
MFA (Multi-Factor Authentication)

Also known as: 2FA · Two-Factor Authentication
SOC 2 · ISO 27001 · PCI DSS · HIPAA · GLBA

Authentication requiring two or more factors from independent categories (knowledge, possession, inherence).

Multi-Factor Authentication requires the user to present two or more independent authentication factors: something you know (password), have (token, phone), or are (biometric). Phishing-resistant MFA (FIDO2/WebAuthn) is required by NIST 800-63B AAL2/3 for high-risk systems.

Why it matters
Mandatory across SOC 2 CC6, ISO 27001 A.5.17, PCI 8.3, and the FTC Safeguards Rule. SMS OTP is now considered legacy — most frameworks expect phishing-resistant factors for privileged access.
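As an added example (not part of this glossary, and not any framework's official logic), the following Python policy check encodes the two points above: a login only counts as MFA when the presented authenticators span at least two independent factor categories, and privileged access additionally requires a phishing-resistant factor. The authenticator catalogue and the `privileged` flag are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"   # something you know
    POSSESSION = "possession" # something you have
    INHERENCE = "inherence"   # something you are


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    phishing_resistant: bool = False


# Constructed catalogue of authenticator types (assumed labels, not a standard's registry).
PASSWORD = Factor("password", Category.KNOWLEDGE)
SECURITY_QUESTION = Factor("security_question", Category.KNOWLEDGE)
SMS_OTP = Factor("sms_otp", Category.POSSESSION)      # legacy: code can be phished or intercepted
TOTP_APP = Factor("totp_app", Category.POSSESSION)    # still phishable through a relaying proxy
FIDO2 = Factor("fido2_webauthn", Category.POSSESSION, phishing_resistant=True)  # origin-bound
FINGERPRINT = Factor("fingerprint", Category.INHERENCE)


def evaluate_mfa(presented, privileged=False):
    """Return (accepted, reason) for a set of successfully verified authenticators.

    The category test is what makes this *multi-factor*: two knowledge factors
    (password + security question) are still a single factor category.
    """
    categories = {f.category for f in presented}
    if len(categories) < 2:
        return False, "fewer than two independent factor categories presented"
    if privileged and not any(f.phishing_resistant for f in presented):
        return False, "privileged access requires a phishing-resistant factor"
    return True, "ok"


if __name__ == "__main__":
    for label, factors, priv in [
        ("password + security question", {PASSWORD, SECURITY_QUESTION}, False),
        ("password + SMS OTP (standard user)", {PASSWORD, SMS_OTP}, False),
        ("password + SMS OTP (admin)", {PASSWORD, SMS_OTP}, True),
        ("password + FIDO2 (admin)", {PASSWORD, FIDO2}, True),
    ]:
        print(f"{label}: {evaluate_mfa(factors, privileged=priv)}")
```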

Related terms

SSO (Single Sign-On)
Federated authentication via SAML 2.0 or OIDC against a central identity provider (Okta, Entra ID, Google).
Least Privilege (Principle of)
Users and services receive only the minimum access required to perform their function.
RBAC (Role-Based Access Control)
Access control model granting permissions to roles, and assigning users to roles.
