What is MFA (Multi-Factor Authentication): a complete guide

LoginMaster

MFA (Multi-Factor Authentication) is a security method that requires two or more independent proofs to verify the identity of whoever is signing in, so that a stolen password alone is not enough to get in.

What is multi-factor authentication

With a password alone, access depends on a single secret: if it is guessed, reused or stolen through phishing, the account is compromised. MFA adds one or more verification factors of a different nature: even if an attacker knows the password, they lack the second factor needed to complete the sign-in. It is one of the controls with the best ratio of effort to risk reduction.

The three authentication factors

An authentication factor always belongs to one of these three categories. MFA's strength lies in combining different categories: two passwords are not MFA.

  • Something you know: password, PIN, answer to a secret question.
  • Something you have: smartphone with an authenticator app, hardware token, passkey.
  • Something you are: fingerprint, facial recognition (biometrics).

How MFA works, step by step

The typical flow of an MFA-protected sign-in unfolds in a few stages:

  • The user enters the first factor (usually username and password).
  • The system asks for a second factor: a one-time code, an approval on an app, a passkey or biometrics.
  • Access is granted only if both factors are valid.

The most common MFA methods

Authenticator apps (TOTP)

An app generates a one-time code (TOTP) that changes every 30 seconds. It is more secure than SMS and does not require network coverage.

Passkeys and hardware tokens

Passkeys (the FIDO2/WebAuthn standard) and hardware tokens are the most phishing-resistant factors, because they bind authentication to the legitimate domain and share no reusable secret.

SMS codes

Better than a password alone, but vulnerable to SIM swapping and interception: best used as a fallback, not as the primary factor for sensitive access.

Adaptive MFA: security without needless friction

Adaptive MFA applies factors based on the risk of the context — device, location, time, operation sensitivity — asking for a second factor only when needed. This raises security on risky sign-ins without slowing down low-risk operations. See how LoginMaster's adaptive multi-factor authentication works.

MFA and compliance (NIS2, GDPR, ISO 27001)

Multi-factor authentication on sensitive and remote access is among the requirements expected by the NIS2 directive and is a recognized measure for GDPR and ISO 27001 too. MFA is also a pillar of the Zero Trust model, where every access request must be verified.

MFA in LoginMaster

LoginMaster offers configurable 2FA/TOTP and adaptive MFA that can be enabled by project, role or sensitivity level, integrated with SSO for Google Workspace and Microsoft Entra ID. See all the platform features or talk to our team via contact us.

Frequently asked questions

2FA requires exactly two factors; MFA requires two or more. Every 2FA is also MFA, but MFA can combine more than two factors for the most sensitive scenarios.

Passkeys (FIDO2/WebAuthn) and hardware tokens are the most secure because they resist phishing. Authenticator apps (TOTP) are a good compromise; SMS codes are the weakest.

The NIS2 directive expects multi-factor authentication on sensitive and remote access. It is also a recognized measure for GDPR and ISO 27001.

It is MFA that asks for the second factor only based on the risk of the context (device, location, operation sensitivity): more security where needed, less friction where risk is low.

Want to see LoginMaster in action?

Request a personalized demo and discover how to manage identities and access securely and compliantly.