What does 2FA / MFA add on top of a password, and why does it dramatically reduce account takeover risk?
MFA combines something you know (password) with something you have (phone, key) or are (fingerprint) — so a stolen password alone isn't enough.
* True MFA combines factors from different categories: Know, Have, Are. *
The three factors:
| Factor | Examples |
|---|---|
| Know | Password, PIN, security questions |
| Have | Phone (SMS/app), hardware key, smartcard |
| Are | Fingerprint, face, voice |
True MFA requires factors from different categories — password + security question is just two "know" factors, not real MFA.
Why it works:
Attackers might phish or brute-force your password, but they probably can't simultaneously steal your phone or your fingerprint. Microsoft research showed MFA blocks 99.9% of automated account takeover attacks.
Strength ranking (weakest → strongest):
- SMS codes — vulnerable to SIM swapping
- TOTP apps (Authy, Google Authenticator) — better, but phishable
- Push notifications — good, but vulnerable to MFA fatigue
- FIDO2 / hardware keys (YubiKey, Passkeys) — phishing-proof
Tip: OTP = One-Time Password — a 6-digit code that expires in 30 seconds. Even if intercepted, it's useless after expiry.
Go deeper:
Multi-factor authentication (Wikipedia) — defines the know/have/are factor categories.
NIST SP 800-63B — authoritative authenticator assurance levels and what counts as a second factor.