
Term · 2. Authentication & Authorization

Multi-factor Authentication (MFA)

Multi-factor authentication (MFA) requires two or more independent factors from different categories — knowledge (password), possession (phone, token) and inherence (biometric) — so a stolen password alone cannot grant access. Phishing-resistant methods (FIDO2, passkeys) are now preferred over SMS or OTP. Mandated or expected by GDPR, PCI DSS v4.0.1, NIS2 and NIST SP 800-63.

IDM/IGA Domain

Definition

Authentication requiring two or more independent factors from different categories: knowledge (password), possession (phone, token), inherence (biometric). Mandated by GDPR Art. 32 (appropriate measures), PCI DSS, HIPAA Security Rule, and most security frameworks. Strength varies: SMS-based MFA is weaker (SIM-swap risk) than authenticator app (TOTP) which is weaker than FIDO2/passkey (phishing-resistant).
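The "different categories" rule and the strength ordering in this definition can be encoded as a policy check. The following is an added example, not code from the glossary or from any product named on this page; the authenticator catalogue and tier numbers are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Strength tiers follow the ordering given in the definition:
# SMS OTP < authenticator app (TOTP) < FIDO2/passkey. Knowledge and
# inherence factors carry tier 0: they count towards "different
# categories" but do not raise the session's ranked strength.
TIER_LABEL = {
    0: "MFA (no ranked second factor)",
    1: "MFA via SMS OTP (SIM-swap and phishing exposed)",
    2: "MFA via authenticator app (TOTP, still phishable)",
    3: "phishing-resistant MFA (FIDO2/passkey)",
}


@dataclass(frozen=True)
class Authenticator:
    name: str
    category: Category
    tier: int = 0


# Constructed catalogue used by the check below (hypothetical names).
PASSWORD = Authenticator("password", Category.KNOWLEDGE)
SECURITY_QUESTION = Authenticator("security question", Category.KNOWLEDGE)
SMS_OTP = Authenticator("SMS OTP", Category.POSSESSION, tier=1)
TOTP_APP = Authenticator("TOTP app", Category.POSSESSION, tier=2)
FIDO2_KEY = Authenticator("FIDO2 security key", Category.POSSESSION, tier=3)


def evaluate_session(factors: list[Authenticator]) -> tuple[bool, str]:
    """Decide whether the verified factors constitute MFA and how strong it is.

    MFA holds only when the factors span at least two distinct categories;
    a password plus a security question is two knowledge factors and stays
    single-factor. Strength is the best ranked factor present, assuming
    every listed factor was actually verified in this session.
    """
    categories = {f.category for f in factors}
    if len(categories) < 2:
        return False, "single-factor (factors share a category)"
    best = max(f.tier for f in factors)
    return True, TIER_LABEL[best]
```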

Application
MidPoint: Multi-factor authentication (MFA) is a composite mechanism, combining several independent authentication factors in a single authentication session.

SailPoint: Integration with IdP (Okta, Azure AD, Ping) — IIQ does not natively provide MFA
Standards & regulations
  • NIST SP 800-63-4 «multi-factor authentication (MFA): An authentication system that requires more than one distinct type of authentication factor for successful authentication. MFA can be performed using a multi-factor »
  • NIST SP 800-63B «Multi-Factor Authentication (MFA). An authentication system that requires more than one distinct authentication factor for successful authentication. Multi-factor authentication can be performed using»
  • NIST SP 800-53 Rev. 5 «multi-factor authentication: An authentication system or an authenticator that requires more than one authentication factor for successful authentication. Multi-factor authentication can be performed »
  • NIST SP 800-171 Rev. 3 «multi-factor authentication: Authentication using two or more different factors to achieve authentication. Factors include something you know (e.g., PIN, password), something you have (e.g., cryptogra»
  • NIST IR 8523 «multi-factor authentication (MFA): An authentication system that requires more than one distinct type of authentication factor for successful authentication. MFA can be performed using a multi-factor »
  • NIST SP 800-66 Rev. 2 «Multi-Factor Authentication (MFA): Authentication using two or more different factors to achieve authentication. Factors include something you know (e.g., PIN, password), something you have (e.g., cry»
  • NIST SP 800-82 Rev. 3 «Multi-Factor Authentication (MFA): Authentication using two or more different factors to achieve authentication. Factors include something you know (e.g., PIN, password), something you have (e.g., cry»
  • ISO/IEC 29115:2013 «multi-factor authentication: Authentication using more than one authentication factor. Typical factors include something the entity knows, something the entity possesses, and something the entity is.»
  • RFC 4949 «multifactor authentication (MFA): An authentication process that requires the use of two or more of the three authentication factors: something you know, something you have, and something you are.»

Frequently asked questions

What is multi-factor authentication (MFA)?

MFA combines two or more factors from different categories — something you know, something you have, something you are — so compromising one factor is not enough. It is the single highest-impact control against credential theft and phishing.

Is SMS-based MFA secure enough?

SMS and OTP beat passwords alone but are vulnerable to SIM-swap and phishing. Phishing-resistant methods — FIDO2 security keys and passkeys — are the current best practice and are explicitly preferred by PCI DSS v4.0.1 and NIST SP 800-63-4.

Where is MFA mandatory?

PCI DSS v4.0.1 requires MFA on all cardholder-data-environment access; NIS2 requires it for administrative and remote access; and NIST SP 800-63 defines the authenticator assurance levels used as a global reference.