Multi-factor authentication (MFA) is a login method that requires two or more independent proofs of identity — typically something you know (a password), something you have (a phone or hardware key), and something you are (a fingerprint) — before granting access to an account or system. A stolen password alone becomes useless to an attacker if a second factor is required, which is why MFA is one of the highest-leverage controls in identity security. Microsoft's own telemetry found that accounts with MFA enabled were more than 99% less likely to be compromised than accounts without it. Yet MFA is not a silver bullet: 2022 breaches at Uber, Cisco, and Twilio all involved attackers defeating MFA through push-bombing, SIM swapping, or social engineering rather than cracking the underlying cryptography. This glossary entry breaks down how MFA works, where it fails, and what "phishing-resistant" actually means in practice.
What is multi-factor authentication?
MFA is the practice of requiring at least two of three factor categories — knowledge, possession, and inherence — to verify a user's identity before authentication succeeds. A password paired with a one-time code from an authenticator app satisfies this because the password proves knowledge and the code proves possession of the enrolled device. NIST's Digital Identity Guidelines (SP 800-63B) formalize these categories and define "Authenticator Assurance Levels" (AAL1 through AAL3), with AAL2 requiring MFA and AAL3 requiring a hardware-backed, phishing-resistant authenticator. Single-factor logins that only ask for a password, no matter how complex, do not meet even the lowest MFA bar, which is why credential-stuffing attacks against password-only systems remain one of the most common initial access vectors tracked in Verizon's annual Data Breach Investigations Report.
How does MFA differ from two-factor authentication (2FA)?
2FA is a subset of MFA that specifically requires exactly two factors, while MFA is the broader term covering two or more. In practice the terms are used almost interchangeably in marketing materials, but the distinction matters for compliance mapping: PCI DSS 4.0, which became mandatory for all applicable requirements on March 31, 2025, explicitly requires MFA (not just 2FA) for all access into the cardholder data environment, including administrative access from within trusted networks — a tightening from PCI DSS 3.2.1, which only required it for remote access. A system that layers a password, a hardware key, and a biometric check is technically MFA (three factors) but would never be called "3FA" — the industry defaults to "MFA" once you exceed two factors.
What MFA methods are most resistant to phishing?
FIDO2/WebAuthn hardware security keys and platform passkeys are the most phishing-resistant MFA methods because they bind the credential cryptographically to the specific website domain, making the credential unusable on a lookalike phishing site. Google published results from a 2019 internal rollout showing zero successful account takeovers among more than 85,000 employees after mandating physical security keys, compared to measurable phishing losses in the prior period using SMS and app-based codes. By contrast, SMS one-time passcodes are the weakest common MFA method: they are vulnerable to SIM-swapping attacks, and NIST SP 800-63B has flagged SMS-based OTP as restricted since 2017 for exactly this reason. Push notifications sit in the middle — better than SMS, but vulnerable to "MFA fatigue" attacks where an attacker spams approval requests until a user taps accept, the technique used in the September 2022 Uber breach.
Why do attackers still bypass MFA even when it's enabled?
Attackers bypass MFA primarily by targeting the human approval step or the session token, not by breaking the cryptography. In the 2022 Uber breach, an attacker purchased stolen contractor credentials, then bombarded the contractor with MFA push requests until one was approved via a spoofed WhatsApp message posing as Uber IT support. In the 2022 Cisco breach, attackers used voice phishing (vishing) to get an employee to accept an MFA push after already compromising a personal Google account holding saved corporate passwords. A third and increasingly common technique is "adversary-in-the-middle" (AiTM) phishing kits like EvilProxy, which relay a live login session in real time to steal the post-authentication session cookie — rendering the MFA challenge moot because the attacker never needs to solve it, they just wait for the victim to. Microsoft's Digital Defense Report noted MFA-related attack volume, including push-bombing and AiTM phishing, rose sharply from 2022 into 2023 as password-only attacks became less viable.
Which regulations and standards require MFA?
MFA is an explicit requirement in most major security compliance frameworks that govern software vendors and enterprises today, including PCI DSS 4.0, HIPAA's Security Rule (via risk analysis requirements), SOC 2 (as a control commonly tested under the Security and Availability trust services criteria), FedRAMP, and CISA's Binding Operational Directive 18-02 for federal civilian agencies. The White House's May 2021 Executive Order 14028 directed federal agencies to implement MFA and encryption "within 180 days," accelerating adoption of phishing-resistant authenticators (specifically PIV cards and FIDO2 keys) across the federal government. Auditors reviewing a SOC 2 report will typically ask for evidence that MFA is enforced on every path into production systems, source code repositories, and cloud infrastructure consoles — not just customer-facing logins — since compromised developer or admin credentials are a direct path to a supply chain compromise.
How Safeguard Helps
MFA stops credential theft from becoming account takeover, but it does nothing to protect the software supply chain once an attacker is inside a CI/CD pipeline or a compromised dependency ships to production — that's the gap Safeguard closes. Safeguard generates and ingests SBOMs across your build pipeline to give security teams a real-time inventory of every package and its provenance, then applies reachability analysis so teams aren't stuck triaging thousands of theoretical CVEs that no running code actually calls. Griffin AI, Safeguard's analysis engine, correlates that reachability data with exploit maturity and package behavior to prioritize the small subset of findings that represent genuine risk, and auto-fix PRs let engineering teams remediate confirmed issues with a reviewable pull request instead of a manual patch cycle. Together, these controls complement identity protections like MFA by locking down the software artifacts and pipelines that strong authentication alone can't secure.