What Is Multi-factor Authentication (MFA) and How Does It Protect You?

Multi-factor authentication adds extra layers of security to your accounts. Let’s talk about how it works and the most commonly used multi-factor authentication methods.
We receive compensation from the products and services mentioned in this story, but the opinions are the author's own. Compensation may impact where offers appear. We have not included all available products or offers. Learn more about how we make money and our editorial policies.

A username-password combination is easy to break. To protect your accounts and assets, you need additional layers of security, and that’s where multi-factor authentication (MFA) comes into play.

Take a phishing page, for example. When you input your details into a phishing page, the hacker receives the exact information you entered. Using a strong password doesn’t help you here.

However, a hacker needs to break through additional security barriers once you enable multi-factor authentication, making it harder to gain unauthorized access. That’s one of the reasons why top password managers require users to set up MFA. In this guide, we dive into the basics of multi-factor authentication, how it works, and why you need it.

In this article
What is multi-factor authentication, and how does it work?
When is MFA used?
Multi-factor authentication methods
How do I enable MFA authentication methods?
MFA vs. 2FA: What’s the difference?
Why is MFA important?
FAQs
Bottom line

What is multi-factor authentication, and how does it work?

Multi-factor authentication (MFA) refers to a security mechanism that requires users to verify their identity using two or more factors.

Think about the last time you used your credit card. You entered your card number and a CVV, but the credit card company still sent you a one-time passcode (OTP). That’s MFA in action for you. Even though you entered the CVV, the credit card company sent an OTP to double-check that you’re making the payment, in case it’s someone with unauthorized physical access to your card.

MFA requires a one-time setup. You choose your preferred verification methods from the available ones and add relevant information.

Here are the general steps to logging into your account once MFA is set up:

  1. Provide primary credentials: Depending on the service you're using, this could be a username-password combination, credit card number, phone number, or something else.
  2. Provide additional verification: Depending on how you've set up MFA, additional verification methods may include a code generated by an app, a code sent to your phone or email, a magic link, or a biometric scan.
  3. Access your account: You gain access to your account once you’ve verified your identity through all authentication methods.

When is MFA used?

MFA springs into action whenever you want to log into your account or app from a new device. Some platforms may require MFA on every login attempt, even on known devices. MFA is usually available on the following types of platforms and apps:

Multi-factor authentication methods

All MFA methods fall into one of three categories: something you know, something you have, or something you are. The key here is that this knowledge, possession, or characteristic should be unique to you.

Here are some examples of MFA methods:

  • One-time passcodes (OTP): OTPs are one of the most commonly used authentication factors. Whenever a user tries to log in, the service provider sends an OTP (via SMS, email, or an instant messaging platform) or requires the user to generate a passcode using an authenticator app like Google Authenticator or Authy.
  • Biometrics: Biometric data is gaining popularity because most devices now support fingerprint and facial scans. Accounts protected with biometrics are harder to break into because each individual’s biological features are unique and nearly impossible to duplicate.
  • Security questions: Security questions are commonly used when you sign up for email and social media platforms. This involves setting up one or more security questions that, ideally, only you know the answer to.
  • Push notifications: Whenever you try to log in using a new device, the service provider sends a push notification to a device you are already logged into. Confirming this notification lets you log in from the new device. You’ve probably used push notifications if you’re a Gmail user. Google uses them to authenticate login attempts for the Gmail app on an unknown device.
  • Passkeys: Passkeys are stored on hardware, such as a USB stick. Whenever you need to verify your identity, just plug the device with the passkey into your computer. The platform will read the passkey and let you access the account if it is valid.

How do I enable MFA authentication methods?

The process to enable MFA looks different on every platform. You should be able to set up MFA when you sign up for a service or later via the security settings section. If not, look at the platform’s knowledge base or contact support.

Requirements vary, so it would be difficult to provide general guidelines on how to enable MFA for the specific platform you are using, but here’s an example of what the process looks like for Nord users:

  1. Sign into your account, click on your email at the top right of the screen, and select Account settings.
  2. Switch to the Multi-factor authentication tab and click the Set up button next to the MFA method you want to set up. You can use both MFA methods for tighter account security.
  3. When you’re done, try logging out of any Nord app (NordPass, NordVPN, or NordLocker) and logging back in, or logging in using another device. Nord will ask you to verify your identity using all the MFA methods you have set up before letting you access your account.

Account Settings dashboard of MFA options

MFA vs. 2FA: What’s the difference?

All two-factor authentication (2FA) accounts use MFA, but the reverse is not true. 2FA is a subset of MFA and includes accounts protected using two authentication factors. It’s commonly used to secure social media and email accounts.

Let’s understand the difference using Nord as an example. If you set up MFA using an authenticator app, not a physical security key, you’ve set up 2FA. The first authentication factor is your account password, and the second is the authenticator app. However, if you also set up a security key, you use MFA but not 2FA.

Why is MFA important?

Strong passwords are difficult to crack using brute force, but they’re still vulnerable to phishing and man-in-the-middle (MitM) attacks. That’s why adding more layers of security to online accounts using MFA is mission-critical.

Suppose you’re waiting in line at a cafe before work and want to browse through Amazon. You connect to a public WiFi network and log into your Amazon account.

The problem? A hacker might be using the same public network to attempt MitM attacks. Unless you’re using a VPN, the hacker can capture your login credentials and use them to log into your account. They might even be able to spend money in your Amazon account to buy themselves a nice gift.

That’s where MFA comes in. If you’ve set up MFA for your Amazon Prime account, the hacker won’t be able to log in without the one-time passcode Amazon sent to your phone number.

Many service providers send an automated email notification with relevant details for failed login attempts. If you receive one of these, just change your password to make sure no one except you and other authorized users has access to your account.

FAQs

What is MFA and 2FA?

Multi-factor authentication (MFA) is a multi-layer security mechanism in which users need to verify their identity using multiple factors. Two-factor authentication (2FA) is a subset of MFA and refers to an MFA setup with two authentication factors only.

What are the 3 factors of multi-factor authentication?

Here are the three factors of MFA:

  • Knowledge factor: Information only the user knows, such as a password, PIN, or answer to a security question.
  • Possession factor: A physical object only the user can access, such as a smartphone, security token, smart card, or a one-time passcode generator.
  • Inherence factor: Biometric characteristics unique to each user, such as a fingerprint, face, voice, or iris.

What are MFA devices?

MFA devices are tools that help verify a user’s identity. They can be physical (like a USB stick with a passkey) or virtual (like an authenticator app).

What is the purpose of MFA?

MFA’s purpose is to add extra layers of security to your account. The inability to log in using just the username and password makes it difficult for a hacker to access your account. The more layers you add, the harder it is to break into your account.

Bottom line

MFA helps secure accounts by adding multiple authentication factors. While a strong, unique password is still necessary, relying solely on it is a recipe for disaster. Even a complex password is vulnerable to phishing, MitM, and various other types of cyberattacks.

Your best bet to prevent unauthorized access is to use a top password manager and set up MFA across all accounts. Even your password manager should be MFA-enabled to ensure total security. Do this, and you’ll make it nearly impossible for a hacker to gain unauthorized access to your online accounts.
