
Multi-factor authentication

AP.CSP: IOC‑2.B (LO), IOC‑2.B.1 (EK), IOC‑2.B.3 (EK), IOC‑2.B.4 (EK)
Using a password is the most common form of authentication, but it is not the only form of authentication—nor is it the most secure. An attacker only has to learn a single piece of information (e.g. a password) to authenticate.
A more secure way to protect against unwanted access to private data is multi-factor authentication, which requires multiple pieces of information to authenticate.

Authentication factors

Authentication requires you to present evidence to prove your identity. This evidence comes in three common forms:
  1. Evidence based on knowledge (i.e., something you know). You often prove your identity to a website by presenting it with evidence in the form of a password. Your password represents something you know. Other examples include PINs or phrases.
Illustration of a thought bubble with the password "Be3tP@ssw0rd3ver"
  2. Evidence based on possession (i.e., something you have). ATMs verify users’ identities by requiring them to provide their bank cards as proof. Your bank card represents something you have. Examples include phones, keys, or security token devices.
Illustration of a hand holding an ATM card
  3. Evidence based on inherence (i.e., something you are). Newer phones can authenticate you by scanning your fingerprint. Your fingerprint represents something you are. Other examples include facial or voice recognition.
Illustration of a thumbprint and a woman speaking with sound waves coming out
The different forms of evidence are also known as factors of authentication. Other authentication factors exist (e.g., somewhere you are), but the ones above are the most commonly used.
Attackers can steal these factors of authentication to obtain unauthorized access to an account. Depending on the location of the attacker, certain forms of evidence are easier to steal than others. For instance, a remote attacker may find it easier to steal passwords than bank cards, whereas a local one may find the opposite easier.
Illustration of two attackers: the attacker on the left is shown monitoring a password being sent in plain text over the Internet, the attacker on the right is shown stealing an ATM card

Multi-factor authentication

To defend against both local and remote attacks, authentication systems use a common access control technique known as multi-factor authentication (MFA).
MFA requires a user to present evidence from multiple distinct factors (e.g. something you know and something you have) to gain access to a system.

Two-factor authentication

The most popular form of MFA uses two factors for authentication. Two-factor authentication (2FA) requires two proofs of identity and those two proofs must be from two different factors.
An authentication system requiring a password and PIN only uses one factor even though it asks for two pieces of evidence. Passwords and PINs fall into the knowledge factor, so that authentication system fails to meet the requirements of multi-factor authentication.
So if that system does not use two-factor authentication, what does an actual 2FA system look like? A common scheme first prompts you to enter a password (something you know) and then asks you to type a code generated on your phone (something you have).
Let's step through the two-factor authentication flow for signing into GitHub, a website for source code repositories and version control.
First, GitHub asks me to fill in a username and password:
Screenshot of GitHub login screen with two form fields (one for username, one for password) and a button that says "Sign in".
GitHub prompts me to enter an authentication code generated by an application on my device:
Screenshot of GitHub 2FA screen with a form field labeled "authentication code" and a button labeled "Verify". Text at the bottom says "Open the two-factor authentication app on your device to view your authentication code and verify your identity."
I open an authentication app on my phone and see the generated code for my GitHub account:
Photo of a hand holding a phone with an app open. The app is titled "Authenticator" and shows the code "188 071" labeled as "Github".
If you look closely, you’ll see a timer that counts down until the generated code expires. Once the countdown finishes, a new code will be generated, and the timer will be reset. Many 2FA systems add an expiration date to a piece of evidence to prevent attackers from using it forever.
Because the generated code will expire in a few minutes, I have to quickly paste it into the GitHub website on my laptop:
Screenshot of GitHub 2FA screen with a form field labeled "authentication code" and a button labeled "Verify". Field is filled out but contents are disguised as dots.
And after that, I'm now signed into my GitHub account!
The extra step of using my phone to generate a code more than doubled the time and complexity of signing into GitHub, but it also makes it much harder for an attacker to break into my GitHub account.
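How a phone and a server can agree on an expiring code without contacting each other, as an added example (not Khan Academy's or GitHub's code). It assumes the authenticator app follows the TOTP standard (RFC 6238) with a 30-second time step, which the article does not state; the secret is the RFC's published test key, and the `Verifier` class is hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds one code stays current (RFC 6238 default; an assumption here)
DIGITS = 6   # code length, matching the six-digit code in the screenshot

def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Code for the time step that contains unix_time (HMAC-SHA1 variant)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as defined in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Server side: accepts each code once, within +/- `drift` time steps."""
    def __init__(self, secret: bytes, drift: int = 1):
        self.secret = secret
        self.drift = drift
        self.last_used_step = -1  # highest time step already accepted

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for step in range(max(0, current - self.drift), current + self.drift + 1):
            if step <= self.last_used_step:
                continue  # this step's code was already used: reject replays
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_used_step = step
                return True
        return False

# Constructed demo input: the RFC 6238 test secret, not a real account secret.
SECRET = b"12345678901234567890"

def demo():
    server = Verifier(SECRET)
    code = totp(SECRET, 59)  # the phone computes a code at t = 59 s
    return [
        code,
        server.verify(code, 59),             # fresh code: accepted
        server.verify(code, 59),             # same code again: rejected as a replay
        Verifier(SECRET).verify(code, 179),  # two minutes later: expired
    ]

if __name__ == "__main__":
    print(demo())
```

The phone and the server share only the secret and a clock, so a stolen password alone does not let an attacker produce a valid code, and a captured code stops working once its time window passes or it has been used.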
In May 2019, multiple users on GitHub discovered their code repositories wiped out and replaced with a ransom note. The users weren't using 2FA and had accidentally exposed their passwords, and that made it easy for attackers to take control of their accounts. That's why GitHub strongly recommends 2FA.¹
Since each additional factor of authentication adds another layer of security against attacks, why not use 3FA or even 4FA? It can be inconvenient for users to present 3 or more forms of evidence to authenticate, especially since systems often require re-authentication after a certain time. This is an example of a common trade-off in cybersecurity: usability vs security. As the security of a system increases, the usability of it may have to decrease.

Recommendations

To protect our accounts, it's best to use multi-factor authentication in addition to a strong password. According to a Google research study, MFA prevented more attacks than single-factor authentication, preventing 100% of the attacks from automated bots and significantly reducing other attacks.²
It's not possible to use MFA if the website does not support it, but as more websites upgrade their systems to support MFA, we can occasionally check to see if they now support MFA. If you use a password manager, it may even notify you when one of your accounts can be MFA-protected.
We also need to be careful to ensure evidence from one factor does not contain evidence from another factor. For instance, if you store passwords in your phone’s Notes app and someone manages to steal and unlock your phone, they would have access to both possession-based evidence and knowledge-based evidence. 😬
🤔 When a system uses multiple factors of authentication, it stores more information about you. Is this a privacy concern?

🙋🏽🙋🏻‍♀️🙋🏿‍♂️Do you have any questions about this topic? We'd love to answer—just ask in the questions area below!


  • Grace
    Why does there have to be an authentication code?
    (4 votes)
    • KLaudano
      Entering the authentication code proves that the person logging into the account has the phone associated with that account. So, if someone wanted to hack into the account, they would not only need the username and password, but they would also have to get ahold of the phone to obtain the authentication code. If the hacker is a bot or a person that lives far away, this would be extremely difficult to do.
      (3 votes)
  • Gamar
    Doesn't using a phone authenticator do little to nothing or make it worse when it comes to privacy and security considering how unsafe a cellphone is compared to a PC setup with a VPN?
    (3 votes)
    • Muhammad Fachrudin
      It's like the bank card analogy: a phone is something you have. The hacker is very unlikely to have access to your phone too (except if they plant some malware on your phone or something, which is very unlikely unless you're being specifically targeted). Also, adding another factor of authentication will never make something less secure, as long as all of the factors are independent (they don't contain a clue to another factor, like the last paragraph said).
      (4 votes)
  • S
    Can't you fake a fingerprint? I read once that some basic fingerprint scanners can be tricked by just being shown a picture of a fingerprint, because they use cameras. Of course, I know that some factors of authentication can't be faked, but what about fingerprints, and others? Or pictures of a user's face, for facial recognition?
    (3 votes)
    • KLaudano
      There are several types of fingerprint scanners: optical, capacitance, and ultrasonic. The optical sensors could possibly be fooled by pictures, but that will not work on the other two. With plenty of time and more sophisticated methods, it is possible to trick the other two sensors, but it is generally impractical to do so.

      As for facial recognition, less sophisticated models can also be fooled with simple pictures. However, better facial scanners will use infrared cameras and will not be tricked with a picture. Again, even better facial scanners can be fooled, but not without prohibitive difficulty.
      (2 votes)
  • Life O'clock
    Hi, how are you today?
    (2 votes)
  • AlexisH
    Why does there have to be an authentication code?
    (2 votes)
  • Abdullah Sarfraz
    Wow! It's very cool how our fingerprints are unique and different even though there are trillions of people here, or almost infinity if thinking about new offspring. I can't thank God (Allah) enough for making these things. He has done what wasn't expected.
    (2 votes)
  • apphiabisrael
    Evidence based on possession (i.e., something you have). ATMs verify users’ identities by requiring them to provide their bank cards as proof. Your bank card represents something you have. Examples include phones, keys, or security token devices.
    (0 votes)
  • James ivory mann
    What if you get a new number and don't remember the password?
    (0 votes)