
Multifactor authentication: 5 examples and strategic use cases
Before implementing MFA, conduct a careful study to determine which security factors offer the strongest protection. Passwords and PINs aren't cutting it any longer.
Multifactor authentication has long been touted as a solution to the user account security problem. This multistep access verification measure helps not only ensure the right users access the right accounts, but also prevent adversaries from abusing legitimate users' credentials.
CISOs and security teams must carefully evaluate how they intend to implement MFA before using it to protect user account access. In many cases, stronger methods of MFA are required to sufficiently guard users against today's increasingly sophisticated social engineering and authentication-based attacks.
It is vital to measure the strength of every authentication factor before designing an enterprise MFA blueprint. CISOs should select those factors that provide the best defense against phishing and minimize unauthorized use of authenticators. Without investigating factors and their potential drawbacks, organizations could be lulled into a false sense of security.
Let's assess MFA and its role today by examining examples of authentication factors, business MFA use cases and best practices for every organization to follow.
5 examples of MFA
All MFA tools require users to provide at least two authentication factors. Factors can be broken down into three categories:
- Something the user knows. For example, a password or PIN.
- Something the user is. For example, a fingerprint or iris scan.
- Something the user has. For example, a hardware token.
MFA tools should use factors from different categories -- for example, a passphrase and facial scan, but not a password and a PIN.
Ideally, each authentication factor should be strong. Yet, in most cases, the first MFA method is a password or PIN, both of which are highly susceptible to phishing and other attacks. This means the other factors have to be even stronger.
Common examples of MFA to consider include the following.
Passwords, passphrases and PINs
These are codes, phrases and numbers that verify users. All three are generally insecure. Strong second or third authentication factors are crucial to protect accounts and access.
One-time passwords
There are several variations of OTPs -- codes that a user receives and enters into another system as an authentication factor. Most OTPs are time-based OTPs, meaning they change or time out every 30 seconds or so.
- Emailed OTPs. These involve sending a code to a user's registered email address. Then, they must input the code to access the application, data or system. This factor is easy to use, but vulnerable if a user's email account is compromised.
- SMS OTPs. Text-message codes sent to a phone. They are known to be insecure and should not be used for MFA.
- Call OTPs. Codes delivered over a phone call are also known to be insecure and should not be used for MFA.
- Authenticator app OTPs. Generated by an app, such as Google Authenticator or Microsoft Authenticator, they correlate to the resource the user is trying to authenticate to. These are typically stronger than email, SMS, and call OTPs, and provide assurance that the person entering the OTP has possession of the user's smartphone. They are generally secure, as long as the user's device is not compromised.
Biometrics
Biometrics, such as fingerprint readers built into laptops and facial scanners built into smartphones, have become a quick and convenient authentication method. Yet, these methods are not infallible and can be affected by an individual's change in appearance, cuts on fingers and other circumstances. They also require users to have devices equipped with biometric capabilities, which are not ubiquitous by any means.
Location-based authentication
Users are verified based on their physical location. If a login occurs from an unknown location, additional authentication methods are required. While this ensures only users from certain regions can log in, it can be inconvenient for users and complex for security teams to manage.
Cryptographic authentication
Users prove they possess a secret or private cryptographic key. Examples include cryptographic hardware tokens such as YubiKeys (which can also be used for OTPs). While cryptographic authentication factors can be strong, they're only effective if they're with the user, and they're easy to leave behind accidentally.
Phishing-resistant and adaptive MFA
Many MFA tools have added phishing-resistant MFA and adaptive MFA capabilities.
- Phishing-resistant MFA is a type of authentication process that mitigates MFA bypass attacks, such as push bombing, SIM swapping and phishing, using FIDO/WebAuthn authentication and PKI-based MFA.
- Adaptive MFA adjusts authentication based on who is accessing the application, data or system and that person's risk profile. For example, adaptive MFA provides stronger authentication for riskier situations by requesting additional authentication methods.
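The location-based and adaptive descriptions above both amount to a risk policy that decides how strong a factor to demand for a given login. The following added example (not code from the original article) shows one such policy: it scores a login attempt on an unrecognized device, a country change and "impossible travel" relative to the user's previous login, then maps the score to the factor tier to request. The signal weights, thresholds, 900 km/h travel limit and the two constructed login events are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Set, Tuple


@dataclass
class LoginEvent:
    user: str
    device_id: str
    country: str
    lat: float
    lon: float
    ts: int  # Unix seconds


# Factor tiers in order of increasing strength, mirroring the article's
# point that riskier situations should demand stronger authentication.
TIER_PASSWORD = "password_only"
TIER_OTP = "authenticator_app_otp"
TIER_PHISHING_RESISTANT = "phishing_resistant"

MAX_PLAUSIBLE_KMH = 900.0  # assumed: faster than commercial air travel


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def assess_login(event: LoginEvent, history: List[LoginEvent],
                 known_devices: Set[str]) -> Tuple[str, int, List[str]]:
    """Return (factor tier to require, risk score, reasons). Weights are assumed."""
    score, reasons = 0, []
    if event.device_id not in known_devices:
        score += 30
        reasons.append("unrecognized device")
    if history:
        last = history[-1]
        if event.country != last.country:
            score += 20
            reasons.append(f"country changed {last.country}->{event.country}")
        hours = max((event.ts - last.ts) / 3600.0, 1.0 / 60)  # floor at one minute
        speed = haversine_km(last.lat, last.lon, event.lat, event.lon) / hours
        if speed > MAX_PLAUSIBLE_KMH:
            score += 50
            reasons.append(f"impossible travel ({speed:.0f} km/h)")
    if score >= 70:
        return TIER_PHISHING_RESISTANT, score, reasons
    if score >= 30:
        return TIER_OTP, score, reasons
    return TIER_PASSWORD, score, reasons


# Constructed sample data: a prior login from London, then a new attempt.
LONDON = LoginEvent("alice", "laptop-1", "GB", 51.5074, -0.1278, 1_700_000_000)
NEW_YORK_ONE_HOUR_LATER = LoginEvent("alice", "laptop-1", "US", 40.7128, -74.0060,
                                     LONDON.ts + 3600)
LONDON_NEXT_DAY_NEW_DEVICE = LoginEvent("alice", "phone-9", "GB", 51.5074, -0.1278,
                                        LONDON.ts + 86400)

if __name__ == "__main__":
    for attempt in (NEW_YORK_ONE_HOUR_LATER, LONDON_NEXT_DAY_NEW_DEVICE):
        tier, score, why = assess_login(attempt, [LONDON], {"laptop-1"})
        print(tier, score, why)
```

The useful design property is that a high score does not hard-deny: a legitimate traveller on a VPN still gets in, but only with a factor that a phished password or relayed OTP cannot satisfy. Log the reasons alongside the decision so the security team can tune the weights against real false-positive rates.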
Enterprise MFA use cases
MFA is part of an increasing number of use cases today, thanks in part to the rise in phishing attacks and other credential-stealing threats. Consider the following business MFA use cases.
Providing secure remote access
This is among the earliest uses of MFA, especially for users in locations without strong physical security controls. Teleworkers and employees traveling for business or working remotely often rely on MFA for security.
Enabling employee access to sensitive resources
This has been a mainstay of MFA for many years. It includes access to employees' and customers' sensitive personal data, financial account information and the organization's intellectual property and trade secrets. It lets users perform sensitive actions, such as bank transfers and anything else where the separation of duties is typically enforced.
Protecting customer access to sensitive resources
This is an increasingly popular MFA use case. Customers of financial institutions, healthcare providers and other services expect those organizations to restrict access to the customers' accounts, and that includes supporting phishing-resistant MFA. This makes it more difficult for others to steal money and access highly personal information.
MFA implementation best practices
The key to successful MFA implementation is to evaluate possible options ahead of time. This step enables CISOs and security teams to find issues and address MFA use cases before the full rollout.
The following are some helpful MFA implementation tips:
- Use phishing-resistant MFA. Consider biometrics, OTPs and cryptographic authentication, as well as other methods. For example, if employees already carry company-issued cards for physical security purposes, these smartcards can potentially be used for MFA as well.
- Think carefully about what users will do if they forget or lose one of their MFA methods. How, for example, will a user traveling internationally be able to access necessary resources if they leave their YubiKey at home?
- Consider the security of the MFA implementation itself. If an attacker can successfully compromise an MFA implementation, such as taking over authentication services, it's game over. Ensure the MFA rollout is well secured and closely monitored to identify and stop any potential attacks as quickly as possible.
Karen Scarfone is the principal consultant at Scarfone Cybersecurity in Clifton, Va. She provides cybersecurity publication consulting to organizations and was formerly a senior computer scientist for NIST.