🔐 Multi-Factor Authentication Explained: How MFA Works in 2026
Multi-factor authentication (MFA) is one of the most effective security controls available today. According to Microsoft, accounts using MFA are 99.9% less likely to be compromised. Yet despite this statistic, the Verizon 2026 Data Breach Investigations Report (DBIR) found that over 50% of breaches involving stolen credentials occurred on accounts that did not have MFA enabled. Understanding how MFA works, and which factors provide real protection, is essential for anyone serious about cybersecurity.
The NCSC (National Cyber Security Centre) describes MFA as "your single most effective defence against password theft." This guide explains the three authentication factors, how different MFA methods compare for security versus convenience, and how to choose the right setup for your needs.
The Three Authentication Factors
MFA works by requiring evidence from at least two different categories (or "factors") before granting access. The three recognised factors are defined by NIST SP 800-63B, the US government's digital identity guidelines:
| Factor | Category | Examples | Security Level |
|---|---|---|---|
| Something you know | Knowledge | Password, PIN, security question | Low (can be stolen, guessed, phished) |
| Something you have | Possession | Phone, security key, smart card | Medium-High (attacker needs physical access) |
| Something you are | Inherence | Fingerprint, face scan, voice | Medium (can be spoofed but hard to scale) |
A true MFA system combines factors from at least two of these categories. A password (knowledge) plus an SMS code (possession) is proper MFA. A password plus a security question is NOT — both are knowledge factors.
SMS-Based Authentication (SMS OTP)
This is the most common MFA method: after entering your password, you receive a 6-digit code via text message. NIST SP 800-63B has been actively discouraging SMS-based MFA since 2017, citing the risk of SIM-swapping attacks. The FBI IC3 reported a 400% increase in SIM-swapping complaints between 2020 and 2025.
Despite these risks, SMS MFA is still far better than no MFA at all. The security improvement over password-only authentication is significant — it stops automated credential-stuffing attacks, bulk phishing campaigns, and most remote attackers. The vulnerability is primarily to targeted attacks where an attacker calls your mobile carrier and convinces them to transfer your number to a SIM card they control.
Authenticator App-Based MFA (TOTP)
Time-based One-Time Password (TOTP) apps like Google Authenticator, Microsoft Authenticator, and Authy generate 6-digit codes that change every 30 seconds. These codes are generated on your device, not sent over SMS, which eliminates the SIM-swap vulnerability.
TOTP apps are significantly more secure than SMS because:
- Codes never traverse the mobile network
- No phone number is involved — attackers cannot redirect your codes
- The shared secret (seed) is stored encrypted on your device
- Most apps support encrypted cloud backup (mitigating device loss)
ENISA recommends TOTP as the minimum MFA standard for personal accounts. Services like Kaspersky Password Manager integrate TOTP codes into their encrypted vault, keeping your passwords and 2FA tokens in one secure place. For enterprise deployments, OWASP recommends enforcing hardware-backed TOTP, where the seed is stored in the device's secure enclave (Apple Secure Enclave, Android TEE).
Push Notification MFA
Push-based MFA sends a notification to your phone asking you to approve or deny a login attempt. This is the model used by Microsoft Authenticator, Duo Security, and Keeper. The user experience is excellent — you tap "Approve" or "Deny" without typing a code.
However, push fatigue (also called MFA bombing) is an emerging attack where attackers repeatedly trigger push notifications until the user, annoyed, accidentally approves one. The NCSC recommends adding a number matching requirement: the push notification shows a number that the user must enter on the login screen, making accidental approval impossible.
Hardware Security Keys (FIDO2 / WebAuthn)
Hardware security keys like YubiKey and Google Titan are the gold standard for MFA. These physical devices connect via USB, NFC, or Bluetooth and perform cryptographic challenge-response authentication. Phishing cannot succeed against WebAuthn keys: the browser binds each challenge to the site's origin and relying-party ID, and the key's signed response is only valid for the site it was registered with, so a look-alike domain cannot reuse it.
Key benefits of hardware security keys include:
- Phishing-resistant — the key will not authenticate against a fake website
- No codes to type — just touch the key to authenticate
- No battery or network needed — works even offline
- FIPS 140-2 certified — meets government security standards
The Google Security Blog reported that after switching to hardware security keys for all 85,000+ employees, the company experienced zero successful phishing attacks against those accounts. CISA now recommends FIDO2 security keys as the preferred MFA method for all federal agencies. For teams needing secure internal communication, TrekMail combines encrypted messaging with MFA-ready authentication.
Biometric Authentication
Fingerprint scanners, facial recognition, and voice authentication fall under the "something you are" factor. Biometrics offer excellent convenience but have distinct security limitations:
Strengths: Fingerprints and face scans cannot be forgotten or easily shared. They are always "with you," eliminating the need to carry a separate device.
Limitations: Unlike passwords, biometrics cannot be changed if compromised. A leaked fingerprint database affects every service using that biometric — you cannot get a new set of fingerprints. The ICO has expressed concerns about biometric data storage practices, particularly with cloud-based matching systems.
Best practice: use biometrics as a convenience layer on the device (unlocking your phone to use a password manager) but not as a primary authentication factor sent over a network. Local biometric matching (on-device) is far more secure than cloud-based biometric verification.
How to Choose Your MFA Setup
| Security Level | Recommended Setup | Best For |
|---|---|---|
| Basic | Password + SMS or TOTP app | General consumer accounts |
| Enhanced | Password + TOTP app on separate device + backup codes | Social media, email, banking |
| High | Password + hardware security key (FIDO2) | Cryptocurrency, admin accounts, developer access |
| Maximum | Hardware key + biometric + backup keys | Enterprise admin, code signing, CI/CD access |
For password managers that support MFA — and they all should — enable TOTP authentication using an authenticator app rather than SMS. OWASP recommends using a dedicated authenticator app rather than the password manager's built-in MFA, to maintain genuine factor separation.
FAQs
Is SMS-based MFA better than no MFA?
Yes. Despite SIM-swapping risks, SMS MFA blocks 99% of automated attacks and bulk phishing attempts, according to Microsoft. Upgrade to an authenticator app when you can, but don't avoid MFA entirely just because SMS has vulnerabilities.
Can MFA be bypassed by hackers?
Yes, through targeted techniques like SIM-swapping, push fatigue (MFA bombing), or real-time phishing proxies (evilginx). However, these require significant attacker effort and targeting. For the vast majority of users, enabling MFA eliminates the risk of account compromise from credential stuffing, password reuse, and bulk phishing.
What happens if I lose my phone with my authenticator app?
This is why backup codes are essential. Every service that supports MFA provides one-time backup codes when you enable it. Store these in your password manager or print and store them somewhere safe. Without backup codes, account recovery typically requires identity verification with the service provider.
Should I use the same authenticator app for everything?
For personal use, one authenticator app is fine. For high-value accounts (email primary, cryptocurrency, admin access), consider using a separate authenticator app or a hardware security key. This provides genuine factor separation: even if someone compromises your phone, they can't authenticate into your most critical accounts.
What is a passkey, and is it MFA?
Passkeys (based on FIDO2/WebAuthn) are passwordless authentication where a cryptographic key pair replaces the password entirely. A passkey is NOT MFA by itself — it replaces the password factor. When combined with a biometric or PIN to unlock the passkey, it becomes MFA (possession of the key plus inherence for a biometric, or knowledge for a PIN).