If you're seeing this message, it means we're having trouble loading external resources on our website.

If you're behind a web filter, please make sure that the domains *.kastatic.org and *.kasandbox.org are unblocked.

Main content

Multi-factor authentication

Using a password is the most common form of authentication, but it is not the only form of authentication—nor is it the most secure. An attacker only has to learn a single piece of information (e.g. a password) to authenticate.
A more secure way to protect unwanted access to private data is multi-factor authentication, which requires multiple pieces of information to authenticate.

Authentication factors

Authentication requires you to present evidence to prove your identity. This evidence comes in three common forms:
  1. Evidence based on knowledge (i.e. something you know). You often prove your identity to a website by presenting them evidence in the form of a password. Your password represents something you know. Other examples include PINs or phrases.
Illustration of a thought bubble with the password "Be3tP@ssw0rd3ver"
  1. Evidence based on possession (i.e., something you have). ATMs verify users’ identities by requiring them to provide their bank cards as proof. Your bank card represents something you have. Examples include phones, keys, or security token devices.
Illustration of a hand holding an ATM card
  1. Evidence based on inherence (i.e., something you are). Newer phones can authenticate you by scanning your fingerprint. Your fingerprint represents something you are. Other examples include facial or voice recognition.
Illustration of a thumbprint and a woman speaking with sound waves coming out
The different forms of evidence are also known as factors of authentication. Other authentication factors exist (e.g., somewhere you are), but the ones above are the most commonly used.
Attackers can steal these factors of authentication to obtain unauthorized access to an account. Depending on the location of the attacker, certain forms of evidence are easier to steal than others. For instance, a remote attacker may find it easier to steal passwords than bank cards, whereas a local one may find the opposite easier.
Illustration of two attackers: the attacker on the left is shown monitoring a password being sent in plain text over the Internet, the attacker on the right is shown stealing an ATM card

Multi-factor authentication

To defend against both local and remote attacks, authentication systems use a common access control technique known as multi-factor authentication (MFA).
MFA requires a user to present evidence from multiple distinct factors (e.g. something you know and something you have) to gain access to a system.

Two-factor authentication

The most popular form of MFA uses two factors for authentication. Two-factor authentication (2FA) requires two proofs of identity and those two proofs must be from two different factors.
An authentication system requiring a password and PIN only uses one factor even though it asks for two pieces of evidence. Passwords and PINs fall into the knowledge factor, so that authentication system fails to meet the requirements of multi-factor authentication.
So if that system does not use two-factor authentication, what does an actual 2FA system look like? A common scheme first prompts you to enter a password (something you know) and then asks you to type a code generated on your phone (something you have).
Let's step through the two-factor authentication flow for signing into Github, a website for source code repositories and version control.
First, Github asks me to fill in a username and password:
Screenshot of Github login screen with two form fields (one for username, one for password) and a button that says "Sign in".
Github prompts me to enter an authentication code generated by an application on my device:
Screenshot of Github 2FA screen with a form field labeled "authentication code" and a button labeled "Verify". Text at the bottom says "Open the two-factor authentication app on your device to view your authentication code and verify your identity."
I open an authentication app on my phone and see the generated code for my Github account:
Photo of a hand holding a phone with an app open. The app is titled "Authenticator" and shows the code "188 071" labeled as "Github".
If you look closely, you’ll see a timer that counts down until the generated code expires. Once the countdown finishes, a new code will be generated, and the timer will be reset. Many 2FA systems add an expiration date to a piece of evidence to prevent attackers from using it forever.
Because the generated code will expire in a few minutes, I have to quickly paste it into the Github website on my laptop:
Screenshot of Github 2FA screen with a form field labeled "authentication code" and a button labeled "Verify". Field is filled out but contents are disguised as dots.
And after that, I'm now signed into my Github account!
The extra step of using my phone to generate a code more than doubled the time and complexity of signing into Github, but it also makes it much harder for an attacker to break into my Github account.
In May 2019, multiple users on Github discovered their code repositories wiped out and replaced with a ransom note. The users weren't using 2FA and had accidentally exposed their passwords, and that made it easy for attackers to take control of their accounts. That's why Github strongly recommends 2FA. 1
Since each additional factor of authentication adds another layer of security against attacks, why not use 3FA or even 4FA? It can be inconvenient for users to present 3 or more forms of evidence to authenticate, especially since systems often require re-authentication after a certain time. This is an example of a common trade-off in cybersecurity: usability vs security. As the security of a system increases, the usability of it may have to decrease.

Recommendations

To protect our accounts, it's best to use multi-factor authentication in addition to a strong password. According to a Google research study, MFA prevented more attacks than single-factor authentication, preventing 100% of the attacks from automated bots and significantly reducing other attacks. 2
It's not possible to use MFA if the website does not support it, but as more websites upgrade their systems to support MFA, we can occasionally check to see if they now support MFA. If you use a password manager, it may even notify you when one of your accounts can be MFA-protected.
We also need to be careful to ensure evidence from one factor does not contain evidence from another factor. For instance, if you store passwords in your phone’s Notes app and someone manages to steal and unlock your phone, they would have access to both possession-based evidence and knowledge-based evidence. 😬
🤔 When a system uses multiple factors of authentication, it stores more information about you. Is this a privacy concern?

🙋🏽🙋🏻‍♀️🙋🏿‍♂️Do you have any questions about this topic? We'd love to answer—just ask in the questions area below!

Want to join the conversation?

  • female robot grace style avatar for user S
    Can't you fake a fingerprint? I read once that some basic fingerprint scanners can be tricked by just being shown a picture of a fingerprint, because they use cameras. Of course, I know that some factors of authentication can't be fake, but what about fingerprints, and others? Or pictures of a user's face, for facial recognition?
    (19 votes)
    • starky ultimate style avatar for user KLaudano
      There are several types of fingerprint scanners; optical, capacitance, and ultrasonic. The optical sensors could possibly be fooled by pictures, but that will not work on the other two. With plenty of time and more sophisticated methods, it is possible to trick the other two sensors, but it is generally impractical to do so.

      As for facial recognition, less sophisticated models can also be fooled with simple pictures. However, better facial scanners will use infrared cameras and will not be tricked with a picture. Again, even better facial scanners can be fooled, but not without prohibitive difficulty.
      (13 votes)
  • blobby purple style avatar for user Grace
    Why does there have to be an authentication code?
    (10 votes)
    • starky ultimate style avatar for user KLaudano
      Entering the authentication code proves that the person logging into the account has the phone associated with that account. So, if someone wanted to hack into the account, they would not only need the username and password, but they would also have to get ahold of the phone to obtain the authentication code. If the hacker is a bot or a person that lives far away, this would be extremely difficult to do.
      (11 votes)
  • leaf red style avatar for user Gamar
    Doesn't using a phone authenticator do little to nothing or make it worse when it comes to privacy and security considering how unsafe a cellphone is compared to a PC setup with a VPN?
    (5 votes)
    • hopper cool style avatar for user Muhammad Fachrudin
      It's like the bank card analogy, a phone is something you have. The hacker is very unlikely to have access to your phone too(except if they plant some malware on your phone or something, which is very unlikely except you're being specifically targeted). Also, adding another factor of authentication will never make something less secure, as long as the all of the factors are independent(doesn't contain clue to another factor like the last paragraph said).
      (7 votes)
  • starky seed style avatar for user MikeMike
    If Im just using Someone else free wifi and there setting in the room with me on the phone the same time as me. Is it a possibility im at risk at being hacked by them?
    (2 votes)
    • hopper happy style avatar for user TimeStop@3
      Yes, it is possible to be hacked by someone on the same wifi network. Everything you do over the internet is visible to people on the same network. Tools such as WireShark can allow a person to analyses what you do on the web in the form of web requests. Sites that use HTTPS encrypt web requests, making it much harder for someone to view. If you were to enter login information in a site that uses HTTPS, your username and password would be unreadable to someone looking at your network traffic. Never enter sensitive data in forms or logins that use HTTP, because data sent this way is not encrypted, and all communications can be viewed.

      Another way you can be hacked when connected to a network is if your computer has a vulnerability or misconfiguration that allows an attacker to connect and take control of your computer or phone. Usually, this can be prevented by installing the latest updates, and running antivirus scans regularly.

      It is best not to use public wifi. If you do, do not visit sites that require sensitive data, such as banks. If you can, wait until you get home to browse the internet. If you are at a friend's house, you are most likely not going to be hacked (unless their wifi network has been compromised). When in public, use your cellular data for internet activities, because others cannot look at what you do.
      (8 votes)
  • aqualine ultimate style avatar for user phan
    nguyen phu hai anh
    (2 votes)
    Default Khan Academy avatar avatar for user
  • blobby green style avatar for user Kay.Kay30
    Let's say that you are using cellular data near a hacker. Could the hacker hack from there with the cellular data?
    (1 vote)
    Default Khan Academy avatar avatar for user
  • blobby green style avatar for user PrettyPrincess
    Would you recommend using face ID?
    (0 votes)
    Default Khan Academy avatar avatar for user
  • blobby green style avatar for user rakeshrag
    What if someone has a recording of your voice? Would they still be able to hack into your account by playing the recording if it asks for voice verification?
    (0 votes)
    Default Khan Academy avatar avatar for user
    • starky ultimate style avatar for user KLaudano
      Possibly, depending on how it is implemented. If it always asks you to say the same thing or just anything at all, then a recording might be able to fool it. However, if it asks you to say something like a word that appears on the screen and changes each time, then it would be significantly harder to use a recording to hack into the device. With the increasing usage of AI to mimic and generate voices for people though, even that would likely not be enough to stop someone from hacking into the device.
      (2 votes)
  • marcimus purple style avatar for user nadinepatchin
    if a hacker got into your phone would they be able to see your photos or stalk you?
    (1 vote)
    Default Khan Academy avatar avatar for user
  • duskpin sapling style avatar for user tazreen2022
    could the hacker trace our finger prints by any chance?
    (1 vote)
    Default Khan Academy avatar avatar for user