As passwords routinely fail to protect users, multi-factor authentication (MFA) is fast emerging as the new gold standard of cybersecurity. By adding extra layers of protection, MFA is able to block fraudulent login attempts with up to 99.9% accuracy, making it a natural form of defense for security-savvy businesses.
Enabling MFA to protect your systems isn’t quite as easy as flicking a switch, however. First, you need to understand how the mechanism works, before deciding which type of authentication factor would work best for your team.
We cover everything you need to know about MFA, including why choosing not to embrace the authentication method is no longer a luxury businesses can afford to take in 2025.
What Is Multi-Factor Authentication?
Multi-factor authentication is a security process used to verify a user’s identity. The method requires users to supply at least two pieces of evidence to log into an account, including a regular password and an additional verification method. For example, an MFA system may send a one-time password to your phone or email account, or require you to use facial recognition to confirm your identity.
How Does Multi-Factor Authentication Work?
Multi-factor authentication works by collecting two or more forms of identification from users when they register their accounts, then checking those factors each time they log in.
Step 1: Registration
When a user creates an account, they will be asked to enter additional information that can be used as a secondary way to verify their identity. This could be a cell phone number, email address, biometric information like a fingerprint or facial scan, or codes from a hardware fob or authenticator app.
This information, along with the user’s username and password, is then stored in the system for future login attempts.
Step 2: First-factor authentication
When a user attempts to log back into their account, they will be required to enter the basic login information – namely usernames and passwords. If they enter the correct details, the system will prompt for a second form of authentication.
Step 3: Second-factor authentication
The MFA system will then request a second form of authorization. Users can input this information by entering a code they received on a virtual or physical device or scanning their biometric features – depending on which authentication method the system requires.
The system will then verify or deny the user, and in the latter case, offer recovery methods like security questions or backup codes.
In some instances, the security check will require three forms of identification to access a system or account. This method, called three-factor authentication (3FA), works in a similar way to 2FA but is more likely to involve a physical token to authorize access.
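The three steps above, sketched as an added example (not code from this article or from any vendor it mentions). It assumes the second factor is an authenticator-app code generated per RFC 6238 (TOTP) and that recovery uses single-use backup codes; the in-memory `USERS` store and all function names are hypothetical.

```python
import hashlib, hmac, secrets, struct, time

USERS = {}  # hypothetical in-memory stand-in for the credential store

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def totp(secret, at, step=30, digits=6):
    """RFC 6238 code for the 30-second window containing Unix time `at`."""
    mac = hmac.new(secret, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def register(username, password):
    """Step 1: store a salted password hash, a TOTP secret and hashed backup codes."""
    salt, secret = secrets.token_bytes(16), secrets.token_bytes(20)
    backup = [secrets.token_hex(4) for _ in range(3)]
    USERS[username] = {
        "salt": salt, "pw": _pw_hash(password, salt), "secret": secret,
        "backup": {hashlib.sha256(c.encode()).hexdigest() for c in backup},
        "last_counter": -1,
    }
    return secret, backup  # shown to the user once (the secret usually as a QR code)

def check_password(username, password):
    """Step 2: first factor, compared in constant time."""
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["pw"], _pw_hash(password, user["salt"]))

def check_second_factor(username, code, now=None):
    """Step 3: call only after step 2 passes. Returns 'totp', 'backup' or None."""
    user = USERS[username]
    now = time.time() if now is None else now
    for drift in (-1, 0, 1):  # tolerate one window of clock skew
        counter = int(now) // 30 + drift
        expected = totp(user["secret"], counter * 30)
        if counter > user["last_counter"] and hmac.compare_digest(expected.encode(), code.encode()):
            user["last_counter"] = counter  # a code cannot be replayed
            return "totp"
    digest = hashlib.sha256(code.encode()).hexdigest()
    if digest in user["backup"]:
        user["backup"].remove(digest)  # recovery codes are single-use
        return "backup"
    return None
```

Rejecting any code at or before the last accepted time window is what stops a phished or shoulder-surfed code from being reused within its 30-second lifetime.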
Different Types of Multi-Factor Authentication
Businesses that rely on MFA get to choose between a wide range of secondary factors to verify the identity of users. These authentication factors can be grouped into three distinct categories, which we explore below:
1. Things you know
Otherwise known as ‘knowledge factors’, ‘things you know’ factors rely on information that a user has previously committed to memory, kept a record of, or stored in a system like a password manager.
Examples include passwords comprised of a string of characters (that differ from the user’s primary authentication method), swipe patterns on mobile devices, or security questions like ‘What’s your mother’s maiden name?’ and ‘What was the profession of your grandfather?’.
This MFA method is generally reliable, as long as bad actors don’t have access to your personal information, or aren’t capable of cracking four-digit PINs and simple passwords with brute-force methods.
2. Things you have
‘Things you have’ or ‘possession-based authentication’ involves users verifying their identity via something they uniquely own.
This can refer to physical devices, like mobile phones, hardware fobs, display cards, or digital assets like third-party authenticator apps, or email accounts. For example, major software systems like Microsoft and Google both offer their own authenticator app which randomly generates a code for users looking to gain entry to their accounts, and the same process applies to hardware devices.
‘Things you have’ factors are generally considered to be more secure than ‘things you know’ factors, especially if the code is sent to physical devices like fobs and security tokens, which are much harder to breach than online systems.
3. Things you are
Lastly, ‘things you are’ or ‘inherence’ methods rely on physical features or behavioral traits that are unique to users. This method largely involves biometric verification methods, including facial recognition, fingerprint scans, retina or iris scans, voice recognition, and behavioral biometrics like keystroke dynamics.
Biometric and behavioral methods are easily the most efficient secondary authentication factors as they don’t require users to switch to other applications or commit any information to memory. It’s also near-impossible for biometric data to be stolen or replicated by criminals, making them more secure than ‘things you know’ and ‘things you have’ factors.
However, despite the strengths of biometric verification, the authentication method does rely on collecting extremely sensitive information from individuals. While this poses no issues in the majority of cases, if the data isn’t collected and stored securely, it could place users at higher risk of falling victim to identity theft.
Why Should Businesses Enable Multi-Factor Authentication?
For businesses serious about fortifying their systems’ security in 2025, enabling multi-factor authentication isn’t just a nice-to-have, it’s a necessity. This is especially the case for those operating in industries like healthcare, education, and finance, and for other businesses handling particularly sensitive data.
If – for some reason – you need any more convincing, we outline why it is worth enabling the safeguard next.
Protects businesses against cyber threats
Instances of cyberattacks have vastly increased in recent years, costing global businesses an estimated $9.5 trillion in 2024 alone, and compromising unmeasurable amounts of individual and company data. As the number of attacks proliferates, so does their level of sophistication, as evolving technology like AI makes it easier than ever for opportunists to identify vulnerabilities.
While stand-alone passwords were once considered an adequate form of defense, this is no longer the case in 2025. Research shows that 7-character passwords can be cracked in an average of two seconds – even if they contain a mixture of numbers, upper case, and lower case letters – while weaker passwords can be breached instantly.
Therefore, by pairing password controls with additional verification methods, businesses are considerably less likely to fall victim to types of cybercrime like phishing attacks, brute force attacks, and credential stuffing. In fact, with research from Microsoft revealing that MFA makes you 99.9% less likely to be hacked, deploying the security method really should be a no-brainer.
Reduces human error
In addition to reducing the fallout caused by external threats, MFA can also drastically reduce cases of human error.
One key way it can do this is by mitigating risks associated with lost or stolen devices. For instance, if an employee loses their laptop or smartphone – or any other device containing sensitive information – MFA safeguards will make it nearly impossible for attackers to gain access to systems on the device.
MFA systems also include useful security features that alert users when bad actors try to log into their accounts from unusual locations. These alerts are instrumental in preventing company systems from being compromised, as they give users a chance to block suspicious behavior before any damage occurs.
Helps businesses comply with regulations
Due to MFA’s powerful ability to reduce cybersecurity risks, many industries require businesses to use the safeguard in order to meet compliance standards.
For instance, the security practice helps businesses comply with regulations like the Health Insurance Portability and Accountability Act (HIPAA) in healthcare, the Payment Card Industry Data Security Standard (PCI DSS) in financial industries, and the General Data Protection Regulation (GDPR) if they operate within Europe.
Businesses outside of these industries and jurisdictions may also benefit from using MFA in order to avoid hefty fines and legal consequences, so it’s always better to do your research than risk facing penalties.
Multi-Factor Authentication and AI
As artificial intelligence continues to move forward by leaps and bounds, its incorporation into MFA is able to make the verification method even more secure.
One way AI is able to level up MFA is by assessing the risk associated with each login attempt by considering factors like device type, time of access, and user location. If a login attempt seems to be suspicious, additional authentication methods can be triggered, helping to keep risks to a minimum.
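The risk assessment described above, and the unusual-location alerts mentioned earlier, as an added example that is not from the original article. It uses fixed rules rather than a trained model, so it stands in for the AI scoring only in shape; the profile fields, thresholds and sample logins are constructed for illustration.

```python
import math
from datetime import datetime, timezone

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))

def assess_login(profile, attempt, max_kmh=900):
    """Return (decision, reasons) for one login attempt against the user's history."""
    reasons = []
    if attempt["device_id"] not in profile["known_devices"]:
        reasons.append("new_device")
    if attempt["time"].hour not in profile["usual_hours"]:
        reasons.append("unusual_hour")
    last = profile["last_login"]
    hours = (attempt["time"] - last["time"]).total_seconds() / 3600
    dist = km_between(last["geo"], attempt["geo"])
    # Faster than an airliner between two logins: the user did not travel there.
    if dist > 50 and dist / max(hours, 1e-6) > max_kmh:
        reasons.append("impossible_travel")
    if "impossible_travel" in reasons:
        return "step_up_and_alert", reasons  # extra factor plus a notice to the user
    return ("step_up" if reasons else "allow"), reasons

# Constructed sample data: a London-based user and three login attempts.
LONDON, SINGAPORE = (51.5074, -0.1278), (1.3521, 103.8198)
def _at(hour, minute):
    return datetime(2025, 3, 3, hour, minute, tzinfo=timezone.utc)
PROFILE = {
    "known_devices": {"laptop-01"},
    "usual_hours": range(7, 20),
    "last_login": {"time": _at(8, 30), "geo": LONDON},
}
ATTEMPTS = [
    {"device_id": "laptop-01", "time": _at(9, 0), "geo": LONDON},
    {"device_id": "phone-77", "time": _at(9, 10), "geo": LONDON},
    {"device_id": "laptop-01", "time": _at(9, 30), "geo": SINGAPORE},
]

if __name__ == "__main__":
    for attempt in ATTEMPTS:
        print(assess_login(PROFILE, attempt))
```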
AI is also able to improve the efficiency of biometric authentication methods like fingerprint scanning and facial recognition. It’s able to do so by analyzing more data points to ensure a secure match and making cases of spoofing much less common.
As it stands, MFA already has extremely high success rates. But paired with AI, the verification system represents a significant advancement in cyber security practices and will continue to play a crucial role in safeguarding information as the threat landscape evolves.
What’s more, as more cybercriminals harness AI to bypass MFA defenses, like in deceptive phishing attacks, it’s only becoming more important that the authentication method embraces the technology to make its defenses even stronger.