Multi Factor Authentication

Combine factors from different categories so a stolen password is not enough.

Passwords Alone Fail

Passwords get phished, reused, and leaked in breaches. If a password is the only thing standing between an attacker and an account, one leak is game over. Multi-factor authentication (MFA) adds independent checks.

The Three Factor Categories

  • Something you know, such as a password or PIN.
  • Something you have, such as a phone, security key, or token app.
  • Something you are, such as a fingerprint or face.

True MFA combines factors from different categories, so two passwords are not MFA.

Why It Helps

  • An attacker who steals the password still lacks the second factor.
  • It blunts large-scale credential stuffing from reused passwords.
  • Prefer app-based or hardware factors over SMS, which is vulnerable to SIM swapping.
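
An added example, not part of the original lesson: a Python policy check that applies the category rule and the SMS preference above to the set of methods a user has passed. The method names and the CATEGORY mapping are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed mapping of authenticator methods to the three factor categories.
# Method names are illustrative and not taken from any product.
CATEGORY = {
    "password": "know",
    "pin": "know",
    "totp_app": "have",
    "hardware_key": "have",
    "sms_code": "have",
    "fingerprint": "are",
    "face": "are",
}

# Possession factors tied to a phone number, so a SIM swap defeats them.
SIM_SWAP_EXPOSED = {"sms_code"}


@dataclass
class Verdict:
    is_mfa: bool = False
    categories: set = field(default_factory=set)
    warnings: list = field(default_factory=list)


def evaluate_login(verified_methods):
    """Decide whether the methods a user passed amount to true MFA."""
    verdict = Verdict()
    for method in verified_methods:
        category = CATEGORY.get(method)
        if category is None:
            # Fail closed: an unrecognised method never counts as a factor.
            verdict.warnings.append(f"unknown method ignored: {method}")
            continue
        verdict.categories.add(category)
    # MFA needs two *different* categories, not just two methods.
    verdict.is_mfa = len(verdict.categories) >= 2
    if verdict.is_mfa:
        # Categories still covered if every SMS-based factor is discounted.
        strong = {CATEGORY[m] for m in verified_methods
                  if m in CATEGORY and m not in SIM_SWAP_EXPOSED}
        if len(strong) < 2:
            verdict.warnings.append(
                "second factor relies on SMS; prefer an app or hardware key")
    return verdict
```
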

Key idea

MFA requires factors from different categories, so a stolen password alone cannot unlock the account.

Check yourself

1. Which combination is true MFA?

2. Why is SMS a weaker second factor?