Glossaire CyberArk >

Multi-factor Authentication (MFA)

Multi-factor Authentication (MFA) is an authentication method that uses two or more distinct mechanisms to validate a user’s identity, rather than relying on just a simple username and password combination. MFA helps prevent unauthorized access to applications and sensitive data, helping organizations defend against identity theft, cyberattacks, and data breaches.

Businesses use MFA to control access to internal IT systems and solutions, as well as customer-facing applications.  In the consumer world, financial services companies, healthcare providers, insurance companies, cloud solution providers, and many others use MFA to protect against data leakage, fraud, and abuse. MFA helps improve the security of traditional on-premise IT infrastructure and also helps to strengthen cloud security.

Basic Username/Password Authentication Schemes are Vulnerable to Attack

Simple authentication methods that require only username and password combinations are inherently vulnerable. Savvy attackers can guess or steal credentials and gain access to sensitive information and IT systems using a variety of techniques, including:

  • Brute force methods – using programs to generate random username/password combinations or exploit common weak passwords like 123456
  • Credential stuffing – using stolen or leaked credentials from one account to gain access to other accounts (people often use the same username/password combination for many accounts)
  • Phishing – using bogus emails or text messages to trick a victim into replying with their credentials
  • Keylogging – installing malware on a computer to capture username/password keystrokes
  • Man-in-the-middle attacks – intercepting communications streams (over public Wi-Fi, for example) and replaying credentials

Multi-factor Authentication Provides an Additional Layer of Security for Added Protection

MFA helps protect against these common attacks by requiring two or more different forms of authentication (aka authentication factors) rather than just a simple username and password combination.

Authentication factors include

  • Knowledge factors – something the user knows, such as a password or an answer to a security question
  • Possession factors – something the user has such as a mobile device or proximity badge
  • Inherence factors – something biologically unique to the user such as a fingerprint or facial characteristics
  • Location factors – the user’s geographic position

With MFA, a user must present two distinct forms of evidence—for example, something they know and something they possess—to confirm their identity. So even if a cybercriminal obtains a username and password (something the user knows), they still can’t gain access to an account without another form of evidence like a security code sent to the user’s mobile device (something the user possess).

Different examples of Multi-factor evidence include:

  • Usernames and passwords
  • Codes sent as emails or SMS messages
  • Proximity badges, physical tokens, or USB devices
  • Software tokens or certificates
  • Answers to personal security questions
  • Fingerprint, voice or facial recognition, or retina scanning

Adaptive MFA Improves User Experiences, Aligns Authentication Factors with Risks

The latest MFA solutions support adaptive authentication methods, using contextual information (location, time-of-day, IP address, device type, etc.) and business rules to determine which authentication factors to apply to a particular user in a particular situation. For example, a customer accessing an online banking site from a trusted home computer might be able to log on using only a username and password. But to access the banking site from a foreign country, the user might also have to enter a one-time, short-lived code texted to their mobile phone.