Multi-factor authentication, often abbreviated as MFA, isn’t just another security layer; it’s the fundamental shift from trusting devices to verifying people.

Let’s see it in action. Imagine logging into a service that requires MFA.

First, you enter your username and password. This is your first factor: something you know.

Next, the system prompts you for a code. This is often a Time-based One-Time Password (TOTP) from an app like Google Authenticator or Authy. This is your second factor: something you have (your phone). The code changes every 30-60 seconds, so a captured code is only usable for a very short window and is hard for an attacker to reuse.

Alternatively, you might be prompted to use a hardware security key, like a YubiKey or a Titan Security Key. This is also something you have, but it’s a physical device that cryptographically signs your login attempt.

Even more advanced is a passkey. This uses public-key cryptography to authenticate you: a key pair whose private key is stored securely on your device (phone, computer, or a dedicated security key). When you log in, your device uses its private key to sign a challenge from the server, proving you are in possession of the correct device without ever transmitting a secret.

The core problem MFA solves is the inherent weakness of single-factor authentication. Passwords, even strong ones, can be phished, leaked in data breaches, or brute-forced. If an attacker gets your password, they have full access. MFA introduces a second hurdle that’s much harder to overcome. The system verifies your identity by confirming you possess a second, independent credential.

Internally, when you use TOTP, the server and your authenticator app share a secret key. Both use the same algorithm and the current time to generate the same code. When you enter the code, the server compares it with the code it generated for the same time step. For hardware keys and passkeys, the process is a cryptographic challenge-response. The server sends a random challenge, and your device uses its private key to sign it. The server, knowing your public key, can verify the signature. This proves you have the device without the private key ever leaving it.

The levers you control are the types of factors you enable and how you manage them. For TOTP, it’s ensuring your authenticator app is synced and backed up. For hardware keys and passkeys, it’s about securely storing them and having recovery methods.

The most surprising aspect of MFA, and particularly passkeys, is that they often make the login experience smoother and more secure simultaneously. Instead of typing a complex password and then a code, a single tap or biometric scan on your device can authenticate you. The security benefit comes from the cryptographic nature of hardware keys and passkeys, which are resistant to phishing and man-in-the-middle attacks in a way that TOTP codes are not.
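The reason the challenge-response factor resists phishing, where a TOTP code does not, is that the device signs not only the server's challenge but also the origin the browser reports it is talking to, so an assertion produced on a look-alike site does not verify at the real one. The following added example (my code, not the article's and not any browser's or authenticator's implementation) models that in Go with the standard library's Ed25519, which stands in for whatever signature scheme a given passkey uses. The signed message is a simplified version of what WebAuthn calls clientDataJSON; the origins `https://example.com` and `https://examp1e.com` and the user `alice` are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// clientData is the message the device actually signs: the server's challenge
// together with the origin the browser reports. This mirrors the role of
// WebAuthn's clientDataJSON in simplified form (assumption: a real
// authenticator also signs authenticator data, omitted here).
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator models the device. The private key is created here and never
// leaves the struct; only signatures come out.
type Authenticator struct{ priv ed25519.PrivateKey }

func NewAuthenticator() (*Authenticator, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}, pub
}

// Sign returns the signed message and its signature for whatever origin the
// browser is on. The device cannot tell a look-alike site from the real one;
// it simply binds the signature to the origin it was given.
func (a *Authenticator) Sign(challenge []byte, origin string) (msg, sig []byte) {
	var err error
	msg, err = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	if err != nil {
		panic(err)
	}
	return msg, ed25519.Sign(a.priv, msg)
}

// Server stores public keys only, plus outstanding challenges, and knows its
// own origin.
type Server struct {
	origin     string
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Challenge issues a fresh random nonce for one login attempt.
func (s *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.challenges[user] = c
	return c
}

// Verify accepts an assertion only if the challenge is the one outstanding for
// this user (and consumes it), the signed origin is the server's own, and the
// signature checks under the registered public key.
func (s *Server) Verify(user string, msg, sig []byte) bool {
	pub, ok := s.keys[user]
	if !ok {
		return false
	}
	want, ok := s.challenges[user]
	if !ok {
		return false
	}
	delete(s.challenges, user) // single use, whatever the outcome
	var cd clientData
	if err := json.Unmarshal(msg, &cd); err != nil {
		return false
	}
	if !bytes.Equal(cd.Challenge, want) || cd.Origin != s.origin {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	auth, pub := NewAuthenticator()
	srv := NewServer("https://example.com") // constructed origin
	srv.Register("alice", pub)

	// Normal login: the challenge is signed while the browser is on the real origin.
	msg, sig := auth.Sign(srv.Challenge("alice"), "https://example.com")
	fmt.Println("genuine login verified:", srv.Verify("alice", msg, sig))

	// Same device, same challenge, but signed while the browser is on a
	// look-alike origin (constructed) and then forwarded to the real server.
	msg, sig = auth.Sign(srv.Challenge("alice"), "https://examp1e.com")
	fmt.Println("look-alike origin verified:", srv.Verify("alice", msg, sig))
}
```

Two properties carry the security argument: the challenge is random and consumed on first use, so a recorded assertion cannot be presented again, and the origin is inside the signed bytes, so it can neither be signed for the wrong site and accepted nor be edited afterwards without breaking the signature. A TOTP code has neither property, which is why it can be relayed in real time by a site that merely asks for it.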

The next step in identity assurance involves exploring context-aware access policies that dynamically adjust security requirements based on location, device, and user behavior.
