MFA (Multi-Factor Authentication)
MFA requires users to verify identity with two or more factors and is one of the most common control checks in enterprise security questionnaires.
Definition
Multi-Factor Authentication (MFA) is an authentication method that requires a user to present two or more independent verification factors before access is granted. These factors typically combine something the user knows (password), something the user has (authenticator app, hardware token), and something the user is (biometric).
Context
MFA is a baseline control in modern vendor security reviews. Buyers routinely ask whether MFA is enforced for all users or only admins, whether SSO and MFA can be combined, which methods are supported (TOTP, WebAuthn, hardware keys, SMS), and whether MFA bypasses are logged and reviewed. Vendors that document mandatory MFA coverage and administrative enforcement respond more credibly to questionnaire requirements tied to account takeover prevention.
Why it matters
Multi-factor authentication requires users to present two or more distinct verification factors — typically something they know, something they have, and something they are — before gaining system access. In security questionnaires, MFA implementation details are among the most frequently assessed controls, appearing in SOC 2, ISO 27001, NIST 800-53, and virtually every industry-standard assessment framework. Evaluators examine whether MFA is enforced for all user roles, which authentication factors are supported, whether it covers both interactive and programmatic access, and how recovery flows handle factor loss.
Common pitfalls include deploying MFA only for administrative accounts while leaving standard users with password-only authentication, or relying exclusively on SMS-based one-time codes that are vulnerable to SIM-swapping and interception attacks. Organizations should assess whether their MFA implementation covers VPN access, cloud console logins, email systems, and critical SaaS applications rather than just the primary identity provider. Exception processes for MFA bypass should be documented, time-limited, require senior approval, and generate audit log entries for compliance review.
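The coverage and exception checks described above (MFA for all users rather than admins only, no SMS-only enrollment, enforcement across VPN, cloud console, email and critical SaaS, and bypass exceptions that are time-limited, senior-approved and audit-logged) can be turned into an inventory audit. The following is an added example written for this page, not code from the page or from any identity provider; the account records, factor names, system list, approver roles and the 72-hour exception limit are all constructed assumptions rather than a real product schema.

```python
"""Audit MFA coverage and bypass exceptions over an identity inventory.

Added example (not from the original page). All records and thresholds
below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Relative factor strength (assumption): SMS codes are interceptable via SIM
# swap; TOTP/push rely on shared secrets; WebAuthn is phishing-resistant.
FACTOR_STRENGTH = {"sms": 1, "push": 2, "totp": 2, "webauthn": 3}
PHISHING_RESISTANT = {"webauthn"}
# Systems the page says MFA must cover beyond the primary IdP (constructed set).
REQUIRED_SYSTEMS = frozenset({"idp", "vpn", "cloud_console", "email"})
SENIOR_APPROVERS = {"ciso", "security_director"}   # assumption
MAX_EXCEPTION = timedelta(hours=72)                 # assumption


@dataclass
class Account:
    user: str
    role: str               # "admin" or "user"
    factors: tuple          # enrolled second factors, e.g. ("webauthn", "totp")
    enforced_on: frozenset  # systems where MFA is actually enforced for this account


@dataclass
class BypassException:
    user: str
    approver_role: str
    granted_at: datetime
    expires_at: datetime
    audit_logged: bool


def account_findings(acct):
    """Return finding codes for one account; an empty list means compliant."""
    findings = []
    if not acct.factors:
        findings.append("NO_MFA")
    elif all(FACTOR_STRENGTH.get(f, 0) <= 1 for f in acct.factors):
        findings.append("SMS_ONLY")
    if acct.role == "admin" and not PHISHING_RESISTANT & set(acct.factors):
        findings.append("ADMIN_NOT_PHISHING_RESISTANT")
    for system in sorted(REQUIRED_SYSTEMS - acct.enforced_on):
        findings.append(f"NOT_ENFORCED:{system}")
    return findings


def exception_findings(exc, now):
    """Flag active bypass exceptions that are open-ended, unapproved or unlogged."""
    if exc.expires_at <= now:
        return []  # expired exceptions are out of scope for the current posture
    findings = []
    if exc.expires_at - exc.granted_at > MAX_EXCEPTION:
        findings.append("EXCEPTION_TOO_LONG")
    if exc.approver_role not in SENIOR_APPROVERS:
        findings.append("EXCEPTION_NOT_SENIOR_APPROVED")
    if not exc.audit_logged:
        findings.append("EXCEPTION_NOT_LOGGED")
    return findings


def audit(accounts, exceptions, now):
    """Map each non-compliant user to their findings (account first, then exceptions)."""
    report = {}
    for acct in accounts:
        f = account_findings(acct)
        if f:
            report[acct.user] = f
    for exc in exceptions:
        f = exception_findings(exc, now)
        if f:
            report.setdefault(exc.user, []).extend(f)
    return report


def coverage_summary(accounts):
    """Answer the questionnaire item 'all users or only admins?' from the inventory."""
    with_mfa = [a for a in accounts if a.factors]
    if not with_mfa:
        return "none"
    if len(with_mfa) == len(accounts):
        return "all"
    if all(a.role == "admin" for a in with_mfa):
        return "admins_only"
    return "partial"


# Constructed sample inventory and exception register.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
ACCOUNTS = [
    Account("alice", "admin", ("webauthn", "totp"), REQUIRED_SYSTEMS),
    Account("dave", "admin", ("totp",), REQUIRED_SYSTEMS),
    Account("bob", "user", ("sms",), frozenset({"idp", "email"})),
    Account("carol", "user", (), frozenset()),
]
EXCEPTIONS = [
    BypassException("bob", "ciso", NOW - timedelta(hours=2), NOW + timedelta(hours=46), True),
    BypassException("carol", "helpdesk", NOW - timedelta(days=30), NOW + timedelta(days=335), False),
    BypassException("alice", "helpdesk", NOW - timedelta(days=10), NOW - timedelta(days=9), False),
]

if __name__ == "__main__":
    print("coverage:", coverage_summary(ACCOUNTS))
    for user, findings in audit(ACCOUNTS, EXCEPTIONS, NOW).items():
        print(user, findings)
```

Run against the sample data, the audit flags bob's SMS-only enrollment and missing VPN and cloud console enforcement, carol's complete lack of MFA together with a year-long, help-desk-approved, unlogged bypass, and dave's admin account with no phishing-resistant factor; alice's exception has already expired and is not reported. The same structure applies to an export from a real IdP once the field names are mapped.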
Industry trends are moving toward phishing-resistant MFA methods such as FIDO2 security keys and platform authenticators that use device-bound passkeys, eliminating shared secrets entirely. Regulatory bodies including CISA and the European Union Agency for Cybersecurity (ENISA) now explicitly recommend phishing-resistant factors over legacy TOTP or push notification methods. Adaptive MFA, which adjusts authentication requirements based on contextual signals like device posture, network location, and behavioral patterns, is becoming standard in enterprise deployments and is increasingly referenced in vendor security questionnaires.
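Adaptive MFA as described above is a policy that maps contextual signals to the weakest acceptable factor tier, preferring phishing-resistant factors where they are enrolled. The block below is an added example written for this page, not code from the page or from any vendor; the signal names, the 0.5 and 0.9 risk thresholds, the 12-hour remembered-device window and the factor preference order are constructed assumptions.

```python
"""Adaptive (risk-based) MFA step-up policy.

Added example (not from the original page). Signal names, thresholds and
factor tiers are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import timedelta
from typing import Optional

PHISHING_RESISTANT = frozenset({"security_key", "passkey"})   # FIDO2 / WebAuthn
SHARED_SECRET = frozenset({"totp", "push", "sms"})            # legacy factors
PREFERENCE = ["security_key", "passkey", "totp", "push", "sms"]  # strongest first
REMEMBER_WINDOW = timedelta(hours=12)   # assumption: re-prompt after this
HARD_BLOCK = 0.9                        # assumption: behavioural score that denies
ELEVATED = 0.5                          # assumption: score that forces a prompt


@dataclass(frozen=True)
class LoginContext:
    role: str                 # "admin" or "user"
    device_managed: bool      # device posture from MDM/EDR
    network: str              # "corporate", "known" or "unknown"
    new_geo: bool             # first sign-in from this region
    sensitive_resource: bool  # target application handles sensitive data
    risk_score: float         # 0..1 behavioural anomaly score
    since_last_mfa: timedelta
    enrolled: frozenset       # factors the user has enrolled


@dataclass(frozen=True)
class Decision:
    action: str               # deny / require_phishing_resistant / require_mfa /
                              # allow_remembered / enrollment_required
    reason: str
    factor: Optional[str] = None


def required_tier(ctx):
    """Return (tier, reason); tier is deny, phishing_resistant, mfa or remembered."""
    if ctx.risk_score >= HARD_BLOCK:
        return "deny", "risk score above hard block threshold"
    if ctx.role == "admin" or ctx.sensitive_resource:
        return "phishing_resistant", "privileged role or sensitive resource"
    elevated = []
    if not ctx.device_managed:
        elevated.append("unmanaged device")
    if ctx.network == "unknown":
        elevated.append("unknown network")
    if ctx.new_geo:
        elevated.append("new location")
    if ctx.risk_score >= ELEVATED:
        elevated.append("elevated risk score")
    if elevated:
        return "mfa", ", ".join(elevated)
    if ctx.since_last_mfa <= REMEMBER_WINDOW:
        return "remembered", "managed device, trusted network, recent MFA"
    return "mfa", "remembered-device window expired"


def strongest(enrolled, allowed):
    """Pick the strongest enrolled factor that satisfies the tier, or None."""
    for f in PREFERENCE:
        if f in enrolled and f in allowed:
            return f
    return None


def decide(ctx):
    tier, reason = required_tier(ctx)
    if tier == "deny":
        return Decision("deny", reason)
    if tier == "remembered":
        return Decision("allow_remembered", reason)
    allowed = PHISHING_RESISTANT if tier == "phishing_resistant" else PHISHING_RESISTANT | SHARED_SECRET
    factor = strongest(ctx.enrolled, allowed)
    if factor is None:
        return Decision("enrollment_required", reason + "; no acceptable factor enrolled")
    action = "require_phishing_resistant" if tier == "phishing_resistant" else "require_mfa"
    return Decision(action, reason, factor)


# Constructed sample sign-in contexts.
ADMIN_ON_CORP = LoginContext("admin", True, "corporate", False, False, 0.1,
                             timedelta(hours=1), frozenset({"security_key", "totp"}))
USER_TRUSTED_RECENT = LoginContext("user", True, "corporate", False, False, 0.1,
                                   timedelta(hours=1), frozenset({"totp"}))
USER_TRAVELLING_UNMANAGED = LoginContext("user", False, "unknown", True, False, 0.3,
                                         timedelta(hours=1), frozenset({"sms"}))
HIGH_RISK = LoginContext("user", True, "corporate", False, False, 0.95,
                         timedelta(hours=1), frozenset({"totp"}))
ADMIN_TOTP_ONLY = LoginContext("admin", True, "corporate", False, False, 0.1,
                               timedelta(hours=1), frozenset({"totp"}))

if __name__ == "__main__":
    for ctx in (ADMIN_ON_CORP, USER_TRUSTED_RECENT, USER_TRAVELLING_UNMANAGED, HIGH_RISK, ADMIN_TOTP_ONLY):
        print(decide(ctx))
```

The ordering of rules is the security-relevant part: the hard block and the privileged-role rule are evaluated before any relaxation, so a recent MFA on a managed device never downgrades an admin sign-in to a remembered session, and an admin who has enrolled only a shared-secret factor is sent to enrollment rather than silently allowed through with TOTP.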