What is MFA (multi-factor authentication)?

Multi-factor authentication (MFA) is a multi-step account login process that requires users to enter more information than just a password. For example, along with the password, users might be asked to enter a code sent to their email, answer a secret question, or scan a fingerprint. A second form of authentication can help prevent unauthorized account access if a system password has been compromised.

Why is multi-factor authentication necessary?

Digital security is critical in today's world because both businesses and users store sensitive information online. Everyone interacts with applications, services, and data that are stored on the internet using online accounts. A breach, or misuse, of this online information could have serious real-world consequences, such as financial theft, business disruption, and loss of privacy.

While passwords protect digital assets, they are simply not enough. Expert cybercriminals try to actively find passwords. By discovering one password, access can potentially be gained to multiple accounts for which you might have reused the password. Multi-factor authentication acts as an additional layer of security to prevent unauthorized users from accessing these accounts, even when the password has been stolen. Businesses use multi-factor authentication to validate user identities and provide quick and convenient access to authorized users.

What are the benefits of multi-factor authentication?

Reduces security risk

Multi-factor authentication minimizes risks due to human error, misplaced passwords, and lost devices.

Enables digital initiatives

Organizations can undertake digital initiatives with confidence. Businesses use multi-factor authentication to help protect organizational and user data so that they can carry out online interactions and transactions securely.

Improves security response

Companies can configure a multi-factor authentication system to actively send an alert whenever it detects suspicious login attempts. This helps both companies and individuals to respond faster to cyberattacks, which minimizes any potential damage.

How does multi-factor authentication work?

Multi-factor authentication works by requesting multiple forms of ID from the user at the time of account registration. The system stores this ID and user information to verify the user for next login. The login is a multi-step process that verifies the other ID information along with the password.

We describe the steps in the multi-factor authentication process below:


A user creates the account with username and password. They then link other items, such as a cell phone device or physical hardware fob, to their account. The item might also be virtual, such as an email address, mobile number, or authenticator app code. All these items help to uniquely identify the user and should not be shared with others.


When a user with MFA-enabled logs into a website, they are prompted for their username and password (the first factor–what they know), and an authentication response from their MFA device (the second factor–what they have).

If the system verifies the password, it connects to the other items. For example, it may issue a number code to the hardware device or send a code by SMS to the user's mobile device.


The user completes the authentication process by verifying the other items. For example, they might enter the code they have received or press a button on the hardware device. The user gets access to the system only when all the other information is verified.

Implementation of the process

Multi-factor authentication might be implemented in different ways. These are some examples:

  • The system asks for just the password and one more ID, called two-factor authentication or two-step authentication.
  • Instead of the system, a third-party application called an authenticator verifies the user's identity. The user enters the passcode into the authenticator, and the authenticator confirms the user to the system.
  • During verification, the user enters biometric information by scanning a fingerprint, retina, or other body part.
  • The system may request multiple authentications only when you access it for the first time on a new device. After that, it will remember the machine and ask only for your password.

What is adaptive multi-factor authentication?

Adaptive multi-factor authentication, or adaptive MFA, uses business rules and information about the user to determine which authentication factors it should apply. Businesses use adaptive authentication to balance security requirements with the user experience.

For example, adaptive authentication solutions can increase or decrease user authentication steps dynamically by using contextual user information such as:

  • Number of failed login attempts
  • Geographical location of the user
  • Geo-velocity or the physical distance between consecutive login attempts
  • Device being used for login
  • Day and time of login attempt
  • Operating system
  • Source IP address
  • User role

How can artificial intelligence improve multi-factor authentication?

Adaptive authentication solutions use artificial intelligence (AI) and machine learning (ML) to analyze trends and identify suspicious activity in system access. These solutions can monitor user activity over time to identify patterns, establish baseline user profiles, and detect unusual behavior, such as these actions:

  • Login attempts at unusual hours
  • Login attempts from unusual locations
  • Login attempts from unknown devices

ML algorithms assign risk scores to suspicious events and adjust multiple authentication factors in real time based on business policies. For example, if the behavior is classified as low-risk, the user can sign in with just a username and password. On the other hand, the user must enter an SMS code for medium-risk behavior, and if the behavior is high-risk, the user is denied access altogether.

What are examples of multi-factor authentication?

We give some examples of how businesses can use multi-factor authentication below:

Remote access to employees

A company wants to give remote resource access to its employees. It can set up multi-factor authentication requiring login, a hardware fob, and a fingerprint scan on company-issued laptops that the employees take home. Based on the employee's IP address, the company can set rules that the employee needs to use two-factor authentication when working from home. However, the company may require three-factor authentication when the employee is working on any other wifi network.

System access to on-site employees only

A hospital wants to give access to its health applications and patient data to all its employees. The hospital gives the employees a proximity badge to access these applications while they are at work. At the start of each shift, the employee has to log in and tap the badge to a central system. During the shift, they can access all resources with a single tap of the badge, without more login requirements. At the end of the shift, the single tap access rights end. This minimizes the risk of unauthorized access due to lost badges.

What are the multi-factor authentication methods?

MFA authentication methods are based on something you know, something you have and/or something you are. We describe some common authentication factors below:

Knowledge factor

In the knowledge factor method, users have to prove their identity by revealing information no one else knows. A typical example of this authentication factor is secret questions with answers only the user would know, such as the name of their first pet or their mother's maiden name. Applications may also request access to a four-digit pin code.

These methods are secure only as long as no one else discovers the secret information. Criminals might investigate the user's personal history or trick them into revealing this information. Pin codes can also be cracked using a brute-force method that guesses every four-digit number combination possible.

Possession factor

In the possession factor method, users identify themselves by something they uniquely own. Here are some examples:

  • Physical devices like mobile phones, security tokens,display cards, hardware fobs, and security keys.
  • Digital assets like email accounts and authenticator applications

The system sends a secret code as a digital message to these devices or assets, which the user then re-enters into the system. The account can be compromised if the device is lost or stolen. Some security tokens circumvent this problem by connecting directly to the system so that they cannot be digitally accessed.

Inherence factor

Inherence methods use information that is inherent to the user. These are a few examples of such authentication factors:

  • Fingerprint scans
  • Retina scans
  • Voice recognition
  • Facial recognition
  • Behavioral biometrics like keystroke dynamics 

The application has to collect and store this information along with the password during registration. The business managing the application has to protect biometrics along with passwords.

What are the best practices for setting up multi-factor authentication?

All businesses should set up enterprise-wide policies to restrict access and secure digital resources. The following are some of the best practices in access management:

Create user roles

You can fine-tune access control policies by grouping users into roles. For example, you can grant privileged admin users more access rights than end-users.

Create strong password policies

You should still enforce strong policies even if you have three or four-factor authentication. You can implement rules to create passwords with a combination of upper and lower case, special characters, and numbers.

Rotate security credentials

It is an excellent practice to ask your users to change passwords regularly. You can automate this process by having the system deny access until the password has been changed.

Follow least privilege policy

Always start new users at the lowest level of privilege and access rights in your system. You can increase privilege by manual authorization or gradually as the user builds trust through verified credentials.

What is AWS identity?

You can use AWS Identity Services to manage identities, resources, and permissions securely and at scale. For example, they give your:

  • Workforce a choice of where to manage the identities and credentials of your employees, and the fine-grained permissions to grant the right access, to the right people, at the right time.
  • Developers more time to build great apps for your customers by enabling them to add user sign-up, sign-in, and access control to your web and mobile apps quickly and effortlessly.

For example, for your customer-facing applications, Amazon Cognito helps you create a simple, secure, scalable, and standards-based sign-up and sign-in customer experience for your apps. Amazon Cognito supports multi-factor authentication and encryption of data at rest and in transit. It helps you meet multiple security and compliance requirements, including those for highly regulated organizations such as healthcare companies and merchants.

Additionally, AWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify who can access which services and resources, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to ensure least-privilege permissions.

Multi-Factor Authentication (MFA) is an AWS IAM feature that adds an extra layer of protection on top of your username and password. With MFA enabled, when a user signs in to an AWS Management Console, it prompts them to enter their username and password (the first factor—what they know), as well as to enter an authentication code from their AWS MFA device (the second factor—what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.

Next steps on AWS

Check out additional security, identity & compliance product resources
Learn more about security services 
Sign up for a free account

Instant get access to the AWS Free Tier.

Create a free account 
Start building in the console

Get started building in the AWS management console.

Sign in