What is MFA?
Multi-Factor Authentication
An authentication method requiring two or more independent verification factors (something you know, have, or are) to prove identity before granting access.
MFA is the single most effective control for preventing credential-based attacks, which account for the majority of initial access in breaches. The factors are knowledge (password, PIN), possession (hardware token, smartphone authenticator app, smart card), and inherence (biometrics like fingerprint or facial recognition). True MFA requires factors from at least two different categories; a password plus a security question is not MFA because both are knowledge factors.
In SASE deployments, MFA is enforced at the identity provider and evaluated by the ZTNA policy engine. Adaptive MFA adds contextual signals: a user logging in from a recognized device on the corporate network might only need a push notification, while the same user connecting from a new device in an unusual location might be prompted for a hardware token plus biometric. Step-up authentication triggers additional MFA for high-risk actions like accessing sensitive applications or downloading restricted data.
The key implementation consideration is phishing resistance. SMS-based OTPs and even push notifications are vulnerable to real-time phishing and MFA fatigue attacks. FIDO2/WebAuthn hardware keys and passkeys provide phishing-resistant authentication because the cryptographic challenge is bound to the legitimate domain, making man-in-the-middle relay attacks impossible.
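As an added simulation (not code from the original page or any vendor), the following Python models why that origin binding defeats a relay: the browser only issues an assertion for an rpId that matches the page origin, the page origin is written into the signed clientDataJSON, and the relying party rejects anything else. The HMAC "signature" is a stand-in for the authenticator's ECDSA signature, and the domains, challenge and key values are constructed.

```python
import hashlib, hmac, json, secrets
RP_ID = "login.example.com"                    # constructed relying-party id
EXPECTED_ORIGIN = "https://login.example.com"  # the only origin the RP accepts

class Authenticator:
    """Simulated FIDO2 authenticator; the HMAC key stands in for the credential's private key."""
    def __init__(self):
        self.creds = {}                        # rpId -> credential key
    def register(self, rp_id):
        self.creds[rp_id] = secrets.token_bytes(32)
        return self.creds[rp_id]               # handed to the RP as its 'public key'
    def sign(self, rp_id, client_data_json):
        if rp_id not in self.creds:            # no credential scoped to this rpId
            return None
        auth_data = hashlib.sha256(rp_id.encode()).digest()          # rpIdHash
        msg = auth_data + hashlib.sha256(client_data_json).digest()  # what gets signed
        return auth_data, hmac.new(self.creds[rp_id], msg, hashlib.sha256).digest()

def browser_get_assertion(authn, page_origin, rp_id, challenge):
    # Browser rule: rpId must be the page's effective domain or a registrable suffix of it.
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("rpId does not match page origin")
    # The page origin is written into clientDataJSON; the authenticator signs over its hash.
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
    signed = authn.sign(rp_id, cdj)
    return None if signed is None else {"clientDataJSON": cdj, "authenticatorData": signed[0], "signature": signed[1]}

def rp_verify(cred_key, assertion, expected_challenge):
    # Relying-party checks in order: challenge, origin, rpIdHash, signature.
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != EXPECTED_ORIGIN or assertion["authenticatorData"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    msg = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    return hmac.compare_digest(hmac.new(cred_key, msg, hashlib.sha256).digest(), assertion["signature"])

def relay_demo():
    """Returns (legit_ok, phish_ok): the real login verifies, the relayed look-alike login never does."""
    authn = Authenticator()
    key = authn.register(RP_ID)
    challenge = secrets.token_hex(16)            # real RP challenge, forwarded by the phishing page
    legit = browser_get_assertion(authn, EXPECTED_ORIGIN, RP_ID, challenge)
    phish_origin = "https://login-example.com"   # constructed look-alike domain
    try:                                         # requesting the real rpId from the wrong origin: browser refuses
        phish = browser_get_assertion(authn, phish_origin, RP_ID, challenge)
    except ValueError:                           # only its own rpId is allowed, and no credential exists for it
        phish = browser_get_assertion(authn, phish_origin, "login-example.com", challenge)
    return rp_verify(key, legit, challenge), phish is not None and rp_verify(key, phish, challenge)
```

Contrast this with an SMS or push OTP, which is just a short string with no notion of origin, so the same relay forwards it unchanged and the server accepts it.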