Multi-Factor Authentication (MFA)
Multi-Factor Authentication requires users to present two or more independent “factors” to verify identity during login. The classic categories of factors are: something you know (e.g., password or PIN), something you have (e.g., a physical token, smartphone app, smart card), and something you are (biometric traits like fingerprint, face scan). By combining factors, MFA adds layers of proof so that if one factor (like a password) is compromised, an attacker still cannot authenticate without the additional factor(s).
Common MFA implementations include one-time passcodes (6-digit codes from an authenticator app or sent via SMS), push notifications to a registered mobile device, physical OTP tokens or USB security keys (e.g., YubiKeys using FIDO2/WebAuthn), and biometric unlock on a device the user possesses (inherence combined with possession). The origins of MFA go back decades: ATM cards + PINs in banking were an early form of two-factor authentication (2FA).
Today, modern MFA often leverages smartphones – either via authenticator apps generating time-based codes or via secure push prompts that the user approves. Technically, when MFA is enabled, the authentication workflow will validate primary credentials (e.g., password) and then challenge for a second factor. Only if all factors validate does the system issue an authentication token or session.
How does it affect identity security?
MFA is one of the most effective controls for protecting user identities and preventing unauthorized access. Breach statistics consistently attribute a large share of intrusions to compromised passwords; by introducing MFA, organizations mitigate the vast majority of those password-based attacks. Microsoft famously reported that MFA can block over 99.9% of automated account compromise attempts.
In practice, that means even if an attacker phishes or guesses a user’s password, they cannot log in without the second factor (which is far harder to obtain). MFA is particularly important for privileged accounts and remote access. Many high-profile breaches (like the 2021 Colonial Pipeline incident) might have been thwarted if MFA had been in place. In that case, attackers used a leaked password to access a VPN that had single-factor login. Had MFA been required, possessing the password alone wouldn’t grant entry.
More generally, MFA greatly reduces the risk of phishing, credential stuffing, and password reuse attacks – even if users reuse a password that gets leaked from another site, attackers still can’t use it to breach the MFA-protected account. It also provides an additional line of defense against keylogger or spyware incidents (where malware might steal your password, but not your physical token).
From an identity security viewpoint, MFA shifts the security model from relying solely on “something you know” (which can be stolen without the user noticing) to also requiring a factor that an attacker can obtain only by interacting with the user or the user’s device. This deters or defeats mass, automated attack techniques. Modern threat actors often try to bypass MFA via social engineering (e.g., MFA fatigue attacks or SIM swap for SMS codes), but those are more complex and easier to detect than a quiet password theft, indicating just how much harder MFA makes their job.
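The point that MFA-bypass attempts are easier to detect than silent password theft can be made concrete with a small detection rule. The following Python is an added example, not code or log format from the original page or any particular product: it parses constructed push-notification log lines (timestamp, user, event, source IP) and flags any user who received more than a threshold of push prompts inside a short window, noting how many were rejected and whether an approval followed the burst, which is the pattern an MFA fatigue attempt leaves behind. The threshold, window and log format are assumptions chosen for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (CSV: timestamp,user,event,source_ip). "bob" shows a burst of
# prompts ending in an approval; "alice" and "carol" show ordinary logins.
SAMPLE_LOG = """\
2024-03-01T08:00:05Z,bob,push_sent,203.0.113.7
2024-03-01T08:00:20Z,bob,push_denied,203.0.113.7
2024-03-01T08:00:41Z,bob,push_sent,203.0.113.7
2024-03-01T08:00:55Z,bob,push_denied,203.0.113.7
2024-03-01T08:01:10Z,bob,push_sent,203.0.113.7
2024-03-01T08:01:30Z,bob,push_timeout,203.0.113.7
2024-03-01T08:02:02Z,bob,push_sent,203.0.113.7
2024-03-01T08:02:15Z,bob,push_denied,203.0.113.7
2024-03-01T08:03:00Z,bob,push_sent,203.0.113.7
2024-03-01T08:03:12Z,bob,push_approved,203.0.113.7
2024-03-01T08:05:00Z,alice,push_sent,198.51.100.4
2024-03-01T08:05:09Z,alice,push_approved,198.51.100.4
2024-03-01T09:30:00Z,carol,push_sent,198.51.100.9
2024-03-01T09:30:40Z,carol,push_timeout,198.51.100.9
2024-03-01T09:31:10Z,carol,push_sent,198.51.100.9
2024-03-01T09:31:25Z,carol,push_approved,198.51.100.9
"""

REJECTIONS = ("push_denied", "push_timeout")


def parse_log(text: str) -> list[dict]:
    """Parse the constructed CSV format into event dicts with real datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "event": event,
            "ip": ip,
        })
    return events


def detect_push_fatigue(events: list[dict], max_prompts: int = 4,
                        window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {user: details} for users who got more than max_prompts push challenges
    within `window`. Thresholds are assumptions; tune them to the environment."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        sends = [e["ts"] for e in evs if e["event"] == "push_sent"]
        start = 0
        # Sliding window over the prompt timestamps: [start, end] always spans <= window.
        for end in range(len(sends)):
            while sends[end] - sends[start] > window:
                start += 1
            count = end - start + 1
            if count > max_prompts:
                burst_begin, burst_end = sends[start], sends[end]
                rejections = sum(1 for e in evs
                                 if e["event"] in REJECTIONS and burst_begin <= e["ts"] <= burst_end)
                # An approval after repeated prompts is the worst case: the user may have
                # approved a request they did not initiate.
                approved_after = any(e["event"] == "push_approved" and e["ts"] >= burst_end
                                     for e in evs)
                alerts[user] = {
                    "prompts": count,
                    "rejections": rejections,
                    "approved_after_burst": approved_after,
                    "source_ips": sorted({e["ip"] for e in evs}),
                }
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for user, details in detect_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(user, details)
```

A rule like this is typically paired with a response: lock the affected account's push factor, notify the user through a separate channel, and, where the identity provider supports it, require number matching or a phishing-resistant factor (FIDO2/WebAuthn) for that user going forward.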
Organizations implement MFA not just for employees but also for customers (to protect online banking, e-commerce accounts, etc.) because it’s proven to cut down fraud and account takeovers significantly. One challenge is user friction – MFA adds a step – but newer methods (like push approvals or device biometrics) have improved usability.
The slight inconvenience is vastly outweighed by the security gained, especially when defending high-value assets. MFA is often considered the baseline for secure identity: guidelines like NIST SP 800-63 recommend multi-factor auth for higher assurance levels, and cyber insurance or compliance standards now frequently mandate MFA for admin logins and remote access.
Another reason MFA is crucial: it provides defense in depth for identity. Even if an organization’s password database is compromised or a user’s password is weak, MFA stands as a second independent secret. Many real-world intrusions (e.g., the 2018 Reddit breach) have led companies to adopt MFA broadly to prevent recurrence. Reddit noted after their breach (which involved SMS 2FA being compromised) that stronger app-based or token-based MFA would be enforced going forward.
Case studies
The 2021 Colonial Pipeline breach is a stark example of the absence of MFA leading to compromise. Attackers used a single leaked password to access a VPN account (which had no MFA) and from there penetrated the network, causing a major ransomware incident that disrupted fuel supplies. Colonial Pipeline’s CEO later acknowledged that the lack of MFA on that VPN was a critical security gap. This incident prompted many infrastructure companies to accelerate MFA adoption for remote access.
Dropbox had already offered MFA as an optional setting before its 2016 incident. Credentials from a 2012 password dump were later used to access some Dropbox accounts, after which the company forced password resets and heavily promoted MFA. By 2016, when an attacker tried to reuse those old credentials, users who had enabled MFA were protected; only accounts without MFA were accessed. This led Dropbox to start making MFA a default or strongly recommended setting.