type of MFA setup.

Once verified, users can often speed up future logins by telling the MFA system to remember the current device or browser as "trusted", which skips the second-factor prompt on that device for a set period. Because anyone using that device or browser profile inherits the exemption, the remembered-device token should expire and be revocable.
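The two-step flow described above, as an added example that is not part of the original page: a password (knowledge factor) is checked first, then a time-based one-time code (possession factor) as generated by an authenticator app. The code follows RFC 4226/6238 (HMAC-SHA1, 30-second steps, 6 digits); the password hashing parameters, the user record layout and the demo secret (the RFC 6238 test-vector seed) are assumptions made for this example, and the one-step drift window and replay check are the practitioner's additions a real verifier needs.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo secret: the RFC 6238 test-vector seed, never a real credential.
TOTP_SECRET = b"12345678901234567890"
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_counter(at_time: float, step: int = 30) -> int:
    """RFC 6238 time counter: whole time steps elapsed since the Unix epoch."""
    return int(at_time // step)


def verify_totp(secret: bytes, code: str, at_time: float, last_counter: int = -1,
                step: int = 30, window: int = 1):
    """Return the counter the code matched, or None.

    Codes from the current step and `window` steps either side are accepted to
    absorb clock drift, but never a counter at or below `last_counter`, so a
    code that was already used (or intercepted) cannot be replayed within its
    validity window.
    """
    base = totp_counter(at_time, step)
    matched = None
    for delta in range(-window, window + 1):
        candidate = base + delta
        if candidate <= last_counter:
            continue
        # compare_digest keeps comparison time independent of where the inputs differ
        if hmac.compare_digest(hotp(secret, candidate), code):
            matched = candidate
    return matched


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, hash) for storage."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(salt: bytes, expected: bytes, password: str) -> bool:
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(actual, expected)


def new_user(password: str, totp_secret: bytes) -> dict:
    """Hypothetical user record: password hash plus the enrolled TOTP seed."""
    salt, pw_hash = hash_password(password)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret, "last_counter": -1}


def login(user: dict, password: str, code: str, now: float) -> str:
    """Knowledge factor first, then the possession factor; both must pass."""
    if not verify_password(user["salt"], user["pw_hash"], password):
        return "denied: bad password"
    counter = verify_totp(user["totp_secret"], code, now, user["last_counter"])
    if counter is None:
        return "denied: bad or replayed code"
    user["last_counter"] = counter  # remember it so the same code cannot be used twice
    return "ok"


if __name__ == "__main__":
    alice = new_user("correct horse battery staple", TOTP_SECRET)
    code = hotp(TOTP_SECRET, totp_counter(59))  # what the app would show at t=59
    print(login(alice, "correct horse battery staple", code, 59))  # ok
    print(login(alice, "correct horse battery staple", code, 59))  # replay is denied
```

The replay check matters more than it looks: a one-time code stays valid for the whole step plus the drift window, so a verifier that only compares digits will happily accept a code an attacker phished a minute ago.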

MFA Fatigue

While formidable, multi-factor authentication is still susceptible to social engineering, and push-based approval is the usual target. In an MFA fatigue attack (also called MFA bombing), an attacker who already holds the victim's password repeatedly starts logins, so the identity provider sends the victim a stream of genuine approval prompts.

The attacker floods the user with these prompts, typically push notifications, hoping the target eventually approves one out of annoyance or on the assumption that it is a routine request. The tactic exploits human error rather than a technical vulnerability.

Organizations can mitigate such attacks by educating users on legitimate MFA flows and on reporting unexpected prompts, and by hardening the flow itself: number matching (the user must type a number shown on the login screen into the app, so a blind approval is not possible), a cap on the number of prompts per login attempt, and, for high-value accounts, phishing-resistant factors such as hardware security keys that have no prompt to approve.
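Detection is the other half of the mitigation. The following is an added example, not code from the page: it runs over a constructed push-MFA audit log and raises an alert when one user receives a burst of prompts inside a short window, and a second, higher-severity alert when that user approves a prompt while the burst is still in progress. The log line format, the five-prompts-in-ten-minutes threshold and the field names are assumptions for the example; map them onto whatever your identity provider actually emits.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (not real data): jdoe is bombed with prompts from a
# single source address and finally approves one; asmith is an ordinary login.
SAMPLE_LOG = """\
2024-03-01T02:14:03Z user=jdoe event=push_sent src=203.0.113.7
2024-03-01T02:14:20Z user=jdoe event=push_denied src=203.0.113.7
2024-03-01T02:15:02Z user=jdoe event=push_sent src=203.0.113.7
2024-03-01T02:15:40Z user=jdoe event=push_denied src=203.0.113.7
2024-03-01T02:16:11Z user=jdoe event=push_sent src=203.0.113.7
2024-03-01T02:16:30Z user=asmith event=push_sent src=198.51.100.23
2024-03-01T02:16:41Z user=asmith event=push_approved src=198.51.100.23
2024-03-01T02:17:05Z user=jdoe event=push_sent src=203.0.113.7
2024-03-01T02:18:19Z user=jdoe event=push_sent src=203.0.113.7
2024-03-01T02:19:33Z user=jdoe event=push_sent src=203.0.113.7
2024-03-01T02:20:47Z user=jdoe event=push_approved src=203.0.113.7
""".splitlines()


def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_mfa_fatigue(lines, threshold: int = 5, window: timedelta = timedelta(minutes=10)):
    """Return a list of (user, kind, detail) alerts.

    kind == "burst": at least `threshold` push prompts to one user inside `window`,
    the signature of an attacker replaying a stolen password.
    kind == "approved_after_burst": the user approved a prompt while a burst was
    still in progress, so the attack probably succeeded and the new session
    should be revoked and the password reset.
    """
    recent = defaultdict(deque)  # user -> timestamps of push_sent still inside the window
    in_burst = set()             # users already alerted for the current burst
    alerts = []
    for ev in (parse_line(line) for line in lines if line.strip()):
        user, ts = ev["user"], ev["ts"]
        prompts = recent[user]
        while prompts and ts - prompts[0] > window:  # slide the window forward
            prompts.popleft()
        if ev["event"] == "push_sent":
            prompts.append(ts)
            if len(prompts) >= threshold:
                if user not in in_burst:  # alert once per burst, not once per prompt
                    in_burst.add(user)
                    alerts.append((user, "burst",
                                   f"{len(prompts)} push prompts within {window} from {ev['src']}"))
            else:
                in_burst.discard(user)  # quiet again; a later burst alerts afresh
        elif ev["event"] == "push_approved" and len(prompts) >= threshold:
            alerts.append((user, "approved_after_burst",
                           f"approval at {ts.isoformat()} after {len(prompts)} prompts"))
    return alerts


if __name__ == "__main__":
    for user, kind, detail in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"[{kind}] {user}: {detail}")
```

Denied prompts are deliberately not counted: the attacker controls how many prompts are sent, the victim only controls how many are denied, so the number sent is the reliable signal.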

Types of MFA

Authentication factors generally fall into one of three categories, based on whether the credential is something the user knows, has, or is. A login is multi-factor only when it combines factors from at least two of these categories; requiring several credentials from the same category adds little, since one attack (a phishing page, a stolen phone) tends to capture all of them.

Knowledge Factor: something the user knows
  • Secondary PIN or code
  • Security question answer
Possession Factor: something the user has
  • Code generated by an authenticator app
  • One-time code sent by text message or email (the weakest option here: it can be phished, and SMS can be redirected by SIM swapping)
  • Hardware security key or token that must be plugged into, or held near, the device
Inherence Factor: a physical characteristic of the user
  • Facial recognition
  • Fingerprint

Adaptive MFA

Unlike standard MFA programs, which apply the same verification factors to all users, adaptive multi-factor authentication (a.k.a. risk-based authentication) evaluates contextual factors to determine a login attempt’s risk level and corresponding security requirements. Such factors can include the login’s:

  • Geolocation
  • Device type
  • IP address
  • Time of access

For example, if a user logs in from a trusted device at their usual time and place, they may only need to enter their password. If the system instead sees a login attempt from an unfamiliar country or an unknown device, it requests additional factors, and it can step up to a stronger factor (or block the attempt outright) as more risk signals accumulate.
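A minimal risk engine for the policy just described, added here as an example and not taken from the page or any vendor's product. It scores an attempt on the four signals the page lists and additionally on "impossible travel" (a country change too soon after the previous login, which the same geolocation and time-of-access data make possible), then maps the score to the factors required. The signal weights, thresholds, profile fields and factor names are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Profile:
    """What the system has learned about a user's normal logins (assumed fields)."""
    usual_countries: frozenset
    known_devices: frozenset
    usual_hours: range        # local hours (0-23) the user normally signs in
    last_country: str
    last_login: datetime


@dataclass(frozen=True)
class Attempt:
    """Context observed for the login being evaluated."""
    country: str
    device_id: str
    ip_on_denylist: bool
    at: datetime


def score_attempt(profile: Profile, attempt: Attempt):
    """Return (risk score, reasons). Weights are assumptions; tune them per deployment."""
    score, reasons = 0, []

    def add(points: int, why: str):
        nonlocal score
        score += points
        reasons.append(why)

    if attempt.country not in profile.usual_countries:
        add(40, "unfamiliar country")
    if attempt.device_id not in profile.known_devices:
        add(30, "unknown device")
    if attempt.ip_on_denylist:
        add(40, "source IP on denylist")
    if attempt.at.hour not in profile.usual_hours:
        add(15, "outside usual hours")
    # Impossible travel: a different country less than two hours after the last login.
    if attempt.country != profile.last_country and attempt.at - profile.last_login < timedelta(hours=2):
        add(50, "impossible travel")
    return score, reasons


def required_factors(score: int) -> str:
    """Map the score to the authentication the attempt must complete."""
    if score >= 90:
        return "block"                       # too risky to let any factor rescue it
    if score >= 50:
        return "password+security_key"       # phishing-resistant factor only
    if score >= 20:
        return "password+otp"                # ordinary second factor
    return "password"                        # trusted context: password alone


def decide(profile: Profile, attempt: Attempt):
    score, reasons = score_attempt(profile, attempt)
    return required_factors(score), score, reasons


# Constructed example profile: a US-based user on one known laptop, office hours.
ALICE = Profile(frozenset({"US"}), frozenset({"laptop-01"}), range(8, 19),
                "US", datetime(2024, 3, 1, 9, 0))

if __name__ == "__main__":
    for attempt in (
        Attempt("US", "laptop-01", False, datetime(2024, 3, 1, 10, 0)),   # routine
        Attempt("US", "phone-new", False, datetime(2024, 3, 1, 10, 0)),   # new device
        Attempt("RO", "unknown", False, datetime(2024, 3, 2, 3, 0)),      # new country, odd hour
        Attempt("RO", "unknown", False, datetime(2024, 3, 1, 10, 30)),    # 90 min after a US login
    ):
        print(decide(ALICE, attempt))
```

Note that a clean score does not mean the login is safe, only that no signal fired; attackers using the victim's own compromised laptop from their home network look routine to this engine, which is why the password-only path should still be limited to low-value access.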
