What is multi-factor authentication (MFA / 2FA)?
Multi-factor authentication (MFA) requires more than just a password for sign-in: it combines at least two independent factors, such as knowledge (a password) and possession (a one-time code generated on a smartphone). Two-factor authentication (2FA) is the special case with exactly two factors. Because an attacker then needs more than a stolen or guessed password, unauthorised access becomes considerably harder.
Also known as: MFA · 2FA · two-factor authentication · OTP · one-time password
Where MFA / 2FA is used
MFA protects sign-ins in case a password is stolen or guessed. The factors come from three categories: knowledge (password), possession (smartphone, hardware token) and inherence (fingerprint, face). Typically two of them are combined, and they must come from different categories: a password plus a second password is not MFA. Only this combination makes access significantly harder to attack, because each factor has to be compromised separately.
A common second factor is a time-based one-time password (TOTP, usually just called OTP) from an authenticator app: a six-digit code derived from a secret shared at enrolment and the current 30-second time step, so a captured code is only useful for a short time. Recovery codes are issued in addition, in case the second factor is lost; each code is single-use and the server stores only a hash of it. Modern methods such as passkeys go even further but are deliberately introduced in a staged way depending on a project's maturity.
A practical example
For a SaaS platform, sign-in is secured with MFA: after username and password, users confirm their identity via a time-based one-time password (OTP). In case the second factor is lost, recovery codes are available. More convenient but more complex methods such as passkeys are deliberately disabled at first to keep the launch simple and controlled.
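The server side of that flow, written out as an added example that is not code from the original page, from smiit or from Keycloak (which performs these checks for you in the setup described here): an RFC 4226/6238 one-time-password routine, checked against the published RFC test vectors, plus an illustrative `OtpVerifier` class that shows what an identity provider has to get right: a small clock-skew window, rejection of a code that was already used, and recovery codes that are stored hashed and burned after one use. The class name, its methods and the 64-bit recovery-code format are assumptions for this example.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the current time step (default 30 s)."""
    return hotp(secret, unix_time // period, digits)


class OtpVerifier:
    """Illustrative server-side second-factor state for one user (hypothetical class,
    not a Keycloak API): TOTP check with a small clock-skew window, replay protection
    per time step, and hashed single-use recovery codes."""

    def __init__(self, secret: bytes, period: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.period = period
        self.digits = digits
        self.window = window            # accept +/- this many time steps of clock skew
        self.last_step_used = -1        # highest time step already consumed by a login
        self.recovery_hashes = set()    # SHA-256 of unused recovery codes; plaintext is never stored

    def verify_totp(self, code: str, unix_time: int) -> bool:
        # Reject anything that is not exactly `digits` ASCII digits before doing any crypto.
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        step = unix_time // self.period
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_step_used:
                continue                # step already used: a captured code cannot be replayed
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_step_used = candidate
                return True
        return False

    def issue_recovery_codes(self, count: int = 10) -> list:
        # 64 random bits per code. Because the codes are high-entropy and the login
        # endpoint is assumed to be rate-limited (not shown), a plain SHA-256 rather
        # than a slow password hash is adequate here.
        codes = [secrets.token_hex(8) for _ in range(count)]
        self.recovery_hashes = {hashlib.sha256(c.encode()).digest() for c in codes}
        return codes                    # shown to the user once; only the hashes remain server-side

    def redeem_recovery_code(self, code: str) -> bool:
        normalised = code.strip().replace("-", "").lower()
        digest = hashlib.sha256(normalised.encode()).digest()
        if digest in self.recovery_hashes:
            self.recovery_hashes.discard(digest)   # single use: burn the code on success
            return True
        return False
```

With the RFC 6238 test secret `b"12345678901234567890"`, `totp(secret, 59)` returns `287082` and `totp(secret, 1234567890)` returns `005924`, which matches the vectors in the RFC. Note the replay rule: once a code for a time step has been accepted, the same code is refused for the rest of the skew window, so a one-time password captured by a phishing page is useless the moment the legitimate user has logged in with it (and, conversely, is still usable if the attacker relays it first, which is the real-time proxy problem discussed under the misconceptions below).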
How it relates & how smiit uses it
2FA is the special case of MFA with exactly two factors; MFA is the umbrella term. MFA is closely linked to IAM and Keycloak, since the identity solution enforces the additional factors, and it is a central building block of IT security. For Claimity AG, smiit implemented MFA via OTP with recovery codes and deliberately disabled passkeys at first — a pragmatic, secure configuration through Keycloak.
Common mistakes & misconceptions
- MFA and 2FA are often treated as the same; strictly speaking 2FA is a special case of MFA using exactly two factors, while MFA covers two or more.
- Many consider SMS codes secure; however, they are vulnerable to SIM swapping and interception and are regarded as the weakest MFA factor compared to app or hardware tokens.
- There is a misconception that MFA makes phishing impossible. Modern attacks bypass it through MFA fatigue (flooding the user with push prompts until one is approved out of annoyance) or real-time phishing proxies (an adversary-in-the-middle site that relays the password and OTP to the real service and captures the resulting session), which is why phishing-resistant methods such as passkeys matter.
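As an added example that is not part of the original page: a small detection routine for the MFA-fatigue pattern just described, run over constructed sample log lines. The log format, field names and thresholds are assumptions for this example, not any real product's schema; the point is the logic, which flags a user who receives more push challenges than expected within a short window and raises the severity when an approval follows a run of denials or timeouts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example; the format is hypothetical, not any
# vendor's real log schema. Each line is one push challenge sent to a user.
SAMPLE_LOG = """\
2024-03-01T08:00:05Z user=alice event=mfa_push result=denied ip=203.0.113.7
2024-03-01T08:00:41Z user=alice event=mfa_push result=denied ip=203.0.113.7
2024-03-01T08:01:12Z user=bob event=mfa_push result=approved ip=198.51.100.23
2024-03-01T08:01:30Z user=alice event=mfa_push result=timeout ip=203.0.113.7
2024-03-01T08:02:02Z user=alice event=mfa_push result=denied ip=203.0.113.7
2024-03-01T08:02:55Z user=alice event=mfa_push result=denied ip=203.0.113.7
2024-03-01T08:03:40Z user=alice event=mfa_push result=approved ip=203.0.113.7
2024-03-01T09:30:00Z user=carol event=mfa_push result=denied ip=192.0.2.50
2024-03-01T09:45:00Z user=carol event=mfa_push result=approved ip=192.0.2.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push result=(?P<result>\S+) ip=(?P<ip>\S+)$"
)


def parse_push_events(text: str) -> list:
    """Parse the constructed log format into dicts; lines that are not push events are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "result": m["result"],
            "ip": m["ip"],
        })
    return events


def detect_mfa_fatigue(events: list, window=timedelta(minutes=10), max_prompts: int = 4) -> list:
    """Flag users who receive more than `max_prompts` push challenges within `window`.
    Severity is 'high' when the window ends with an approval after rejected prompts,
    the classic fatigue outcome; otherwise 'medium'. One alert per user, the worst one."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        best = None
        start = 0
        for end, e in enumerate(evs):
            while evs[start]["ts"] < e["ts"] - window:   # slide the window forward
                start += 1
            run = evs[start:end + 1]
            if len(run) <= max_prompts:
                continue
            rejected = sum(1 for r in run if r["result"] in ("denied", "timeout"))
            high = e["result"] == "approved" and rejected > 0
            candidate = {
                "user": user,
                "prompts": len(run),
                "rejected": rejected,
                "severity": "high" if high else "medium",
                "at": e["ts"],
            }
            rank = (2 if high else 1, len(run))
            if best is None or rank > best[0]:
                best = (rank, candidate)
        if best is not None:
            alerts.append(best[1])
    return alerts
```

On the sample above only `alice` is flagged: six prompts in under four minutes, five of them rejected, followed by an approval, so the alert is rated high. `carol` has two prompts fifteen minutes apart and never exceeds the threshold. In a real deployment the same rule would also be worth correlating with the source IP, since the requests in a fatigue attack come from the attacker's address, not the user's.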
Frequently asked questions
What is the difference between MFA and 2FA?
2FA uses exactly two factors, MFA at least two and is therefore the umbrella term. Every 2FA is an MFA, but MFA can also involve more than two factors.
What happens if I lose my second factor?
For that there are recovery codes, generated during setup and kept securely, for instance in a password manager or printed and stored offline. Each code works only once, so access can be restored without fundamentally weakening security; after using one, the second factor should be re-enrolled so that the remaining codes are not the only way in.
Is an SMS secure enough as a second factor?
SMS codes are better than no second factor at all, but they are considered less secure because they can be intercepted, for instance by having the phone number redirected to an attacker's SIM (SIM swapping) or by phishing the code itself. Authenticator apps with time-based one-time passwords or methods such as passkeys offer a higher level of protection.
What are passkeys and how do they differ from an OTP?
Passkeys are a passwordless method based on cryptographic key pairs (FIDO2/WebAuthn): the private key stays on the device and signs a challenge that is bound to the website's origin, so no code is typed and a response captured by a phishing site cannot be replayed elsewhere. That is why they are more resistant to phishing than a time-based one-time password (OTP), but they require supporting devices and a little more setup effort.
Is MFA worthwhile for small teams too?
Yes. Protection against stolen or guessed passwords is valuable regardless of team size, and the setup effort is low. Especially for accounts with access to sensitive data, MFA is considered one of the most effective and inexpensive measures.