Multifactor Authentication (MFA)

Multifactor Authentication (MFA) is a security mechanism requiring users to provide multiple verification methods before gaining access to an account or system. Rather than relying solely on a password, MFA adds additional layers of protection that make unauthorized access significantly more difficult even when credentials have been stolen.

MFA is a critical defense against credential phishing, business email compromise, and account takeover attacks, as it ensures that stolen passwords alone are insufficient for attackers to gain access.

How MFA Works: When a user with MFA enabled logs into a system, they are prompted for their username and password (the first factor—something they know), followed by an authentication response from a second factor such as an authenticator app, SMS code, or hardware token. Access is granted only when all factors are successfully verified.

Authentication Factor Categories

Something You Know: Knowledge-based factors such as passwords, PINs, or security questions. This is the most commonly used factor but also the most easily compromised.

Something You Have: Possession-based factors including mobile devices with authenticator apps (such as Google Authenticator or Microsoft Authenticator), hardware security keys (such as YubiKey), or smart cards.

Something You Are: Biometric factors including fingerprints, facial recognition, iris scans, or voice patterns. These factors are tied to the user's physical identity and cannot be stolen in the same way as passwords.

MFA Limitations and Bypass Techniques: While MFA significantly improves security, sophisticated attackers have developed techniques to bypass it, including MFA fatigue attacks (bombarding users with push notifications until they approve), adversary-in-the-middle phishing, SIM swapping, and OAuth token theft. Pangratis detects account takeover attempts even when MFA is enabled, using behavioral AI to identify suspicious activity post-authentication.
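
The MFA fatigue pattern described above (repeated push prompts, then an approval) can be detected from push-notification logs. The following is an added example, not from the original page or any vendor's product; the log format, the threshold of 3 and the 10-minute window are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-MFA log lines: "<ISO time> user=<name> push=<result>"
# Assumed to be sorted by time, as an append-only log would be.
SAMPLE_LOG = """\
2024-05-01T09:00:05 user=alice push=approved
2024-05-01T23:41:10 user=bob push=denied
2024-05-01T23:41:40 user=bob push=timeout
2024-05-01T23:42:15 user=bob push=denied
2024-05-01T23:42:50 user=bob push=timeout
2024-05-01T23:43:20 user=bob push=approved
2024-05-02T08:00:00 user=carol push=denied
2024-05-02T08:00:30 user=carol push=approved
"""

def parse_line(line):
    """Split one log line into (timestamp, user, push result)."""
    ts, user_kv, push_kv = line.split()
    return (datetime.fromisoformat(ts),
            user_kv.split("=", 1)[1],
            push_kv.split("=", 1)[1])

def detect_push_fatigue(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return an alert for each approval that follows at least `threshold`
    denied or unanswered pushes for the same user inside `window`."""
    recent = defaultdict(deque)  # user -> timestamps of non-approved pushes
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result = parse_line(line)
        pending = recent[user]
        # Drop rejected/unanswered pushes that have aged out of the window.
        while pending and ts - pending[0] > window:
            pending.popleft()
        if result == "approved":
            if len(pending) >= threshold:
                alerts.append({"user": user,
                               "approved_at": ts.isoformat(),
                               "prior_rejected": len(pending)})
            pending.clear()  # an approval ends the current burst
        else:
            pending.append(ts)
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

A single mistaken denial followed by an approval (carol in the sample) stays below the threshold and is not flagged.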
