If you're seeing this message, it means we're having trouble loading external resources on our website.

If you're behind a web filter, please make sure that the domains *.kastatic.org and *.kasandbox.org are unblocked.

Main content

Multi-factor authentication

Using a password is the most common form of authentication, but it is not the only form of authentication—nor is it the most secure. An attacker only has to learn a single piece of information (e.g. a password) to authenticate.
A more secure way to protect unwanted access to private data is multi-factor authentication, which requires multiple pieces of information to authenticate.

Authentication factors

Authentication requires you to present evidence to prove your identity. This evidence comes in three common forms:
  1. Evidence based on knowledge (i.e. something you know). You often prove your identity to a website by presenting them evidence in the form of a password. Your password represents something you know. Other examples include PINs or phrases.
Illustration of a thought bubble with the password "Be3tP@ssw0rd3ver"
  1. Evidence based on possession (i.e., something you have). ATMs verify users’ identities by requiring them to provide their bank cards as proof. Your bank card represents something you have. Examples include phones, keys, or security token devices.
Illustration of a hand holding an ATM card
  1. Evidence based on inherence (i.e., something you are). Newer phones can authenticate you by scanning your fingerprint. Your fingerprint represents something you are. Other examples include facial or voice recognition.
Illustration of a thumbprint and a woman speaking with sound waves coming out
The different forms of evidence are also known as factors of authentication. Other authentication factors exist (e.g., somewhere you are), but the ones above are the most commonly used.
Attackers can steal these factors of authentication to obtain unauthorized access to an account. Depending on the location of the attacker, certain forms of evidence are easier to steal than others. For instance, a remote attacker may find it easier to steal passwords than bank cards, whereas a local one may find the opposite easier.
Illustration of two attackers: the attacker on the left is shown monitoring a password being sent in plain text over the Internet, the attacker on the right is shown stealing an ATM card

Multi-factor authentication

To defend against both local and remote attacks, authentication systems use a common access control technique known as multi-factor authentication (MFA).
MFA requires a user to present evidence from multiple distinct factors (e.g. something you know and something you have) to gain access to a system.

Two-factor authentication

The most popular form of MFA uses two factors for authentication. Two-factor authentication (2FA) requires two proofs of identity and those two proofs must be from two different factors.
An authentication system requiring a password and PIN only uses one factor even though it asks for two pieces of evidence. Passwords and PINs fall into the knowledge factor, so that authentication system fails to meet the requirements of multi-factor authentication.
So if that system does not use two-factor authentication, what does an actual 2FA system look like? A common scheme first prompts you to enter a password (something you know) and then asks you to type a code generated on your phone (something you have).
Let's step through the two-factor authentication flow for signing into Github, a website for source code repositories and version control.
First, Github asks me to fill in a username and password:
Screenshot of Github login screen with two form fields (one for username, one for password) and a button that says "Sign in".
Github prompts me to enter an authentication code generated by an application on my device:
Screenshot of Github 2FA screen with a form field labeled "authentication code" and a button labeled "Verify". Text at the bottom says "Open the two-factor authentication app on your device to view your authentication code and verify your identity."
I open an authentication app on my phone and see the generated code for my Github account:
Photo of a hand holding a phone with an app open. The app is titled "Authenticator" and shows the code "188 071" labeled as "Github".
If you look closely, you’ll see a timer that counts down until the generated code expires. Once the countdown finishes, a new code will be generated, and the timer will be reset. Many 2FA systems add an expiration date to a piece of evidence to prevent attackers from using it forever.
Because the generated code will expire in a few minutes, I have to quickly paste it into the Github website on my laptop:
Screenshot of Github 2FA screen with a form field labeled "authentication code" and a button labeled "Verify". Field is filled out but contents are disguised as dots.
And after that, I'm now signed into my Github account!
The extra step of using my phone to generate a code more than doubled the time and complexity of signing into Github, but it also makes it much harder for an attacker to break into my Github account.
In May 2019, multiple users on Github discovered their code repositories wiped out and replaced with a ransom note. The users weren't using 2FA and had accidentally exposed their passwords, and that made it easy for attackers to take control of their accounts. That's why Github strongly recommends 2FA. 1
Since each additional factor of authentication adds another layer of security against attacks, why not use 3FA or even 4FA? It can be inconvenient for users to present 3 or more forms of evidence to authenticate, especially since systems often require re-authentication after a certain time. This is an example of a common trade-off in cybersecurity: usability vs security. As the security of a system increases, the usability of it may have to decrease.


To protect our accounts, it's best to use multi-factor authentication in addition to a strong password. According to a Google research study, MFA prevented more attacks than single-factor authentication, preventing 100% of the attacks from automated bots and significantly reducing other attacks. 2
It's not possible to use MFA if the website does not support it, but as more websites upgrade their systems to support MFA, we can occasionally check to see if they now support MFA. If you use a password manager, it may even notify you when one of your accounts can be MFA-protected.
We also need to be careful to ensure evidence from one factor does not contain evidence from another factor. For instance, if you store passwords in your phone’s Notes app and someone manages to steal and unlock your phone, they would have access to both possession-based evidence and knowledge-based evidence. 😬
🤔 When a system uses multiple factors of authentication, it stores more information about you. Is this a privacy concern?

🙋🏽🙋🏻‍♀️🙋🏿‍♂️Do you have any questions about this topic? We'd love to answer—just ask in the questions area below!

Want to join the conversation?