Multi-Factor Authentication (MFA)
Definition
Multi-Factor Authentication (MFA) is an access control method that requires a user to prove their identity using two or more independent factors before access is granted. Factors typically come from different categories: something you know (like a password or PIN), something you have (like a hardware token or authenticator app), and something you are (like a fingerprint or facial recognition). MFA reduces the likelihood that a single compromised credential (especially a password obtained through phishing, credential stuffing, or data leaks) can be used to take over an account.

In the CyberSecure Canada program context, MFA is a common expectation for strengthening authentication to critical services and higher-risk accounts, such as administrator accounts, remote access, email, and cloud applications. Effective MFA deployment includes selecting stronger factor types where risk is highest, enforcing MFA consistently across systems, defining exceptions with compensating controls, and maintaining evidence that MFA is enabled and monitored.

MFA should be paired with good password practices, device security, and logging to provide defense-in-depth rather than relying on any single control. MFA is also commonly required or recommended by widely used security standards and best-practice guidance for remote and privileged access.
Real-World Examples
Startup cloud admin access
A startup requires MFA for cloud console admin accounts and blocks sign-ins without a second factor.
Scale-up remote workforce
A scale-up enforces MFA for VPN and single sign-on to reduce risk from stolen passwords and phishing.
Enterprise privileged operations
An enterprise uses phishing-resistant MFA for privileged actions and reviews logs for anomalous MFA prompts.
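The enterprise example above mentions reviewing logs for anomalous MFA prompts. The following Python script is an added illustration, not code from the CyberSecure Canada program or this wiki: it runs two simple detections over a constructed MFA log (the log format, user names, thresholds and the 10-minute window are all assumptions made for the example). It flags a burst of push prompts to one user and an approval that follows several denied or timed-out prompts, which is the pattern a reviewer would want to investigate when push-based MFA is in use.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log for the example. Assumed format (one event per line):
#   <ISO-8601 timestamp> <user> <mfa method> <outcome>
SAMPLE_LOG = """\
2026-02-26T08:00:01Z alice push denied
2026-02-26T08:00:40Z alice push denied
2026-02-26T08:01:15Z alice push timeout
2026-02-26T08:02:02Z alice push denied
2026-02-26T08:02:50Z alice push approved
2026-02-26T08:10:00Z bob totp approved
2026-02-26T08:11:00Z bob totp failed
2026-02-26T08:12:00Z bob totp approved
"""


@dataclass
class Event:
    ts: datetime
    user: str
    method: str
    outcome: str


@dataclass
class Finding:
    user: str
    kind: str
    ts: datetime
    detail: str


def parse_log(log_text: str) -> list[Event]:
    """Parse the assumed whitespace-separated log format into Event records."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, method, outcome = line.split()
        # fromisoformat() does not accept a trailing 'Z' on older Pythons
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), user, method, outcome))
    return events


def analyze(
    log_text: str,
    window: timedelta = timedelta(minutes=10),
    burst_threshold: int = 4,
    rejection_threshold: int = 2,
) -> list[Finding]:
    """Return findings for push-prompt bursts and approvals that follow repeated rejections.

    Thresholds are example values; tune them to the organisation's normal prompt volume.
    """
    by_user: dict[str, list[Event]] = defaultdict(list)
    for e in parse_log(log_text):
        by_user[e.user].append(e)

    findings: list[Finding] = []
    for user, events in by_user.items():
        pushes = sorted((e for e in events if e.method == "push"), key=lambda e: e.ts)
        burst_reported = False
        for i, e in enumerate(pushes):
            # All push prompts to this user inside the trailing window, including this one
            recent = [p for p in pushes[: i + 1] if e.ts - p.ts <= window]
            if len(recent) >= burst_threshold and not burst_reported:
                findings.append(Finding(user, "push_burst", e.ts,
                                        f"{len(recent)} push prompts within {window}"))
                burst_reported = True  # one burst finding per user keeps the report readable
            if e.outcome == "approved":
                rejected = [p for p in recent if p.outcome in ("denied", "timeout")]
                if len(rejected) >= rejection_threshold:
                    findings.append(Finding(user, "approval_after_rejections", e.ts,
                                            f"approved after {len(rejected)} denied/timed-out prompts"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts.isoformat()} {f.user} {f.kind}: {f.detail}")
```

The TOTP events for the second user produce no finding: a failed code followed by a correct one is ordinary behaviour, whereas a run of rejected push prompts ending in an approval is the signature a reviewer should triage before treating the sign-in as legitimate.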
MFA is a sign-in method that requires two or more independent proofs of identity, reducing account takeover risk when a password is compromised.
After entering a primary credential, the user must complete an additional verification step, such as approving a push prompt or entering a one-time code.
2FA is a subset of MFA that uses exactly two factors, while MFA can use two or more factors depending on the risk and system requirements.
Common factors include passwords or PINs (knowledge), authenticator apps or tokens (possession), and biometrics like fingerprints (inherence).
MFA helps prevent unauthorized access and supports security expectations by reducing reliance on passwords alone and lowering the likelihood of breaches.
Organizations should require MFA for high-impact access paths such as admin accounts, remote access, email, and cloud applications, and for sensitive data systems.
SMS MFA can be vulnerable to SIM-swap and interception risks; authenticator apps, hardware keys, and passkeys are generally safer alternatives.
Phishing-resistant MFA uses methods that cannot be replayed by attackers, such as hardware security keys or passkeys, and is recommended for privileged access.
A smooth rollout uses staged enforcement, clear user guidance, self-service enrollment, backup methods, and monitoring to address issues before full enforcement.
Auditors often expect configuration screenshots or exports, policy settings, user enrollment reports, access logs showing MFA challenges, and exception tracking.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-26 | WatchDog Security GRC Wiki Team | Initial publication |