What is Multi-Factor Authentication?
Definition
Multi-factor authentication (MFA) is a security mechanism that requires users to provide two or more independent verification factors to access a system. Factors include something you know (password), something you have (security token), and something you are (biometric).
In Depth
MFA is one of the most effective security controls available, reducing the risk of account compromise by over 99% according to industry research. Despite this, adoption remains inconsistent, making it a focal point for compliance auditors across all frameworks. SOC 2 auditors specifically look for MFA enforcement on production systems, cloud consoles, code repositories, and administrative interfaces. HIPAA considers MFA an addressable safeguard for systems accessing ePHI. ISO 27001 maps MFA to its authentication controls.

Implementation should prioritize phishing-resistant methods, such as hardware security keys (FIDO2/WebAuthn), and authenticator apps over SMS-based codes, which are vulnerable to SIM swapping attacks. Organizations should also consider adaptive MFA, which adjusts authentication requirements based on risk signals such as device trust, location, and behavior patterns.

A comprehensive MFA rollout includes selecting an identity provider, defining which applications and user roles require MFA, establishing exception processes, and planning user training and support.
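The adaptive-MFA idea above, as an added illustration that is not part of the original glossary entry: a small policy engine that ranks second factors by how well they resist interception and phishing, raises the minimum acceptable factor as risk signals (untrusted device, unfamiliar location, anomalous behaviour) accumulate, and always demands a FIDO2/WebAuthn key for administrative roles and sensitive applications. The role labels, resource names, risk weights and thresholds are all constructed assumptions for the example, not values any particular identity provider uses.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum


class Factor(IntEnum):
    """Second factors, ordered by how well they resist interception and phishing.

    SMS codes can be diverted by SIM swapping; TOTP codes from an authenticator
    app can be relayed through a phishing proxy; FIDO2/WebAuthn binds the
    assertion to the site origin and is the only phishing-resistant option here.
    """
    SMS = 1
    TOTP = 2
    FIDO2 = 3


@dataclass(frozen=True)
class AuthRequest:
    role: str                 # hypothetical role label, e.g. "admin" or "staff"
    resource: str             # hypothetical application name
    device_trusted: bool      # device is enrolled/managed by the organization
    known_location: bool      # user has authenticated from this network/geo before
    anomalous_behavior: bool  # e.g. impossible travel flagged by an upstream signal
    enrolled: frozenset       # Factor values the user has registered


# Constructed set of applications the policy treats as sensitive; it mirrors the
# systems named in the text (production, cloud consoles, code repositories,
# administrative interfaces).
SENSITIVE_RESOURCES = frozenset(
    {"production", "cloud_console", "code_repository", "admin_interface"}
)


def required_factor(req: AuthRequest) -> Factor:
    """Weakest second factor this request may use; stronger factors always satisfy it."""
    if req.role == "admin" or req.resource in SENSITIVE_RESOURCES:
        return Factor.FIDO2  # privileged access: phishing-resistant only
    risk = 0  # assumed weights: each signal adds to a simple additive score
    if not req.device_trusted:
        risk += 1
    if not req.known_location:
        risk += 1
    if req.anomalous_behavior:
        risk += 2
    if risk >= 2:
        return Factor.FIDO2  # several signals disagree with the user's usual pattern
    if risk == 1:
        return Factor.TOTP   # one weak signal: rule out SIM-swappable SMS codes
    return Factor.SMS        # low risk: any enrolled second factor is acceptable


def decide(req: AuthRequest, presented: Factor | None) -> str:
    """Return 'allow', 'step_up' (a stronger enrolled factor is needed) or 'deny'."""
    need = required_factor(req)
    if presented is not None and presented >= need:
        return "allow"
    if any(f >= need for f in req.enrolled):
        return "step_up"
    # Nothing strong enough is enrolled: route to the exception/enrollment process.
    return "deny"


if __name__ == "__main__":
    # Constructed sample requests for a quick walk-through.
    samples = [
        (AuthRequest("staff", "wiki", True, True, False, frozenset({Factor.SMS})), Factor.SMS),
        (AuthRequest("staff", "wiki", False, True, False,
                     frozenset({Factor.SMS, Factor.TOTP})), Factor.SMS),
        (AuthRequest("admin", "wiki", True, True, False, frozenset({Factor.TOTP})), Factor.TOTP),
        (AuthRequest("staff", "wiki", False, False, False,
                     frozenset({Factor.TOTP, Factor.FIDO2})), None),
    ]
    for req, presented in samples:
        print(req.role, req.resource, "needs", required_factor(req).name,
              "->", decide(req, presented))
```

The ordering in `Factor` is what makes "stronger factors always satisfy" a one-line comparison, and `deny` is where the rollout's exception process plugs in: a user who cannot meet the requirement with anything enrolled should be sent to enrollment or a help desk flow rather than quietly downgraded to a weaker factor.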
Related Terms
Access Control
Access control encompasses the policies, procedures, and technical mechanisms that regulate who can view or use resources within a computing environment. It ensures that only authorized individuals can access specific systems, data, or physical locations based on their role and need.
Role-Based Access Control
Role-Based Access Control (RBAC) is an access management model where permissions are assigned to roles rather than individual users, and users are assigned to roles based on their job functions. This simplifies administration and ensures consistent access provisioning.
Zero Trust
Zero Trust is a security model based on the principle that no user, device, or network should be inherently trusted, regardless of location. Every access request must be continuously verified based on identity, device posture, and context before granting access.
Least Privilege
The principle of least privilege dictates that users, systems, and processes should be granted only the minimum level of access necessary to perform their legitimate functions. Access rights should be regularly reviewed and promptly revoked when no longer needed.