Multi-Factor Authentication (MFA)
An authentication method requiring users to provide two or more verification factors from different categories (knowledge, possession, inherence) to gain access.
Description
Multi-Factor Authentication (MFA) strengthens authentication by requiring users to prove their identity using multiple independent factors from different categories: something you know (password, PIN), something you have (phone, hardware key, authenticator app), and something you are (fingerprint, face recognition). The principle is that compromising one factor should not be sufficient to gain unauthorized access -- an attacker who steals a password still cannot authenticate without the second factor.
Common MFA implementations include TOTP codes generated by authenticator apps (Google Authenticator, Authy), SMS or email one-time codes (weaker, because SIM swapping and message interception let an attacker obtain the code), push notifications to registered devices (open to "push fatigue" abuse unless the prompt requires number matching), and hardware security keys (YubiKey, Titan) using WebAuthn/FIDO2. Note that TOTP, SMS and push approvals can all be relayed in real time by a phishing proxy sitting between the user and the real site. The strongest implementations use phishing-resistant methods like WebAuthn: the authenticator's signature is bound to the origin (relying party ID) the browser is actually talking to, so a credential captured on a look-alike domain is useless against the real one, and adversary-in-the-middle phishing proxies are defeated.
Implementing MFA requires careful UX consideration to balance security and usability. Provide recovery mechanisms for when users lose access to their second factor: single-use backup codes issued at enrollment are the usual choice; if you also allow recovery through an email address, the account becomes only as strong as that mailbox, so treat it as a weaker path and rate-limit it. Support step-up authentication for sensitive operations (changing the password, changing MFA settings, transferring funds) even if the user is already authenticated, requiring a fresh second-factor verification rather than trusting the one performed at login. Store MFA enrollment data securely: TOTP secrets must remain readable by the server to compute codes, so they are encrypted at rest rather than hashed, whereas recovery codes are only ever compared, so they are hashed like passwords. Consider adaptive MFA that only triggers based on risk signals (new device, unusual location, impossible travel).
Prompt Snippet
Implement MFA with support for TOTP (RFC 6238) and WebAuthn as second factors. During enrollment, generate a 160-bit TOTP secret, store it encrypted (AES-256-GCM) in the database, and present it as a QR code (otpauth:// URI). Validate TOTP codes with a time window of +/- 1 step (30 seconds) and track the last accepted time step so that a code cannot be accepted twice (replay). Generate 10 single-use recovery codes (hashed with bcrypt) during setup and mark each one used after redemption. Implement step-up authentication requiring MFA re-verification for sensitive operations like password changes. Use the WebAuthn API with resident keys (discoverable credentials) for a phishing-resistant passwordless option.
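The TOTP generation, +/- 1 step window, last-step replay tracking, hashed single-use recovery codes and step-up freshness check described in the Description and the Prompt Snippet above, worked through in Python as an added example (this is not code from the original page or from any product). It uses only the standard library: encryption of the stored secret with AES-256-GCM is left to the caller, and bcrypt is replaced by scrypt from hashlib, which is likewise a deliberately slow hash. The function names, the 5-minute step-up freshness policy and the sample account name are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import List, Optional, Tuple

TOTP_STEP = 30          # RFC 6238 time step in seconds
TOTP_DIGITS = 6
STEP_UP_MAX_AGE = 300   # assumed policy: a prior MFA check is fresh enough for 5 minutes


def generate_totp_secret() -> bytes:
    """RFC 4226 recommends a shared secret of at least 160 bits (20 bytes)."""
    return secrets.token_bytes(20)


def otpauth_uri(secret: bytes, account: str, issuer: str) -> str:
    """Provisioning URI that the enrollment page renders as a QR code."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": b32, "issuer": issuer, "algorithm": "SHA1",
                                    "digits": TOTP_DIGITS, "period": TOTP_STEP})
    return f"otpauth://totp/{label}?{query}"


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def verify_totp(secret: bytes, code: str, last_used_step: Optional[int],
                now: Optional[int] = None, window: int = 1) -> Tuple[bool, Optional[int]]:
    """Check a submitted code against the current step +/- `window` steps.

    Returns (accepted, step_to_persist). The caller stores step_to_persist as the
    user's last_used_step; any code for that step or an earlier one is refused,
    which is what stops replay of a code captured inside its 30-second validity.
    """
    now = int(time.time()) if now is None else now
    current = now // TOTP_STEP
    for drift in range(-window, window + 1):
        step = current + drift
        if last_used_step is not None and step <= last_used_step:
            continue  # this step (or a later one) was already consumed: replay attempt
        if hmac.compare_digest(hotp(secret, step).encode(), code.encode()):
            return True, step
    return False, last_used_step


def _hash_recovery_code(code: str, salt: bytes) -> bytes:
    # The page specifies bcrypt; scrypt from the standard library stands in for it here
    # so the example runs without third-party packages.
    return hashlib.scrypt(code.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def generate_recovery_codes(count: int = 10) -> Tuple[List[str], List[dict]]:
    """Return (codes shown to the user exactly once, salted hashes to store)."""
    shown, stored = [], []
    for _ in range(count):
        code = secrets.token_hex(5)  # 10 hex characters; pair with rate limiting on redemption
        salt = secrets.token_bytes(16)
        shown.append(code)
        stored.append({"salt": salt, "hash": _hash_recovery_code(code, salt), "used": False})
    return shown, stored


def redeem_recovery_code(stored: List[dict], candidate: str) -> bool:
    """Single use: the matching record is marked used and can never match again."""
    for rec in stored:
        if rec["used"]:
            continue
        if hmac.compare_digest(_hash_recovery_code(candidate, rec["salt"]), rec["hash"]):
            rec["used"] = True
            return True
    return False


def needs_step_up(session: dict, now: Optional[int] = None) -> bool:
    """Sensitive operations re-verify MFA unless the session's last check is fresh."""
    now = int(time.time()) if now is None else now
    verified_at = session.get("mfa_verified_at")
    return verified_at is None or now - verified_at > STEP_UP_MAX_AGE


if __name__ == "__main__":
    secret = generate_totp_secret()
    print(otpauth_uri(secret, "alice@example.com", "ExampleCorp"))  # assumed sample account
    code = hotp(secret, int(time.time()) // TOTP_STEP)
    accepted, step = verify_totp(secret, code, None)
    print("first use:", accepted, "replay:", verify_totp(secret, code, step)[0])
```

The `hotp` routine reproduces the RFC 6238 SHA-1 test vectors (secret `12345678901234567890`, time 59 gives the 6-digit code `287082`), which is a quick way to check any TOTP implementation before wiring it to real enrollments. Persisting `last_used_step` per user is the part most implementations skip; without it, a code shoulder-surfed or proxied during its 30-second lifetime can be submitted a second time.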
Related Terms
TOTP (Time-Based One-Time Passwords)
A one-time password algorithm that generates short-lived codes based on a shared secret and the current time, commonly used as a second authentication factor.
WebAuthn / Passkeys
A web standard for passwordless, phishing-resistant authentication using public-key cryptography with hardware or platform authenticators.
Password Hashing (bcrypt/argon2)
The practice of transforming passwords into irreversible hashes using intentionally slow, memory-hard algorithms to protect credentials at rest.
Brute Force Protection
A set of defense mechanisms that detect and block automated high-volume authentication attempts aimed at guessing credentials through exhaustive trial.
Session Management
The practice of securely creating, maintaining, and destroying user sessions to track authenticated state across stateless HTTP requests.