Multi-Factor Authentication (MFA)
MFA is a security mechanism requiring users to provide two or more verification factors to gain access, significantly reducing the risk of unauthorized access.
Multi-factor authentication adds layers of security by requiring multiple forms of verification. It's based on the principle that attackers are unlikely to compromise multiple authentication factors simultaneously.
Authentication factors:
- Something you know: passwords, PINs, security questions
- Something you have: phone, hardware token, security key
- Something you are: fingerprint, face scan, iris scan

Common MFA methods:
- SMS codes (least secure, but widely used)
- Authenticator apps (Google Authenticator, Authy)
- Push notifications (Duo, Okta Verify)
- Hardware security keys (YubiKey, FIDO2 keys)
- Biometrics (fingerprint, face recognition)
MFA is required by most compliance frameworks and blocks 99.9% of automated attacks according to Microsoft.
Why It Matters
MFA is the single most effective security control against credential-based attacks, blocking 99.9% of automated account compromises according to Microsoft. Cyber insurers now require MFA as a baseline for coverage, and every major compliance framework mandates it. Despite its effectiveness, many organizations still have gaps—particularly for cloud admin accounts and service integrations—creating easy targets for attackers.
Related Terms
Access control is a security mechanism that regulates who can view or use resources in a computing environment, ensuring only authorized users can access systems and data.
IAM is a framework of policies and technologies that ensure the right individuals have appropriate access to technology resources at the right times and for the right reasons.
Zero Trust is a security model that requires strict identity verification for every person and device, regardless of network location.
Frequently Asked Questions
Is SMS-based MFA secure enough?
SMS is better than password-only, but vulnerable to SIM swapping. Authenticator apps or hardware keys are recommended for privileged accounts.
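As an added example (not part of the original glossary), this is the time-based one-time password scheme of RFC 6238 that the authenticator apps listed above (Google Authenticator, Authy) implement, together with the two server-side checks a practitioner wants: tolerance for a little client clock drift and refusal of a code that has already been accepted. The base32 secret is the RFC's test secret, and per-user persistence of `last_counter` is assumed to be handled by the caller.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 defaults used by Google Authenticator and Authy: 30-second steps, 6 digits, HMAC-SHA1.
STEP_SECONDS = 30
DIGITS = 6

def secret_from_base32(b32: str) -> bytes:
    """Provisioning QR codes carry the shared secret as unpadded base32; restore padding and decode."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, unix_time: int) -> str:
    """Code the authenticator app displays at the given Unix time."""
    return hotp(secret, unix_time // STEP_SECONDS)

def verify_totp(secret: bytes, submitted: str, unix_time: int, last_counter: int, skew: int = 1):
    """Server-side check. Returns (accepted, new_last_counter).

    - skew: how many 30-second steps of client clock drift to tolerate on each side.
    - last_counter: highest time step already accepted for this user (assumed to be
      persisted per user by the caller); any step at or below it is refused, so a code
      captured from the user cannot be replayed within its validity window.
    """
    submitted = submitted.strip()
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == DIGITS):
        return False, last_counter
    current = unix_time // STEP_SECONDS
    for counter in range(current - skew, current + skew + 1):
        if counter <= last_counter:
            continue
        # constant-time compare so the check leaks nothing about how many digits matched
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, last_counter

if __name__ == "__main__":
    # Constructed check using the RFC 6238 test secret "12345678901234567890" in base32.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(secret, 59), verify_totp(secret, totp(secret, 59), 59, -1))
```

The replay refusal is what distinguishes a sound verifier from one that merely recomputes the code: within one 30-second step the same digits remain valid, so the server must remember the highest step it has already honoured.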
Should MFA be required for all users?
Yes. Modern frameworks expect MFA for all users. At minimum, require it for privileged and remote access.