What is multi-factor authentication (MFA / 2FA), and where does its added security actually come from?
MFA requires a second, independent proof beyond the password — security comes from that independent channel plus one-time use.
Passwords alone can be too short, written down somewhere, reconstructed from leaked hash lists, or reused. Multi-factor authentication (also "two-factor", 2FA/ZFA) adds a second factor, e.g.:
- a banking or authenticator app
- SMS or (photo-)TAN codes
The security comes from two properties:
- Independent path — the second factor travels a separate channel (your phone), which helps defeat man-in-the-middle attacks on the password channel.
- One-time use — codes are one-time passwords (OTP), so capturing one doesn't help later.
Why a stolen password is no longer enough: even if the attacker knows your password, they can't produce the second, time-limited factor from your separate device.
Tip: App-based or hardware OTP is stronger than SMS (SIM-swapping can hijack SMS). But any MFA beats password-only — it's the single highest-impact account protection.