What Is Multifactor Authentication? The Single Best Habit for Your Accounts
Passwords get stolen constantly. Multifactor authentication is the cheap, powerful layer that keeps an attacker out even when they have your password. Here is how it works and which types to trust.
Picture the front door of your house. A single lock is fine until someone makes a copy of your key. Now imagine that even with a perfect copy of that key, the door still will not open unless the person also has a small fob that only you carry in your pocket. Suddenly the copied key is almost worthless on its own. That, in one sentence, is multifactor authentication, and it is the closest thing to a magic trick that everyday security has to offer.
If you do one single thing after reading this site, make it turning on multifactor authentication everywhere that offers it. Passwords leak, get guessed, and get phished every single day. Multifactor authentication, usually shortened to MFA, is the layer that keeps someone out even after they already have your password. It costs nothing, it takes a few minutes, and it quietly blocks the overwhelming majority of account takeovers. Let us walk through how it works, why it is so effective, and which versions of it are worth trusting.
First, what does authentication even mean?
Authentication is just a fancy word for proving you are who you claim to be. Every time you log in, a service is asking a simple question: can you show me some evidence that you are really the owner of this account? A password is one kind of evidence. It is a secret that, in theory, only you know.
The trouble is that a password is a weak kind of evidence, because secrets have a habit of not staying secret. People reuse the same password across dozens of sites. They pick things that are easy to guess. They get tricked into typing it into a fake page. And companies leak enormous lists of passwords in data breaches all the time. So relying on a password alone is like guarding your front door with a lock whose key has been photocopied and handed out around the neighbourhood.
The idea: proof from different categories
MFA means proving who you are with two or more factors from different categories. The word factor here simply means a piece of evidence. The three classic categories are:
- Something you know: a password or a PIN. Knowledge locked in your head.
- Something you have: a physical object you possess, such as your phone or a small security key.
- Something you are: a part of your body, such as a fingerprint or a face scan. This is called biometrics.
A password on its own is a single factor, and it lives entirely in the "know" category. If it leaks, that is the whole wall gone in one go. MFA adds a second piece of evidence from a different category, so that a stolen password by itself is no longer enough to get in.
Password only: know something -> in
MFA: know something + have something -> in

The "different category" part matters more than it might seem. Asking for a password and then a second password is not really multifactor, because both are things you know, and both can leak in the same breach. The strength comes from mixing categories. An attacker who steals your password from a leaked database still does not have the phone sitting in your pocket, and they cannot borrow your fingerprint over the internet.
Why this is such a big deal
Most account takeovers start with a password that was reused, guessed, or phished. A second factor means the attacker also needs your physical device, which they usually do not have. That one extra step blocks the large majority of these attacks, which is why security teams treat MFA as the highest-value habit there is.
A quick example of MFA in action
Imagine an attacker buys a list of leaked email addresses and passwords on a shady forum, and yours is on it because a shopping site you used years ago got breached. They try your password on your email account. Here is how the two worlds differ.
Without MFA: attacker types your password -> they are in your inbox
With MFA: attacker types your password -> service asks for a code
          -> code is on YOUR phone, not theirs -> they are stuck

That second version is what plays out millions of times a day. The attacker has done everything right from their point of view, and they still hit a wall, because the last piece of the puzzle is a device they cannot reach. This is why turning MFA on is so worthwhile even if you feel confident about your passwords. It protects you from mistakes you did not even know you had made.
Not all second factors are equal
Here is the part most guides skip. MFA is not one thing, it is a spectrum, and the different types are not equally strong. From weakest to strongest:
- SMS codes. A short code is texted to your phone and you type it in. This is much better than nothing, and if it is the only option offered, use it. But it has a real weakness called SIM swapping, where an attacker sweet-talks or bribes your mobile carrier into moving your phone number onto a card in their own phone. Once they control your number, the text messages arrive on their device, not yours. Text messages can also sometimes be intercepted. Prefer something stronger where you can.
- Authenticator apps. These are free apps that generate a rotating six-digit code that changes every thirty seconds or so. The technical name for this is TOTP, which stands for time-based one-time password. The code is calculated on your device from a shared secret and the current time, so no phone signal is needed and there is no phone number for an attacker to hijack. This is a solid, widely available choice and a big step up from SMS.
- Push approvals. Instead of typing a code, the service sends a "was this you?" prompt to an app on your phone, and you tap approve or deny. This is convenient and quite secure, but it has a specific weakness called MFA fatigue, described just below.
- Passkeys and hardware security keys. A passkey is a modern login method that lives on your phone or computer and uses your fingerprint or face to confirm it is you, while a hardware security key is a small physical device you tap or plug in. Both are built on open standards called FIDO2 and WebAuthn. Their superpower is that they are phishing resistant. The key or passkey silently checks that it is talking to the genuine website before it responds, so even if you are fooled by a convincing fake page, the login simply will not complete. This is the strongest option available today.
If you are unsure where to start, an authenticator app is the sweet spot for most people: free, easy, and far stronger than SMS. If a service supports passkeys or hardware keys, and it is an important account like your email or your bank, that is even better.
Why phishing resistance is the gold standard
Codes and push prompts can be relayed. A patient attacker builds a fake login page, you type your password and read out or forward the code, and they pass it to the real site within seconds. A passkey or hardware key defeats this because it refuses to authenticate to the wrong web address in the first place. The trust is built into the maths, not into you spotting the fake.
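The origin check that makes passkeys and security keys phishing resistant, mentioned in the bullet above and in the relay scenario just described, fits in a few dozen lines. The following is an added example, not code from the original page or from any FIDO or WebAuthn implementation: a Python model of the three parties, the authenticator, the browser, and the website (the relying party). The browser, not the page, writes the origin into the client data that gets signed, and the relying party rejects any assertion whose origin or rpIdHash is not its own, so a challenge relayed through a lookalike site cannot produce a usable login. Two simplifications are assumptions of this model and not how the standard works in full: the relying-party id is taken to be the origin's host, and an HMAC stands in for the public-key signature a real authenticator produces (the standard library has no ECDSA), which leaves the origin-binding logic being demonstrated unchanged.

```python
import base64
import hashlib
import hmac
import json
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def rp_id_for(origin: str) -> str:
    # Assumption of this model: the relying-party id is the origin's host. Real browsers also
    # allow a registrable parent domain, but never a host that is not a suffix of the real one.
    return origin.split("://", 1)[1].split("/", 1)[0]


class Authenticator:
    """Model of a passkey or security key. Each credential is bound to one rpId at creation."""

    def __init__(self):
        self._creds = {}  # rpId -> (credential_id, key)

    def make_credential(self, rp_id: str):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key  # a real device would hand back only the public half

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        if rp_id not in self._creds:
            return None  # no credential scoped to this site: the device has nothing to sign
        cred_id, key = self._creds[rp_id]
        authenticator_data = sha256(rp_id.encode())  # rpIdHash, first 32 bytes of authData
        signed = authenticator_data + sha256(client_data_json)
        signature = hmac.new(key, signed, hashlib.sha256).digest()  # HMAC stands in for ECDSA
        return cred_id, authenticator_data, client_data_json, signature


def browser_get_assertion(authenticator: Authenticator, page_origin: str, challenge: str):
    """The browser, not the page, fills in the origin; a page cannot lie about where it is."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    client_data_json = json.dumps(client_data, sort_keys=True).encode()
    return authenticator.get_assertion(rp_id_for(page_origin), client_data_json)


class RelyingParty:
    """The website's side: issues challenges and verifies the assertion that comes back."""

    def __init__(self, origin: str):
        self.origin, self.rp_id = origin, rp_id_for(origin)
        self._keys = {}        # credential_id -> key (a public key in reality)
        self._pending = set()  # challenges issued but not yet consumed

    def register(self, authenticator: Authenticator):
        cred_id, key = authenticator.make_credential(self.rp_id)
        self._keys[cred_id] = key

    def start_login(self) -> str:
        challenge = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
        self._pending.add(challenge)
        return challenge

    def finish_login(self, assertion) -> bool:
        if assertion is None:
            return False
        cred_id, authenticator_data, client_data_json, signature = assertion
        client_data = json.loads(client_data_json)
        if client_data.get("type") != "webauthn.get":
            return False
        if client_data.get("origin") != self.origin:
            return False  # signed for another site: this is the check that defeats relay phishing
        if client_data.get("challenge") not in self._pending:
            return False  # unknown or already-consumed challenge (replay)
        if not hmac.compare_digest(authenticator_data[:32], sha256(self.rp_id.encode())):
            return False  # rpIdHash belongs to a different relying party
        key = self._keys.get(cred_id)
        if key is None:
            return False
        expected = hmac.new(key, authenticator_data + sha256(client_data_json), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False
        self._pending.discard(client_data["challenge"])
        return True


def run_scenarios() -> dict:
    """Genuine login versus the same challenge relayed through a lookalike origin."""
    device = Authenticator()
    bank = RelyingParty("https://bank.example")
    bank.register(device)
    results = {}

    # 1. Genuine login: the user is on the real site.
    challenge = bank.start_login()
    results["genuine"] = bank.finish_login(browser_get_assertion(device, bank.origin, challenge))

    # 2. Relay: a lookalike page forwards the real challenge. The browser reports the lookalike
    #    origin, the device holds no credential for that rpId, so no assertion is produced at all.
    challenge = bank.start_login()
    results["relayed_no_credential"] = bank.finish_login(
        browser_get_assertion(device, "https://bank-example.com", challenge))

    # 3. Same relay, but suppose the user also holds a passkey for the lookalike domain. An
    #    assertion now exists, yet it names the wrong origin and rpIdHash, so the real site rejects it.
    RelyingParty("https://bank-example.com").register(device)
    challenge = bank.start_login()
    results["relayed_wrong_origin"] = bank.finish_login(
        browser_get_assertion(device, "https://bank-example.com", challenge))
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Scenario 2 is the normal outcome of a phishing attempt against a passkey: the device never signs anything for the wrong site. Scenario 3 shows that even if it did, the origin and rpIdHash are inside the signed data, so the genuine site can tell the assertion was not made for it.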
MFA fatigue
Attackers who already have your password sometimes spam push approvals over and over, hoping you tap "approve" out of annoyance, confusion, or by accident, perhaps at three in the morning when a prompt wakes you up. If you get approval prompts you did not trigger, deny them and change your password immediately. Someone has it, and they are knocking on the door.
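From the service or security-team side, the spamming described here shows up in the login logs as a burst of push prompts for one account. The following added example (not from the original page, and not any vendor's detection rule) runs a per-user sliding-window count over a few constructed log lines: it flags an account that receives five or more prompts within five minutes and records whether an approval landed while the burst was still active, which is the outcome that warrants an immediate password reset. The log format, the threshold and the window are assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an identity provider's push-notification log (not real data).
# Each line: ISO-8601 UTC timestamp, then key=value fields.
SAMPLE_LOG = """\
2024-05-01T03:01:02Z user=alice event=push_sent
2024-05-01T03:01:20Z user=alice event=push_denied
2024-05-01T03:01:41Z user=alice event=push_sent
2024-05-01T03:02:05Z user=alice event=push_sent
2024-05-01T03:02:40Z user=alice event=push_sent
2024-05-01T03:03:12Z user=alice event=push_sent
2024-05-01T03:03:50Z user=alice event=push_sent
2024-05-01T03:04:02Z user=alice event=push_approved
2024-05-01T09:00:00Z user=bob event=push_sent
2024-05-01T09:00:07Z user=bob event=push_approved
2024-05-01T10:00:00Z user=carol event=push_sent
2024-05-01T10:00:09Z user=carol event=push_approved
2024-05-01T10:40:00Z user=carol event=push_sent
2024-05-01T10:40:05Z user=carol event=push_approved
"""


def parse_line(line: str):
    """Split one log line into (timestamp, fields dict)."""
    stamp, rest = line.split(" ", 1)
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return ts, fields


def detect_push_bombing(log_text: str, window: timedelta = timedelta(minutes=5),
                        threshold: int = 5) -> dict:
    """Return {user: {"max_prompts": n, "approved_during_burst": bool}} for every account that
    received at least `threshold` push prompts inside any `window`-long period."""
    recent_prompts = defaultdict(deque)  # user -> timestamps of push_sent still inside the window
    burst_active_until = {}              # user -> time until which an approval counts as "during burst"
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, fields = parse_line(line)
        user, event = fields["user"], fields["event"]
        if event == "push_sent":
            q = recent_prompts[user]
            q.append(ts)
            while ts - q[0] > window:  # drop prompts that have fallen out of the window
                q.popleft()
            if len(q) >= threshold:
                entry = findings.setdefault(user, {"max_prompts": 0, "approved_during_burst": False})
                entry["max_prompts"] = max(entry["max_prompts"], len(q))
                burst_active_until[user] = ts + window
        elif event == "push_approved" and user in burst_active_until and ts <= burst_active_until[user]:
            findings[user]["approved_during_burst"] = True  # the bad outcome: a prompt was accepted
    return findings


if __name__ == "__main__":
    for user, info in detect_push_bombing(SAMPLE_LOG).items():
        print(f"{user}: {info['max_prompts']} prompts in a 5-minute window, "
              f"approved during burst: {info['approved_during_burst']}")
```

In the sample, alice is the only account flagged: six prompts in under three minutes, and the last one approved. bob's single prompt and carol's two prompts forty minutes apart are normal use and stay below the threshold.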
Recovery codes: your spare key
When you turn on MFA, most services offer you a set of one time backup codes, sometimes called recovery codes. These are your safety net for the day you lose your phone or your security key. Each code works once to get you back into your account.
Treat these codes with the same care as the account itself. Print them out or save them somewhere safe, such as a locked drawer or your password manager, and do not leave them sitting in a screenshot on the phone you might lose. Without them, losing your only second factor can mean losing access to the account entirely, which is a frustrating way to learn this lesson.
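As an added example of what happens on the service side (not code from the original page or from any particular provider), here is how a service can issue recovery codes and honour the "each code works once" rule: codes are random, only their hashes are stored, each hash is deleted the moment it is redeemed, and input is normalised so a code typed in capitals or without the hyphens still works. The alphabet, code length and number of codes are assumptions chosen for this example.

```python
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (0/O, 1/l/I) so a printed code is easy to read back.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def normalize(code: str) -> str:
    """Accept the code however the user typed it: any case, with or without hyphens or spaces."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def _digest(code: str) -> str:
    return hashlib.sha256(normalize(code).encode()).hexdigest()


class RecoveryCodeStore:
    """Server-side record of one user's unused recovery codes. Only hashes are kept at rest, and a
    code's hash is deleted the moment it is redeemed, which is what enforces single use."""

    def __init__(self, codes):
        self._unused = {_digest(c) for c in codes}

    def redeem(self, submitted: str) -> bool:
        target = _digest(submitted)
        # hmac.compare_digest keeps the comparison constant-time. With hashed values a plain set
        # lookup would also be defensible; the habit costs nothing here.
        matched = [h for h in self._unused if hmac.compare_digest(h, target)]
        if not matched:
            return False
        self._unused.discard(matched[0])  # spent: the same code can never be accepted again
        return True

    def remaining(self) -> int:
        return len(self._unused)


def generate_recovery_codes(count: int = 10, groups: int = 2, group_len: int = 5):
    """Create `count` random codes shaped like 'k7mpq-x3ztn'.

    Returns (plaintext codes to show the user exactly once, the store to keep server-side).
    Ten characters from a 31-symbol alphabet give about 49 bits of randomness, which is ample for
    a one-shot code behind a rate-limited login form.
    """
    codes = []
    for _ in range(count):
        parts = ["".join(secrets.choice(ALPHABET) for _ in range(group_len)) for _ in range(groups)]
        codes.append("-".join(parts))
    return codes, RecoveryCodeStore(codes)


if __name__ == "__main__":
    codes, store = generate_recovery_codes()
    print("show these to the user once:", codes)
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

The plaintext list exists only at the moment it is shown to the user; after that the service can confirm a code but cannot reproduce it, which is why a lost sheet of codes means generating a fresh set rather than recovering the old one.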
Set up a second factor, not just a first
Where a service allows it, register two methods, for example an authenticator app and a hardware key, or your phone and a spare. If one is lost or breaks, the other keeps you in. A locked-out account is a real cost of MFA that a little planning avoids entirely.
Passwords still matter
It is tempting to think that once MFA is on, the password no longer counts. That is not quite right. MFA is a safety net, not a licence to use weak or reused passwords. Some login flows fall back to the password in certain situations, and every layer you keep strong is one more thing standing between an attacker and your account.
The best combination is simple: pair MFA with a password manager that generates a long, unique, random password for every site. That way a leak on one site cannot be used to unlock the others, and your second factor is there as backup rather than as the only thing saving you. If you want to understand why length and uniqueness matter so much, the password hashing primer explains what actually happens to a stolen password behind the scenes, and the password manager guide walks through how to end reuse for good.
Where to turn it on first
You do not have to do everything at once. Start with the accounts that would hurt the most if someone else controlled them, and work outward. A sensible order:
1. Your primary email (it can reset every other account, so protect it first)
2. Your password manager
3. Banking and financial accounts
4. Anything with your money or your identity stored in it
5. Social media and everything else

Your email deserves the top spot because it is the master key to your digital life. If an attacker owns your inbox, they can click "forgot password" on almost every other service and reset their way in. Lock that door first, and much of the rest gets easier.
A common worry, answered
Some people hold off on MFA because they fear the hassle, or worry they will get locked out. Both concerns are fair, and both are smaller than they seem. In day-to-day use, MFA usually means one extra tap or one code every so often, and many services let you mark a device as trusted so you are not prompted every single time on your own laptop. As for lockouts, the recovery codes and a backup method described above are exactly what prevent them. A few minutes of setup buys you a great deal of protection, and the ongoing cost is close to nothing.
The takeaway
Multifactor authentication asks for proof from more than one category, so a stolen password alone is not enough to get in. It is the single highest-value security habit available to almost anyone, and it takes only minutes to set up. Turn it on everywhere, starting with your email and your password manager. Prefer an authenticator app, a passkey, or a hardware key over SMS, and treat passkeys and hardware keys as the gold standard because they resist phishing outright. Save your recovery codes somewhere safe, register a backup method so you never lock yourself out, stay alert to approval prompts you did not trigger, and pair the whole thing with unique passwords from a password manager. Do that, and even on the day your password leaks, the person holding it will find your front door still firmly shut.