Security Answers in Plain English: What is Multi-Factor (or Two-Factor) Authentication?

January 9, 2018


What is Multi-Factor (or Two-Factor) Authentication?

"Companies like SecureAuth provide multi-factor authentication when I log in, and my bank and other websites have started using it.  What is it, exactly, and why do I need to take an extra step?"

Your bank, Facebook, and lots of other sites (including your company) are using multi-factor authentication (MFA) to make your systems and online activity more secure.  At its heart, MFA is simply a way to help ensure that the person trying to log into a resource is who they say they are, by going beyond the username and password alone.

Here's how it works:

1 - You go to log into a site or application.  You provide your username and password (sometimes just the username).

2 - Your login request is routed to a system to see if it knows who you are already.  Some characteristics which may be checked are: The device you're currently using, your physical location, if you are connecting over a Virtual Private Network (VPN), if you're using an anonymizing service like TOR or others, etc.

3 - If the system cannot confirm that you are who you appear to be, or if there's any question as to you being who you are, then it asks you to provide another factor (which is where Multifactor Authentication gets its name) to prove your identity.  Factors range from a One Time Passcode (OTP) that can be delivered by text message or read from a smartphone app, a push request sent to your smartphone or some other challenge that requires you have some other device in your physical possession.

4 - If you didn't get asked for your password before, you enter it now.

5 - You're successfully logged in.

Multifactor Authentication is based on the idea that in addition to something you know (your username and password), you also prove who you are with something you have (a smartphone, etc.) or something you physically are (a fingerprint, facial recognition, etc.).  The combination of these factors helps to ensure that the person typing in the username and password is who they say they are because they also have access to the additional factor.

The reason MFA is becoming popular is because usernames and passwords aren't particularly secure anymore. Not only do people re-use passwords on multiple sites, but many also choose passwords that are either easy to guess or are short enough to be guessed by trial-and-error.  Since a simple username and password combination is no longer enough to prove identity, looking for some other factor is a logical next step.  We carry mobile or smartphones with us everywhere these days; so text messages with an OTP or an app that can receive a push alert are popular MFA options that don’t inconvenience the user. Smartphones are also quickly becoming capable of using fingerprints and other biometrics as identity factors - and as such, sites and applications are beginning to accept those for MFA too.

Note that some systems don't check to see if they recognize you before prompting for MFA, so you might get challenged every time you log in.  That's inconvenient, so more and more systems are switching to a more adaptive authentication workflow. That means users go through fewer MFA challenges while not sacrificing security.

MFA systems are becoming more and more popular as passwords get less and less secure, so don't be surprised if sites and companies that didn't use them before start using them now.  If your IT department needs you to use MFA for corporate access, they're trying to keep your data and your identity safe.  It only takes a few extra seconds, but can save the company millions by avoiding a data breach.

Security Answers in Plain English is a regular column here on the SecureAuth blog, aimed to help end-users understand why IT Security enforces policies and how to best protect themselves in a digital world. If you have a question for this blog, email us at and let us know!


  • Product: IdP

Suggested reads

Ready for a Demo?

Eliminate identity-related breaches with SecureAuth!