Sep 10, 2023

What Is MFA (Multifactor Authentication)?

The password has been a staple of access control for decades. However, we can no longer rely on this form of single-factor authentication for robust cybersecurity. Multifactor authentication (MFA) was developed to further protect account access, resources, and data, and to prevent cyberattacks. This article shows how MFA is used to protect assets and to ensure compliance.

MFA was introduced to strengthen account security, protect data, and reduce the risk of unauthorized access. This article explains how MFA works, where it fits into your organization’s security strategy, and why it’s considered essential in 2025.

Why use multifactor authentication?

For decades, “username and password” was the default method for authentication. This single-factor model presents a single point of failure, and cybercriminals have taken full advantage. Attackers now use various methods to bypass password-based systems:

Phishing: Credential theft is often achieved through phishing — sending emails or other messages purporting to be from trustworthy companies, in order to trick people into revealing information such as passwords. This is the most popular cyberattack technique, according to IBM research.

Social engineering: This is a form of phishing in which cybercriminals psychologically manipulate people into willingly handing over passwords.

Spear phishing: This form of phishing targets specific individuals and is often used to steal password credentials from employees with wide-ranging access, such as administrators.

Brute force: According to Cybernews research, the most commonly used passwords in 2024 are:

  1. 123456

  2. 123456789

  3. Qwerty

Brute force attacks are automated attempts to guess a password in order to access an application. With easy-to-guess passwords, brute force attacks become a serious threat to single-factor verification systems.

Credential stuffing: Attackers often use passwords stolen through phishing attacks or found via data breaches to attempt to access other applications.

Server compromise: Hackers also try to gain access to stored corporate passwords. If they are poorly secured, the attacker can get all of a company’s passwords.

Man-in-the-middle (MitM) attacks: Some attackers attempt to intercept usernames and passwords when they are submitted via a web browser. If the attempt is successful, the attacker then uses the credentials to log in.

Keylogging malware: Certain types of malware are used in stealth mode to detect when a password is entered on a device. The malware then captures the information and sends it to a hacker’s account for reuse.

These tactics all exploit single-factor authentication. MFA mitigates them by introducing a second, or even third, step to verify identity.

Where does a multifactor authentication system fit in with identity management?

MFA is a strong security measure that addresses the issues inherent in single-factor authentication. In access management, MFA is used to request multiple verification methods whenever a person attempts to log in to an app or access a resource.

While MFA has been criticized in the past for hurting user experience, like requiring extra steps each time, a growing number of identity and access management (IAM) platforms now offer seamless ways to reduce friction. For instance, devices can be remembered or trusted for a defined time period or location. Conditional logic can limit prompts when risk is low (e.g., logging in from a familiar device on a corporate network). This makes it possible to balance security with usability.

Instances where using multifactor authentication would have mitigated a breach

MFA can’t prevent every cyberattack but it’s highly effective at stopping credential-based breaches. Consider these examples:

  • Uber (2022): A hacker used social engineering to trick an employee into handing over credentials. MFA could have prevented unauthorized access even after the password was stolen.

  • 23andMe (2023): 6.9 million customer accounts were breached through credential stuffing using data from previous leaks. MFA would have blocked access attempts with stolen passwords.

These breaches and other similar attacks could have been prevented if an additional authentication factor had been in place.

Multifactor authentication factors

MFA is based on a few types of secure authentication factors:

  1. Something you know (knowledge): Such as a password, the answer to a question, or a personal identification number (PIN).

  2. Something you have (possession): Such as a security code or token.

  3. Something you are (inherence): Such as a biometric authentication or a behavioral characteristic.

Sometimes a fourth authentication factor is included:

  4. Somewhere you are (location): The geolocation of an individual logging in can be enforced as a factor in controlling access.

By combining different factor types, MFA reduces the likelihood that attackers can access an account—even if they’ve obtained a password.

Examples of multifactor authentication methods

Multifactor authentication combines security and usability. The following examples show the different authentication methods used to apply multiple authentication factors.

Time-based one-time password (TOTP)

A code generated by an app like Google Authenticator or Microsoft Authenticator. These codes change every 30 seconds and are used after the user enters their password. They're widely adopted in both personal and enterprise environments.
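To make the "changes every 30 seconds" behaviour concrete, here is an added example (not code from the article or from any authenticator vendor) of the RFC 6238 TOTP algorithm that apps like Google Authenticator and the servers they log into both compute. It uses only the Python standard library; the shared secret is the published RFC 4226/6238 test key, not a real credential. The verifier side shows the two checks a server needs beyond generating the code: a small drift window so a slightly wrong clock still works, and refusal to accept a code from a time step that was already used.

```python
# Added example: RFC 6238 TOTP generation and server-side verification.
# Not code from the article or from any authenticator product.
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector key, used here as a constructed demo secret.
SECRET = b"12345678901234567890"
STEP = 30    # seconds per time step, the value used by common authenticator apps
DIGITS = 6   # length of the displayed code


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=STEP, digits=DIGITS):
    """RFC 6238: TOTP is HOTP with counter = floor(unix_time / step).
    This is what the authenticator app displays."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check for one user's secret.

    - Accepts the current step and +-`window` neighbouring steps to tolerate
      clock drift between the phone and the server.
    - Remembers the highest time step already accepted, so the same code (or an
      older one) cannot be replayed within its validity window.
    - Compares codes in constant time so timing does not leak matching digits.
    """

    def __init__(self, secret, window=1):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # no code accepted yet

    def verify(self, submitted, at=None):
        if at is None:
            at = int(time.time())
        counter = at // STEP
        for delta in range(-self.window, self.window + 1):
            candidate_counter = counter + delta
            if candidate_counter <= self.last_counter:
                continue  # this step (or an earlier one) was already consumed
            if hmac.compare_digest(hotp(self.secret, candidate_counter), submitted):
                self.last_counter = candidate_counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)
    verifier = TotpVerifier(SECRET)
    print(f"code for time step {now // STEP}: {code}")
    print("first submission accepted:", verifier.verify(code, now))
    print("replay of same code accepted:", verifier.verify(code, now))
```

The values at the fixed times in the test vectors (`hotp` counter 1 and `totp` at 59 seconds both yield 287082) match the RFC tables, which is the quickest way to confirm a home-grown or library implementation before trusting it.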

SMS text message code

After successful login with username and password, a one-time code is sent via text. The user must enter this within a set timeframe. Though still used, SMS codes are now considered less secure due to SIM-swapping risks.

Biometric

Biometric authentication, such as facial recognition, fingerprint scans, and behavioral biometrics, is used on mobile devices to control access. Biometrics are increasingly used to access bank apps and other financial services. Often, a biometric is associated with a username and password, which can be used as part of the recovery system if the biometric fails for some reason.

Security questions

Pre-set questions can be used to verify identity, especially during recovery. While still in use, they’re considered less secure due to the ease with which answers can be guessed or researched.

Physical token

These are physical devices like USB security keys (e.g., YubiKey) that are inserted into a device or tapped for NFC. They're among the strongest MFA options, especially in regulated or high-risk environments.

Is two-step verification the same as multifactor authentication?

They’re similar, but not exactly the same. Two-step verification (2SV) typically means using two steps to log in, but those steps might be from the same category (e.g., password + security question). Multifactor authentication (MFA) explicitly requires two or more different types of factors. That distinction makes MFA more secure in most implementations.

What is adaptive authentication?

Adaptive authentication, also known as risk-based or step-up authentication, adjusts MFA requirements based on real-time signals.

For example:

  • A login from a trusted device in the user’s home office might not trigger MFA.

  • A login from a new country might require biometric verification or a security key.

This contextual approach helps maintain security without interrupting users unnecessarily.
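The following added example (not code from the article or from any IAM product) puts two of the rules above into a small policy function: the distinction between two-step verification and MFA, which comes down to whether the completed methods span different factor categories, and the adaptive decision of what to demand based on device, network and location signals. The factor names, the point values in the risk score and the thresholds are this example's own assumptions; a real deployment would tune them to its own telemetry.

```python
# Added example: factor-category check plus an adaptive (risk-based) MFA decision.
# Not the article's code; category names, scores and thresholds are assumptions.
from dataclasses import dataclass

# Each authenticator mapped to one of the factor categories named in the article.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "security_question": "knowledge",
    "totp": "possession",
    "sms_code": "possession",
    "security_key": "possession",
    "push_approval": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}


def is_multifactor(methods):
    """True only if the completed methods cover at least two categories.
    password + security_question is two steps but one factor (2SV, not MFA)."""
    categories = {FACTOR_CATEGORY[m] for m in methods}
    return len(categories) >= 2


@dataclass
class LoginContext:
    known_device: bool            # device previously trusted by this user
    on_corporate_network: bool
    country: str                  # country of the current login
    home_country: str             # country the user normally logs in from
    failed_attempts_last_hour: int = 0


def risk_score(ctx):
    """Assumed additive scoring: each risky signal adds points."""
    score = 0
    if not ctx.known_device:
        score += 2
    if not ctx.on_corporate_network:
        score += 1
    if ctx.country != ctx.home_country:
        score += 4
    if ctx.failed_attempts_last_hour >= 3:
        score += 2
    return score


def required_level(ctx):
    """'none': trusted device on a known network, skip the prompt.
    'otp': moderate risk, any second factor from another category.
    'strong': new country or repeated failures, security key or biometric only."""
    score = risk_score(ctx)
    if score == 0:
        return "none"
    if score < 4:
        return "otp"
    return "strong"


# Which second-factor methods satisfy each level (assumed policy; SMS is left
# out of every level, in line with the article's note on SIM-swapping risk).
ACCEPTABLE = {
    "none": (),
    "otp": ("totp", "push_approval", "security_key", "fingerprint", "face"),
    "strong": ("security_key", "fingerprint", "face"),
}


def authorize(ctx, completed):
    """Decide whether a login with the given completed methods may proceed."""
    if "password" not in completed:
        return False
    level = required_level(ctx)
    if level == "none":
        return True
    if not any(m in ACCEPTABLE[level] for m in completed):
        return False
    return is_multifactor(completed)


if __name__ == "__main__":
    abroad = LoginContext(known_device=True, on_corporate_network=False,
                          country="US", home_country="DE")
    print("level for login from a new country:", required_level(abroad))
    print("password + TOTP accepted there:", authorize(abroad, ["password", "totp"]))
    print("password + security key accepted:", authorize(abroad, ["password", "security_key"]))
```

Note that `authorize` applies the category rule after the risk rule, so even at the lowest prompting level a password plus a security question is rejected: it never counts as a second factor.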

What are the benefits of using multifactor authentication?

MFA is a layered approach to security that makes unauthorized access more difficult. By using MFA to protect digital resources, a company reduces the risk of many types of cyberattack. An MFA solution prevents phishing, account compromise, identity theft, ransomware infection, and data breaches.

Implementing multifactor authentication helps an organization meet data security regulations including HIPAA, SOC 2, PCI-DSS, SOX, and GLBA.

Single sign-on (SSO) and risk-based authentication are MFA techniques for improving usability and security. SSO is an authentication method that enhances usability while reducing risks associated with a single-factor authentication approach.

Google Workspace and 2FA

Productivity applications such as Google Workspace support the use of 2FA (also known as 2-step verification or 2SV). Two-factor authentication for Google Workspace can be set up by the user directly or enforced by the service administrator. Google Workspace 2FA can be used to ensure that a specific team uses security keys with certain apps.

Available 2FA methods include:

  • Security keys (key fob)

  • Google prompt, text message, or phone call

  • Google Authenticator app

  • Backup codes

Admins can manage settings, exceptions, and policies through the Google Admin Console. This helps ensure that high-risk users or apps receive the right level of protection.

Common MFA missteps to watch for

Even with MFA in place, some pitfalls can reduce its effectiveness:

  • Relying only on SMS codes: These can be intercepted through SIM-swapping or phishing.

  • Prompt fatigue: Users may blindly approve push notifications if they’re prompted too often.

  • Partial implementation: Leaving some apps or users exempt creates weak spots.

  • User resistance: Poor onboarding or confusing setup processes may lead to non-compliance.

Addressing these challenges early with user education, smart defaults, and enforcement policies ensures MFA performs as intended.
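Prompt fatigue is the one misstep above that leaves a clear trace in authentication logs, so here is an added example (not code from the article or from any product) of two detections a security team can run over push-notification events: a sliding-window count of prompts per user, and an approval that follows a recent denial from the same user. Both point to a user being worn down by repeated prompts. The log format and the sample lines are constructed for this example; adapt the parser to your identity provider's export.

```python
# Added example: detecting MFA push-prompt fatigue in authentication logs.
# Not the article's code; log format, sample events and thresholds are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, one per line: "<ISO time> <user> <event> <source_ip>".
# alice: a normal login. bob: repeated prompts, one denial, then an approval.
SAMPLE_LOG = """\
2023-09-10T08:00:01 alice login_password_ok 10.0.0.5
2023-09-10T08:00:02 alice push_sent 10.0.0.5
2023-09-10T08:00:09 alice push_approved 10.0.0.5
2023-09-10T09:14:50 bob login_password_ok 203.0.113.9
2023-09-10T09:15:00 bob push_sent 203.0.113.9
2023-09-10T09:15:40 bob push_denied 203.0.113.9
2023-09-10T09:16:10 bob push_sent 203.0.113.9
2023-09-10T09:16:55 bob push_sent 203.0.113.9
2023-09-10T09:17:30 bob push_sent 203.0.113.9
2023-09-10T09:18:02 bob push_sent 203.0.113.9
2023-09-10T09:18:20 bob push_approved 203.0.113.9
"""

PROMPT_THRESHOLD = 4            # prompts within WINDOW that count as a storm (assumed)
WINDOW = timedelta(minutes=10)  # sliding window length (assumed)


def parse(log_text):
    """Turn the constructed log into (timestamp, user, event, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, event, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, event, ip))
    return events


def prompt_storms(events, threshold=PROMPT_THRESHOLD, window=WINDOW):
    """Sliding-window count of push_sent per user.
    Returns {user: highest number of prompts seen in any window} for users
    who reached the threshold."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, user, event, _ip in events:
        if event != "push_sent":
            continue
        queue = recent[user]
        queue.append(ts)
        while queue and ts - queue[0] > window:
            queue.popleft()
        if len(queue) >= threshold:
            flagged[user] = max(flagged.get(user, 0), len(queue))
    return flagged


def approvals_after_denial(events, window=WINDOW):
    """Approvals that follow a denial by the same user within `window`.
    A user who first denied and then approved in the same burst most likely
    gave in to the prompts rather than started a new login."""
    last_denied = {}
    hits = []
    for ts, user, event, ip in events:
        if event == "push_denied":
            last_denied[user] = ts
        elif (event == "push_approved" and user in last_denied
              and ts - last_denied[user] <= window):
            hits.append((user, ts.isoformat(), ip))
    return hits


def findings(log_text):
    """Combine both detections into one report keyed by user."""
    events = parse(log_text)
    report = defaultdict(list)
    for user, count in prompt_storms(events).items():
        report[user].append(f"{count} push prompts within {WINDOW}")
    for user, when, ip in approvals_after_denial(events):
        report[user].append(f"approval after denial at {when} from {ip}")
    return dict(report)


if __name__ == "__main__":
    for user, notes in findings(SAMPLE_LOG).items():
        print(user)
        for note in notes:
            print("  -", note)
```

A response to either finding is to disable plain push approval for the affected account and require number matching or a security key for the next login, which removes the "just tap approve" path the attacker in a prompt-bombing campaign relies on.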

How AccessOwl simplifies MFA rollout

Managing MFA across all your SaaS tools can be a logistical headache, especially when departments own their own apps.

AccessOwl makes it easy by:

  • Automatically detecting every SaaS app in use across the company.

  • Identifying which tools support MFA and which users have it enabled.

  • Highlighting enforcement gaps before attackers find them.

  • Syncing with your identity provider and HR system for centralized visibility.

Whether you're preparing for SOC 2, closing access gaps, or scaling your zero trust model, AccessOwl helps your team secure access without bottlenecks.