Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Back to basics: Multi-factor authentication (MFA)

This page is ARCHIVED. Please visit https://www.nist.gov/identity-access-management for current information on NIST’s Identity and Access Management work.

Here’s the traditional, not so secure way to log in to your bank account: enter your username and that familiar password you probably use for most of your online accounts. Then, you’re in. You can go about your business.

Not so fast! If you’re one of the 54% of consumers who, according to TeleSign, use five or fewer passwords for all of their accounts, you could create a “domino effect” that allows hackers to take down multiple accounts just by cracking one password. The good news? There’s an easy way to better protect your accounts (which contain a lot of personal information) with multi-factor authentication (MFA).

What is MFA?

MFA is quite simple, and organizations are focusing more than ever on creating a smooth user experience. In fact, you probably already use it in some form. For example, you’ve used MFA if you’ve:

  • swiped your bank card at the ATM and then entered your PIN (personal ID number).
  • logged into a website that sent a numeric code to your phone, which you then entered to gain access to your account.

MFA, sometimes referred to as two-factor authentication or 2FA, is a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account. Your credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). Your credentials must come from two different categories to enhance security – so entering two different passwords would not be considered multi-factor.

So look at a simple scenario: logging in to your bank account. If you’ve turned on MFA or your bank turned it on for you, things will go a little differently. First and most typically, you’ll type in your username and password. Then, as a second factor, you’ll use an authenticator app, which will generate a one-time code that you enter on the next screen. Then you’re logged in – that’s it!

Image representing multifactor authentication.  Includes password plus multifactor authentication to equal login.
Credit: NIST/Natasha Hanacek

In most cases it’s even easier than that. Most MFA approaches will remember a device. So if you come back using the same phone or computer, the site remembers your device as the second factor. Between device recognition and analytics the bank is likely performing—such as whether you’re logging in 20 minutes later from halfway around the world—most of the time the only ones that have to do any extra work are those trying to break into your account.

So what’s the big deal?

MFA helps protect you by adding an additional layer of security, making it harder for bad guys to log in as if they were you. Your information is safer because thieves would need to steal both your password and your phone. You would definitely notice if your phone went missing, so you’d report it before a thief could use it to log in. Plus, your phone should be locked, requiring a PIN or fingerprint to unlock, rendering it even less useful if someone wants to use your MFA credentials.

Using 2FA is one of the top three things that security experts do to protect their security online, according to recent Google survey. And consumers feel the same way: almost 9 in 10 (86%) say that using 2FA makes them feel like their online information is more secure, according to TeleSign.

When should I use MFA?

Stopping all online crime is not a realistic goal, but simple steps can massively reduce the likelihood you’ll be the next victim.

You should use MFA whenever possible, especially when it comes to your most sensitive data—like your primary email, your financial accounts, and your health records. While some organizations require you to use MFA, many offer it as an extra option that you can enable—but you must take the initiative to turn it on. Furthermore, if a business you interact with regularly, say your health organization, wants to provide you with convenient online access to health records, test results, and invoices, but only offers a password as a way to protect that data, consider saying: ‘no thanks, not until you provide MFA to secure my information.’

You can find a list of websites that offer MFA here and step-by-step instructions for enabling it for your accounts here. You can even use this browser extension that was created as a result of last year’s National Day of Civic Hacking challenge that we hosted; it lets you know which of the websites you use offer MFA—and makes it easy to call out those that don’t.

It’s simple: turn on MFA today!

 

This content was originally shared on the blog.

Created June 28, 2016, Updated June 12, 2023