Key points
- The three classic factor categories: knowledge (password), possession (phone, security key), inherence (biometric).
- Not all MFA is equal — SMS and TOTP are phishable; passkeys and FIDO2 hardware keys are phishing-resistant.
- CISA, NIST, and most cyber insurers now distinguish 'phishing-resistant MFA' as the only acceptable form for high-value access.
- MFA fatigue / push bombing attacks have made push-based MFA without number matching risky.
- Adaptive MFA only prompts for additional factors based on risk signals (new device, impossible travel, sensitive resource).
What is MFA?
Multi-factor authentication (MFA) is the requirement that a user present two or more independent factors before being granted access. The classic three categories from NIST SP 800-63:
- Knowledge — something you know (password, PIN, answer to a security question).
- Possession — something you have (phone, security key, smart card).
- Inherence — something you are (fingerprint, face, voice).
Two-factor authentication (2FA) is just MFA with exactly two factors. The terms are used interchangeably.
Why MFA matters
Microsoft has reported that MFA blocks more than 99% of automated account compromise attempts. Almost every major breach in the last decade traces back to either no MFA or weak MFA. Cyber insurance, SOC 2, HIPAA, PCI-DSS 4.0, and most enterprise procurement checklists now require MFA for privileged and remote access.
But "MFA enabled" is no longer enough. Attackers have adapted:
- SMS interception and SIM swap defeat SMS-based codes.
- Adversary-in-the-middle (AiTM) proxies like Evilginx defeat TOTP and most push approvals.
- MFA fatigue / push bombing spams the user with push notifications until they accidentally approve.
This is why CISA and NIST now talk about phishing-resistant MFA as a separate category.
MFA factor strength, ranked
From weakest to strongest:
- SMS / voice OTP — phishable, SIM-swappable. Better than nothing, not acceptable for privileged access.
- TOTP apps (Google Authenticator, Authy) — phishable via AiTM, but immune to SIM swap.
- Push notification (basic) — vulnerable to push bombing.
- Push with number matching — significantly harder to fatigue-attack.
- Passkeys / FIDO2 security keys — phishing-resistant by design. The gold standard.
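Why a relayed TOTP code still verifies while a relayed FIDO2 assertion does not, as an added Python illustration that is not part of this page: a constructed AiTM proxy at bank-login.example forwards each factor to the real relying party bank.example. The per-credential HMAC stands in for the authenticator's public-key signature, and the browser's RP ID check plus the relying party's origin check are a simplified model of WebAuthn, not a library API; both are assumptions of this example.

```python
import hashlib, hmac, json, secrets, struct

RP_ID, RP_ORIGIN = "bank.example", "https://bank.example"   # the real relying party

# TOTP (RFC 6238): the code is bound to time only, never to the site it was typed into
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def rp_verify_totp(secret: bytes, submitted: str, t: int) -> bool:
    return hmac.compare_digest(totp(secret, t), submitted)

# FIDO2/WebAuthn-style assertion, simplified: HMAC with a per-credential key stands in
# for the authenticator's private-key signature; the property shown is origin binding.
def browser_sign(cred_key: bytes, rp_id: str, challenge: str, visited_origin: str):
    host = visited_origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        return None   # browser refuses: the page asked for an RP ID it may not use
    # The browser, not the page, records the origin it is actually connected to.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": visited_origin}).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    sig = hmac.new(cred_key, rp_id_hash + hashlib.sha256(client_data).digest(), hashlib.sha256)
    return {"client_data": client_data, "rp_id_hash": rp_id_hash, "sig": sig.digest()}

def rp_verify_assertion(cred_key: bytes, issued_challenge: str, a) -> bool:
    if a is None:
        return False
    cd = json.loads(a["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != issued_challenge:
        return False   # replayed or stale challenge
    if cd.get("origin") != RP_ORIGIN:
        return False   # signed while the user was on some other site
    if a["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = a["rp_id_hash"] + hashlib.sha256(a["client_data"]).digest()
    return hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(), a["sig"])

def relay_scenarios() -> dict:
    """Constructed AiTM scenario: a proxy at https://bank-login.example relays each factor."""
    totp_secret, cred_key = secrets.token_bytes(20), secrets.token_bytes(32)
    now, challenge, proxy = 1_700_000_000, secrets.token_urlsafe(32), "https://bank-login.example"
    def sign(rp_id, origin): return browser_sign(cred_key, rp_id, challenge, origin)
    def accept(a): return rp_verify_assertion(cred_key, challenge, a)
    return {
        # TOTP: user types the code into the proxy page; forwarded unchanged, it verifies
        "totp_relayed": rp_verify_totp(totp_secret, totp(totp_secret, now), now),
        # WebAuthn: proxy relays the real challenge and RP ID; the browser refuses outright
        "assertion_relayed": accept(sign(RP_ID, proxy)),
        # proxy requests its own RP ID instead: browser signs, but the RP rejects it
        "assertion_proxy_rpid": accept(sign("bank-login.example", proxy)),
        "assertion_direct": accept(sign(RP_ID, RP_ORIGIN)),
    }
```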
When buyers care
You need MFA — and increasingly, phishing-resistant MFA — when:
- You're running anything resembling Zero Trust.
- Your cyber insurance renewal asks for it (most do now).
- You're handling PHI, payment data, or customer PII.
- You have privileged accounts that can move money or access production data — see PAM.
- You're a SaaS vendor whose enterprise buyers will refuse to deploy without MFA support.
Common pitfalls
- Allowing SMS as the only second factor for privileged accounts.
- Self-service or help-desk MFA resets with weak identity verification — a major social engineering vector. Require step-up verification before any reset.
- No fallback path — when the only registered factor is a lost phone, recovery becomes a help-desk security hole.
- Treating SSO as MFA. SSO concentrates risk; MFA at the IdP is what makes it safe.
FAQ
Is a password + a security question MFA?
Technically no — both are knowledge factors. NIST and most auditors don't count it.
Should I move from TOTP to passkeys?
For high-value access and for any workforce that handles real money or data, yes. For consumer apps, offering passkeys as a faster, more secure alternative is increasingly table stakes.
What is adaptive MFA?
A policy that decides when to require MFA based on context: new device, unusual location, access to a sensitive resource, or a high risk score. This reduces user friction without weakening security.
