One password is a gamble. MFA is a guarantee. Learn how layered authentication keeps attackers out — even when your password is already compromised.
Every MFA system draws from three fundamental categories — each defending against a different class of attack.
Something you know: passwords, PINs, security questions. The most familiar factor — but also the most vulnerable to phishing, brute force, and credential stuffing attacks.
Something you have: a phone, hardware token, or smart card. Even if your password leaks, attackers are blocked without physical access to your device.
Something you are: fingerprints, facial recognition, retinal scans. Biometric factors are unique to you and nearly impossible to replicate — though not immune to sophisticated attacks.
Passwords alone are the weakest link. They're reused, leaked, phished, and cracked. Even a complex password is worthless if it's been sold on the dark web.
Credential stuffing — attackers use lists of stolen username/password pairs to attempt logins at scale. MFA blocks this entire attack class.
Time-based One-Time Passwords generated by apps like Google Authenticator or Authy. The app and server share a secret key and compute the same 6-digit code using the current time. Codes refresh every 30 seconds and work offline.
Unlike SMS, TOTP doesn't rely on your phone carrier — meaning SIM-swap attacks are completely neutralised. The algorithm (RFC 6238) is an open standard implemented by thousands of services worldwide.
Physical keys like YubiKey implement the FIDO2/WebAuthn standard. Authentication is based on public-key cryptography — the private key never leaves the device. The key also binds its signed response to the website's origin, so a look-alike site cannot obtain a response that works on the real one, making phishing technically impossible.
Considered the gold standard for high-security environments. Used by Google, GitHub, and most government agencies for privileged access.
A one-time code sent via SMS to a registered phone number. By far the most widely deployed MFA method due to its zero-setup requirement for end users. NIST no longer recommends SMS as a primary second factor due to known vulnerabilities in the SS7 protocol.
Despite its flaws, SMS MFA still blocks the vast majority of automated attacks. Even imperfect MFA is dramatically better than no MFA at all.
Fingerprint scanners, Face ID, and iris recognition authenticate using physiological characteristics unique to each person. Biometrics are increasingly used as both a standalone factor and combined with hardware (Passkeys / FIDO2 with biometric unlock).
Key privacy consideration: biometric templates should never leave the device. On-device matching (as used in Apple/Android) is secure; cloud-stored biometrics introduce significant risk.
Machine learning analyzes login context — location, device, time of day, behavior patterns — and dynamically decides how much authentication friction to apply. Low-risk logins from known devices pass with minimal challenge; suspicious logins trigger step-up authentication.
This approach optimizes both security and user experience, reducing unnecessary friction for legitimate users while responding proportionally to real threat signals.
Select your scenario to see the recommended MFA approach.
Accessing personal social media or email from your usual home device — low-value target.
SMS OTP is sufficient. Enable 2FA on all accounts immediately.