
Multi-Factor Authentication (MFA) Explained

Multi-factor authentication (MFA) requires users to verify their identity with two or more independent factors before granting access. Instead of relying on a password alone, MFA combines something you know with something you have or something you are.

Two-factor authentication (2FA) is a subset of MFA that uses exactly two factors. The terms are often used interchangeably, though MFA can involve more than two.


Passwords are the most common form of authentication — and the most commonly compromised. Here’s why relying on passwords alone is risky:

  • Credential theft. Billions of username/password combinations from data breaches are available on the internet. Security researchers call these “password dumps.” If a user reuses a password across services, one breach exposes all of them.
  • Phishing. Attackers create convincing fake login pages to trick users into entering their credentials. Even security-aware users can be fooled by well-crafted phishing campaigns.
  • Brute force and credential stuffing. Brute-force tools guess passwords automatically, thousands of attempts per second against an online login and far more against a stolen password hash; credential stuffing replays username/password pairs leaked from other breaches. Short or common passwords fall in minutes.
  • Password reuse. Most people use the same password across multiple accounts. A breach at one service compromises every account sharing that password.

Even strong, unique passwords are vulnerable to phishing and keyloggers. MFA ensures that a stolen password alone isn’t enough to gain access.


Security experts classify authentication factors into three categories:

| Factor | Description | Examples |
|---|---|---|
| Something you know | Information only the user should know | Password, PIN, security question |
| Something you have | A physical object the user possesses | Smartphone, hardware token, smart card |
| Something you are | A biometric characteristic unique to the user | Fingerprint, face scan, voice recognition |

True MFA requires factors from at least two different categories. Using two passwords (both “something you know”) is not MFA — both could be compromised through the same phishing attack.

The most widely used MFA combination is password + phone-based verification: the user enters a password (something they know) and then confirms with a code or push notification on their phone (something they have).


A typical MFA login flow:

  1. The user enters their username and password in a VPN client, web application, or login page.
  2. The system validates the password against the user directory (Active Directory, LDAP, or a local database).
  3. The system requests a second factor — for example, sending a push notification to the user’s phone or asking for a one-time code.
  4. The user provides the second factor — tapping “Approve” on a push notification, entering an SMS code, or plugging in a hardware token.
  5. The system validates the second factor and grants or denies access.

The time-limited nature of most second factors is a key security feature. A one-time password (OTP) typically expires in 30–60 seconds, and a code that has been accepted once should never be accepted again, so an attacker who intercepts a code has only a narrow window and a single shot at using it.


Push notification

A notification is sent to an authenticator app on the user’s smartphone. The user taps Approve or Reject; there is no code to type. This is the most user-friendly method, and it removes the code that a phishing caller could talk the user into reading out. It is not fully phishing-resistant, though: a proxy phishing page that forwards the stolen password to the real service triggers a genuine push, and a user who approves it lets the attacker in. Number matching (described under push fatigue below) makes such blind approvals much harder.

Best for: Organizations that want a good balance of security and convenience.

SMS one-time code

A numeric code is sent via text message to the user’s registered phone number. The user enters the code to complete login.

Advantages: Works on any phone — no app installation required. Simple and familiar.

Limitations: Susceptible to SIM-swapping attacks and SMS interception, and the code can be phished just like a password. NIST SP 800-63B classifies SMS delivery as a restricted authenticator and recommends stronger methods where assurance matters, but SMS OTP remains widely used and is significantly better than a password alone.

Best for: Users who cannot or will not install an app, or as a fallback method.

Authenticator app (TOTP)

An authenticator app (like Mideye+, Google Authenticator, or Microsoft Authenticator) generates a new six-digit code every 30 seconds from a shared secret, enrolled once by scanning a QR code, and the current time (RFC 6238 TOTP). The code is computed locally on the phone, so no network connection is needed at the time of login; the server derives the same code from its copy of the secret and compares.

Best for: Air-gapped or offline environments where push notifications and SMS delivery aren’t available.
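The TOTP computation and the server-side checks that go with it, as an added example that is not Mideye’s or any authenticator app’s own code. It uses the RFC 4226/6238 reference secret as a constructed test value; the one-step clock-skew window and the single-use rule are design choices for illustration, not settings taken from the page.

```python
# Added example (not Mideye's code): RFC 6238 TOTP as computed by an
# authenticator app, plus the server-side checks that make it safe to use:
# a small clock-skew window and rejection of any code already accepted.
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per code, the usual authenticator default
DIGITS = 6
SKEW_STEPS = 1   # also accept the previous and next step (clock drift)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, int(unix_time) // step)


class TotpVerifier:
    """Server-side state for one enrolled user (constructed for this example)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        # Highest time step whose code has already logged the user in. Codes are
        # single-use, so an intercepted code cannot be replayed inside its lifetime.
        self.last_used_step = -1

    def verify(self, submitted: str, now: float) -> bool:
        current = int(now) // TIME_STEP
        for step in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            if step <= self.last_used_step:
                continue  # already consumed, or older than a consumed code
            # Constant-time compare so response timing leaks nothing about the code.
            if hmac.compare_digest(hotp(self.secret, step), submitted):
                self.last_used_step = step
                return True
        return False


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// URI that authenticator apps read from the enrollment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")


if __name__ == "__main__":
    # RFC 4226/6238 reference secret; at Unix time 59 the step counter is 1,
    # so the code equals the RFC test vector 287082.
    secret = b"12345678901234567890"
    print(totp(secret, 59))          # 287082
    v = TotpVerifier(secret)
    print(v.verify("287082", 59))    # True
    print(v.verify("287082", 61))    # False: same code, already consumed
    print(provisioning_uri("Example", "alice@example.com", secret))
```

The skew window is what lets a phone whose clock is a few seconds off still log in; widening it beyond one step gives an attacker proportionally more valid codes at any instant, so keep it small and rely on `last_used_step` rather than a wider window to absorb drift.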

Hardware tokens

Physical devices that generate one-time passwords or sign login challenges. Common form factors include USB keys (YubiKey), key fobs, and display cards. Hardware tokens follow open standards: OATH HOTP/TOTP for tokens that display a code, and FIDO U2F/FIDO2 (WebAuthn) for keys that sign a challenge bound to the site’s origin.

Advantages: No phone required, no battery to charge (for display tokens), and an attacker needs physical possession of the token. Note the difference between the two standards: a code read off a display token can still be phished like any other OTP, whereas a FIDO key’s signature only works for the genuine site, which makes it phishing-resistant.

Best for: High-security environments, users without smartphones, and regulatory scenarios that require physical tokens.

Biometrics

Fingerprint scans, facial recognition, or voice recognition used as an authentication factor. Most commonly used on smartphones and laptops.

Limitations: Biometric data can’t be changed if compromised (unlike a password or token), which is why consumer devices keep the template on the device and use the match only to unlock a locally stored credential. Biometric systems require a reliable sensor and can have accessibility issues.

Best for: Device unlock and local authentication, often combined with other factors.


MFA dramatically reduces the risk of account compromise, but no security measure is perfect. Understanding attack vectors helps you choose the right defenses.

Phishing for one-time codes

Attackers impersonate trusted organizations (IT support, banks) and trick users into revealing their one-time codes, or run a proxy login page that relays the password and code to the real service in real time. With the username, password, and a valid OTP in hand, the attacker logs in before the code expires.

Mitigation: Push-based authentication removes the code a caller can ask for, and number matching stops a relayed push from being approved blindly. A FIDO/WebAuthn key defeats this attack outright, because its signature is bound to the real site’s origin and is useless to a proxy. User awareness training remains essential.

Push fatigue (MFA bombing)

The attacker already has the user’s password and triggers repeated push notifications, hoping the user eventually taps “Approve” out of frustration or confusion.

Mitigation: Rate limiting on authentication attempts, number matching (showing a code on the login screen that the user must confirm in the app), and alerting on unusual patterns.

SIM swapping

The attacker convinces a mobile carrier to transfer the victim’s phone number to a new SIM card, intercepting SMS codes.

Mitigation: Treat SMS as a fallback rather than the primary method, and let users enrol an authenticator app or hardware token instead.

Brute-forcing the code

A four- to six-digit code has at most one million possible values, so an automated tool could try them all if nothing stopped it. Two controls close this: codes expire after a short lifetime (typically 30–60 seconds), and the challenge or account is locked after a small number of failed attempts, which leaves the attacker a handful of guesses in a million per issued code.
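Server-side handling of a short, server-generated code such as an SMS OTP, as an added example (not Mideye’s code) of the expiry and lockout controls described above. The SMS gateway is replaced by an in-memory list, and the lifetime and attempt limit are assumptions for illustration; the bound on an online guessing attacker’s success follows directly from them.

```python
# Added example (not Mideye's code): issuing and checking a server-generated
# one-time code, as used for SMS OTP. A 6-digit code has only 10**6 values, so
# the protection comes from expiry and a hard cap on guesses per issued code.
import hashlib
import hmac
import secrets

CODE_DIGITS = 6
LIFETIME = 60       # seconds before an issued code expires (assumed value)
MAX_ATTEMPTS = 3    # guesses allowed per issued code before it is burned (assumed)


class OtpChallenge:
    """One outstanding second-factor challenge for one login attempt."""

    def __init__(self, code: str, issued_at: float):
        # Store only a hash so a database leak does not reveal live codes.
        self.code_hash = hashlib.sha256(code.encode()).digest()
        self.issued_at = issued_at
        self.attempts = 0
        self.consumed = False


class OtpService:
    def __init__(self):
        self.challenges: dict[str, OtpChallenge] = {}
        self.sent: list = []   # stand-in for the SMS gateway: (user, code) pairs

    def issue(self, user: str, now: float) -> None:
        # secrets.randbelow is uniform and unpredictable; zfill keeps leading
        # zeros so "000123" is as likely as any other code.
        code = str(secrets.randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)
        self.challenges[user] = OtpChallenge(code, now)  # re-issue replaces any old code
        self.sent.append((user, code))

    def verify(self, user: str, submitted: str, now: float) -> str:
        ch = self.challenges.get(user)
        if ch is None or ch.consumed:
            return "no_challenge"
        if now - ch.issued_at > LIFETIME:
            del self.challenges[user]
            return "expired"
        ch.attempts += 1
        submitted_hash = hashlib.sha256(submitted.encode()).digest()
        # Constant-time compare; the code is single-use once accepted.
        if hmac.compare_digest(submitted_hash, ch.code_hash):
            ch.consumed = True
            return "ok"
        if ch.attempts >= MAX_ATTEMPTS:
            # Burn the challenge; the user must restart, which also alerts them.
            del self.challenges[user]
            return "locked"
        return "wrong"


def guess_success_probability(digits: int = CODE_DIGITS,
                              attempts: int = MAX_ATTEMPTS) -> float:
    """Upper bound on an online guessing attacker's success per issued code."""
    return attempts / (10 ** digits)


if __name__ == "__main__":
    svc = OtpService()
    svc.issue("alice", now=1000.0)
    _, code = svc.sent[-1]            # what the "SMS" delivered
    print(svc.verify("alice", "123456", now=1001.0))   # almost certainly "wrong"
    print(svc.verify("alice", code, now=1002.0))       # ok
    print(svc.verify("alice", code, now=1003.0))       # no_challenge (single use)
    print(guess_success_probability())                 # 3e-06
```

Lockout here is per issued code rather than per account, so an attacker cannot use it to lock a legitimate user out by guessing badly on purpose; a separate rate limit on how often a code may be issued to one user is still needed to stop SMS flooding.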


| | 2FA | MFA |
|---|---|---|
| Factors required | Exactly two | Two or more |
| Common example | Password + SMS code | Password + push notification + biometric |
| Scope | Subset of MFA | Broader category |

Every 2FA implementation is MFA, but MFA can go further by requiring a third factor for high-risk operations. For most organizations, two well-chosen factors provide strong protection.


Many regulations and frameworks require or recommend multi-factor authentication:

  • GDPR — Requires appropriate technical measures to protect personal data. MFA is widely considered a baseline measure.
  • NIS2 — Mandates strong authentication for critical infrastructure operators in the EU.
  • DORA — Requires financial entities to implement strong authentication for ICT systems.
  • ISO 27001 — Recommends MFA as part of access control policies.
  • NIST SP 800-63 — Provides detailed guidance on authentication assurance levels, with MFA required at higher levels.
  • PCI DSS — Requires MFA for all non-console administrative access and, since version 4.0, for all access into the cardholder data environment.

Most MFA solutions are cloud-based — the MFA server runs in the vendor’s data center, and your authentication data is processed outside your network. This works for many organizations, but it introduces trade-offs: you depend on the vendor’s availability, your data crosses network boundaries, and compliance with data residency requirements becomes more complex.

On-premises MFA keeps the authentication engine on your infrastructure. Credentials and authentication decisions never leave your network. You control where data is stored, who has access, and which jurisdiction applies. For organizations in regulated industries — or simply those who prefer to keep authentication under their own control — on-premises MFA is the stronger choice.

Mideye Server takes a hybrid approach: the authentication server runs on your infrastructure while optional cloud services handle message delivery (SMS, push notifications). This gives you on-premises control with the convenience of modern MFA methods. For environments that require complete isolation, air-gapped mode operates with zero internet connectivity.

Learn more in On-Premises vs Cloud MFA and Air-Gapped Authentication.


Mideye Server is an on-premises MFA platform that supports 11 authentication types — from SMS codes and push notifications to hardware tokens and air-gapped TOTP. It speaks RADIUS for VPNs and firewalls, REST API for web applications, and integrates with LDAP, Active Directory, and Microsoft Entra ID for user directories.