What is Multi-Factor Authentication?

Multi-factor authentication (MFA) is a security method that requires users to provide two or more verification factors to confirm their identity before accessing an account or completing a transaction. The factors typically combine something you know (password), something you have (phone), and something you are (fingerprint).

What Is Multi-Factor Authentication?

Multi-factor authentication -- commonly shortened to MFA -- is a security method that requires a person to prove their identity in more than one way before they can log in, access data, or complete a transaction. Instead of relying on a single password, MFA asks for two or more independent pieces of evidence drawn from different categories. If one factor is compromised, the remaining factors still protect the account.

The concept is not new. Cash machines have used a version of it for decades -- you need both a physical card (something you have) and a PIN (something you know). What has changed is the range of technologies available and the number of contexts where MFA is now expected, especially in payment processing.

The Three Authentication Factors

Something You Know

This is the classic knowledge factor -- a password, PIN, passphrase, or answer to a security question. It is the most familiar form of authentication but also the weakest when used alone. Passwords can be guessed through brute-force attacks, harvested in phishing campaigns, or exposed in data breaches. Despite decades of advice about strong passwords, studies consistently show that people reuse them across multiple sites.

Something You Have

The possession factor proves you control a specific physical device. Common examples include a smartphone receiving a one-time passcode via SMS or an authenticator app, a hardware security key like a YubiKey, a smart card, or a SIM card. The strength of this factor lies in the fact that an attacker needs physical access to the device -- they cannot steal it remotely the way they might steal a password.

Something You Are

Biometric factors use your unique biological characteristics -- fingerprint scans, facial recognition, iris patterns, voice prints, or even typing rhythms (behavioural biometrics). These are the hardest to forge, though they come with their own considerations: biometric data cannot be reset like a password, so its protection is critical.

How MFA Works in Practice

A typical MFA flow looks like this: you enter your username and password (knowledge factor), then the system sends a push notification to your phone or asks you to open an authenticator app (possession factor). Only when both checks pass does the system grant access. Some implementations add a third step -- for example, a fingerprint scan on the phone itself before the push notification is approved.

The key principle is that the factors must be independent. Using two passwords does not count as MFA because both are knowledge factors. Similarly, a fingerprint plus a face scan uses two biometric factors from the same category, which provides less protection than combining factors from different categories.

MFA and Payment Security

In the payments world, MFA has moved from best practice to legal requirement in many jurisdictions. The EU's Revised Payment Services Directive (PSD2) introduced Strong Customer Authentication (SCA), which mandates that electronic payments above certain thresholds must be authenticated using at least two independent factors. The UK adopted equivalent rules. This is why online shoppers are now routinely redirected to their banking app to approve a purchase.

For card-not-present transactions -- including phone payments and e-commerce -- 3D Secure 2 (3DS2) is the primary mechanism for delivering SCA. The customer's bank decides whether additional authentication is needed based on risk signals. If it is, the customer might be asked to approve the transaction in their mobile banking app using a combination of their device (possession) and a fingerprint or PIN (biometric or knowledge).

MFA Under PCI DSS

PCI DSS has its own MFA requirements, focused on protecting the cardholder data environment (CDE). Under PCI DSS v4.0, multi-factor authentication is required for all access to the CDE, not just remote access as in earlier versions. This means:

  • Anyone logging into systems that store, process, or transmit card data must use MFA
  • Remote access connections -- such as VPN sessions used by administrators or third-party vendors -- must require MFA before any access to payment systems
  • Each authentication factor must be validated independently, so a system cannot combine the username/password prompt and the one-time code into a single step
  • MFA mechanisms must be resistant to replay attacks, meaning a captured authentication token cannot be reused

These requirements apply to anyone with access to the CDE -- employees, contractors, and third-party service providers alike.

Common MFA Methods Compared

  • SMS one-time codes: Widely used but increasingly discouraged for high-security contexts. SMS can be intercepted through SIM-swapping attacks, where a criminal convinces a mobile carrier to transfer the victim's phone number to a new SIM card.
  • Authenticator apps (TOTP): Apps like Google Authenticator or Microsoft Authenticator generate time-based codes that refresh every 30 seconds. More secure than SMS because the codes never leave the device.
  • Push notifications: The user receives a push notification and taps to approve. Convenient, but vulnerable to "MFA fatigue" attacks, where the attacker repeatedly triggers notifications until the user taps approve out of frustration.
  • Hardware security keys (FIDO2/WebAuthn): Physical keys that connect via USB or NFC. Considered the gold standard because they are phishing-resistant -- the credential is cryptographically bound to the legitimate site's origin, so a lookalike phishing site cannot obtain a valid response from the key.
  • Biometric authentication: Fingerprints, facial recognition, or voice. Often used as a second factor alongside a device (e.g., approving a banking app transaction with a fingerprint on your phone).

MFA for Telephone Payments

Phone payments present an interesting challenge for MFA. A traditional voice call is not well-suited to multi-factor flows because the customer is interacting through audio alone. However, hybrid approaches have emerged. A customer might initiate a payment over the phone, and then receive a 3DS2 challenge on their smartphone that they complete using their banking app and a biometric scan. This combines the voice channel with a digital authentication step.

For businesses processing payments over the phone, MFA is less about authenticating the caller directly and more about protecting the systems that handle card data. Agents accessing payment platforms, supervisors reviewing transaction logs, and IT administrators managing the infrastructure -- all of these roles must use MFA to access the cardholder data environment.

Implementing MFA Effectively

Rolling out MFA involves balancing security with usability. Push too hard and users will find workarounds. Make it too easy and you undermine the security benefit. Best practices include:

  • Start with the highest-risk access points -- remote access, admin accounts, payment systems -- and expand from there
  • Offer multiple factor options so users are not locked out if one device is unavailable
  • Use adaptive MFA that adjusts requirements based on risk signals (e.g., new device, unusual location, high-value transaction)
  • Train users to recognise MFA fatigue attacks and never approve notifications they did not initiate
  • Ensure backup and recovery processes exist for lost devices without creating a backdoor that bypasses MFA entirely
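The practices above (risk-based adaptive MFA, prioritising admin and payment-system access) and the earlier point that two factors must come from different categories can be expressed as a small policy engine. The following is an added example, not Paytia's code or a description of its platform: the factor categories, risk weights, the step-up threshold and the rule that CDE administrators must present a phishing-resistant factor are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed mapping of factor types to the three categories discussed on this page.
KNOWLEDGE = {"password", "pin"}
POSSESSION = {"fido2", "totp", "push", "sms"}
INHERENCE = {"fingerprint", "face"}
PHISHING_RESISTANT = {"fido2"}   # hardware keys, per the comparison above

HIGH_VALUE = 500.0       # assumed transaction threshold for a step-up
STEP_UP_THRESHOLD = 3    # assumed risk score at which a second factor is demanded


@dataclass
class AccessRequest:
    role: str                 # "customer", "agent" or "admin"
    touches_cde: bool         # systems that store, process or transmit card data
    new_device: bool = False
    unusual_location: bool = False
    remote: bool = False
    transaction_value: float = 0.0


def factor_categories(factors) -> set:
    """Independent categories represented by the presented factors (two passwords -> one)."""
    cats = set()
    for f in factors:
        if f in KNOWLEDGE:
            cats.add("knowledge")
        elif f in POSSESSION:
            cats.add("possession")
        elif f in INHERENCE:
            cats.add("inherence")
    return cats


def risk_score(req: AccessRequest) -> int:
    """Sum of the risk signals named on this page, with assumed weights."""
    score = 0
    if req.new_device:
        score += 2
    if req.unusual_location:
        score += 2
    if req.remote:
        score += 1
    if req.transaction_value >= HIGH_VALUE:
        score += 3
    return score


def decide(req: AccessRequest, presented) -> str:
    """Return "allow" or "step_up" for a request given the factors already presented."""
    cats = factor_categories(presented)
    if req.touches_cde:
        # Any CDE access: at least two independent categories, always (PCI DSS v4.0).
        if len(cats) < 2:
            return "step_up"
        # Assumed policy: administrators additionally need a phishing-resistant factor.
        if req.role == "admin" and not (PHISHING_RESISTANT & set(presented)):
            return "step_up"
        return "allow"
    # Outside the CDE, apply adaptive MFA: demand a second category only when risk is high.
    if risk_score(req) >= STEP_UP_THRESHOLD and len(cats) < 2:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    low = AccessRequest(role="customer", touches_cde=False)
    risky = AccessRequest(role="customer", touches_cde=False, new_device=True, transaction_value=900.0)
    print(decide(low, ["password"]))            # allow
    print(decide(risky, ["password"]))          # step_up
    print(decide(risky, ["password", "push"]))  # allow
```

Note that the same password presented twice, or a fingerprint plus a face scan, yields a single category and so never satisfies the two-category check, which is exactly the independence rule described earlier.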

How Paytia Uses This

Paytia enforces multi-factor authentication on all access to its platform and admin dashboards, meeting PCI DSS requirements for protecting the cardholder data environment. Every user with access to transaction data, configuration settings, or reporting tools must authenticate with at least two independent factors.

For payment transactions processed through Paytia's telephone payment solutions, 3D Secure 2 authentication is supported where required by the card issuer. This means customers can complete SCA challenges during phone-initiated payments, combining the security of MFA with the convenience of agent-assisted transactions. By handling the technical complexity of 3DS2 within the payment flow, Paytia ensures compliance with SCA regulations without disrupting the customer experience.

Frequently Asked Questions

Is two-factor authentication the same as multi-factor authentication?

Two-factor authentication (2FA) is a type of MFA that uses exactly two factors. MFA is the broader term covering any system that requires two or more factors. In practice, most MFA implementations use two factors, so the terms are often used interchangeably.

Does PCI DSS require multi-factor authentication?

Yes. PCI DSS v4.0 requires MFA for all access to the cardholder data environment, including both remote and local access. This applies to employees, contractors, and any third party with access to systems that store, process, or transmit card data.

Can MFA be used for telephone payments?

Traditional phone calls do not support MFA directly, but hybrid approaches work. A customer can start a payment over the phone and then complete a 3D Secure 2 challenge on their smartphone using their banking app and a biometric scan, combining the voice channel with digital authentication.
