Definition
Multi-factor authentication requires evidence from at least two distinct authentication-factor categories before granting access to an account or sensitive action.
In market context
Factor categories include something known, possessed, or inherent; two passwords do not constitute two different factors. Authenticator apps, hardware security keys, and passkeys generally resist common attacks better than reusable passwords, while some methods remain vulnerable to phishing or account recovery abuse. MFA materially improves account security but must be paired with secure recovery, session review, and protection of enrolled devices.
Risk context
Never disclose an authentication code or approve an unexpected prompt; MFA fatigue and real-time phishing can bypass weaker methods.
Source
Use the primary source for fuller regulatory or market context.
