MFA: Definition and Compliance Guide

MFA (Multi-Factor Authentication)

Multi-factor authentication is a security mechanism that requires users to provide two or more verification factors to access an account or system. Factors include something you know (password), something you have (phone/token), and something you are (biometrics).

cybersecurityauthenticationaccess control2FAsecurity

Why It Matters

Passwords alone are not enough. 80% of breaches involve compromised credentials (Verizon DBIR). Even strong, unique passwords can be stolen through phishing, data breaches, or credential stuffing. MFA adds a second layer of defense that makes stolen passwords nearly useless. Regulators increasingly require or strongly recommend MFA — NIS2, NIST, PCI DSS, and GDPR all point to it as an essential security measure.

The Three Authentication Factors

MFA combines two or more of these categories:

Factor	Description	Examples
Knowledge	Something you know	Password, PIN, security question
Possession	Something you have	Phone (SMS code, authenticator app), hardware token, smart card
Inherence	Something you are	Fingerprint, face recognition, iris scan, voice

Two-factor authentication (2FA) is the most common form — typically password + phone-based code.

MFA Methods Ranked by Security

Hardware security keys (FIDO2/WebAuthn) — strongest, phishing-resistant
Authenticator apps (TOTP) — strong, time-based codes generated on device
Push notifications — convenient but vulnerable to MFA fatigue attacks
SMS codes — better than nothing but vulnerable to SIM swapping and interception
Email codes — weakest MFA; if email is compromised, MFA is bypassed

Regulatory Requirements

NIS2 — requires "multi-factor authentication or continuous authentication solutions" as a minimum security measure
NIST SP 800-63B — defines authenticator assurance levels requiring MFA for moderate and high confidence
PCI DSS 4.0 — requires MFA for all access to the cardholder data environment
GDPR — doesn't explicitly mandate MFA, but regulators cite its absence as inadequate security (Article 32)
HIPAA — MFA is an addressable safeguard for ePHI access

Implementation

Enable MFA for all remote access first (VPN, cloud apps, email)
Prioritize privileged accounts (administrators, finance, executives)
Use authenticator apps or hardware keys over SMS where possible
Plan for MFA recovery — backup codes, admin reset procedures
Train employees on MFA fatigue attacks (repeated push notifications from attackers)

MFA (Multi-Factor Authentication)

cybersecurityauthenticationaccess control2FAsecurity

Factor

Description

Examples

Knowledge

Something you know

Password, PIN, security question

Possession

Something you have

Phone (SMS code, authenticator app), hardware token, smart card

Inherence

Something you are

Fingerprint, face recognition, iris scan, voice

MFA (Multi-Factor Authentication)

Why It Matters

The Three Authentication Factors

MFA Methods Ranked by Security

Regulatory Requirements

Implementation

NIS2 Directive: Who Must Comply? The Definitive Guide to Scope, Sectors, and Obligations in 2026

Compliance Glossary: Key Terms and Definitions 2026

CISO Roles and Responsibilities: The Complete Guide for 2026

Want more than the definition?

MFA (Multi-Factor Authentication)

Why It Matters

The Three Authentication Factors

MFA Methods Ranked by Security

Regulatory Requirements

Implementation

NIS2 Directive: Who Must Comply? The Definitive Guide to Scope, Sectors, and Obligations in 2026

Compliance Glossary: Key Terms and Definitions 2026

CISO Roles and Responsibilities: The Complete Guide for 2026

Want more than the definition?