What is Multi-Factor Authentication (MFA)?

How MFA prevents attacks from cybercriminals

What does MFA mean?

How does Multi-Factor Authentication work?

Multi-Factor Authentication (MFA) is a security system that verifies a user’s identity by requiring multiple credentials. Rather than just asking for a username and password, MFA requires other—additional—credentials, such as a code from the user’s smartphone, the answer to a security question, a fingerprint, or facial recognition.

MFA is an effective way to provide enhanced security. Traditional usernames and passwords can be stolen, and they’ve become increasingly more vulnerable to brute force attacks. MFA creates multiple layers of security to help increase the confidence that the user requesting access is actually who they claim to be. With MFA, a cybercriminal may steal one credential but will be thwarted by having to verify identity in a different manner.

Examples of Multi-Factor Authentication include using a combination of these elements to authenticate:

  • Codes generated by smartphone apps
  • Badges, USB devices, or other physical devices
  • Soft tokens, certificates
  • Fingerprints
  • Codes sent to an email address
  • Facial recognition
  • Retina or iris scanning
  • Behavioral analysis
  • Risk score
  • Answers to personal security questions

Types of authentication factors

When it comes to MFA, we typically refer to three types of authentication factors:

  • Things you know (knowledge), such as a password or PIN
  • Things you have (possession), such as a badge or smartphone
  • Things you are (inheritance), indicated through biometrics, like fingerprints or voice recognition

The latest MFA solutions incorporate additional factors by considering context and behavior when authenticating. For example:

  • Where you are when trying to obtain access, such as a cafe or home
  • When you are trying to access, like late at night or during the workday
  • What device you’re using, such as a smartphone versus a laptop
  • What kind of network are you accessing, like private or public

Often called Adaptive Authentication, this type of MFA takes context into account to flag logins that are out of the ordinary. When a person tries to authenticate in an unusual context, Adaptive MFA may tighten security by requesting additional credentials. For example, if a user is logging in from a cafe late at night—and this is not typical for that user—the MFA tool may require the user to enter a code texted to the user’s phone.

Thanks for signing up.

We’ve sent a verification email to

To complete your trial sign up, please check your email and follow instructions to verify. You may need to check your spam. You will be prompted to set up a password and log in. Please note that your user name is your email address.

Get Started in 3 Easy Steps:

Try OneLogin Free for 30 days

All fields are required

  • This field is required.
  • Please enter your first name
  • Please enter your last name
  • Please enter your job title
  • Please enter your phone number
  • Note: Please enter a work email address only as we DO NOT accept web-mail addresses (gmail, yahoo, hotmail, etc.)

    Is that a correct business email address?
  • Please enter company name
  • .onelogin.com
    Please choose another subdomain
  • Please enter number of employees
  • Please enter country
  • Please enter state
  • By completing and submitting this form, I agree to the storing and processing of my personal data by OneLogin as described in our Terms of Service and Privacy Policy.

  • By creating your account, you agree to the Terms of Service and Privacy Policy.

Related Resources:

OneLogin MFA

OneLogin’s MFA solution helps protect against unauthorized access to critical corporate data.

Learn More

How MFA Prevents Breaches

Multi-Factor Authentication can protect against many different, common types of cyberattacks.

Read More

MFA Solution Checklist

Find out what to look for in a Multi-Factor Authentication solution.

View Checklist