Multi-factor authentication (MFA)


A security mechanism that requires users to provide multiple forms of authentication to verify their identity when accessing a system, application, or service.

MFA typically involves three factors of authentication:

  1. Something the user knows (such as a password, PIN, or answer to a security question)

  2. Something the user has (such as a token, smart card, or mobile device)

  3. Something the user is (such as a biometric like a fingerprint, facial recognition, or iris scan)

By requiring multiple forms of authentication, MFA provides an additional layer of security beyond traditional password-based authentication, which is vulnerable to attacks such as password guessing, phishing, and credential stuffing.

MFA is becoming increasingly important for securing access to sensitive data, systems, and applications, and it is often required by industry regulations and standards. Many services and applications now offer MFA options to users, such as SMS codes, authenticator apps, or biometric authentication, to ensure that only authorized users can access their accounts or data.

Within our systems, MFA is primarily done using privacyIDEA, an open-source software package supporting a wide range of authentication options. Supported MFA types include time-based one-time passwords (TOTP), U2F (devices specified by the FIDO Alliance, such as YubiKeys), and WebAuthn (tokens such as Windows Hello).

 


Support: perun@cesnet.cz