How Does MFA Work Exactly?

What are the differences between a weak and a strong authentication protocol? How can you set them up? Let us look into it.
A nacho, MIA’s mascot, is sitting in front of their laptop. Floating around them are various authentication elements, such as a fingerprint, a smartphone and a password
Posted by Cécile G. on 17 Mar. 2026

Since you are reading this, it is likely that you are interested in cybersecurity to some extent.

You might therefore already be acquainted with the authentication protocol deemed the strongest: MFA, multi-factor authentication.

It is often called "strong" authentication because that is easier to say than its full name.

It is, so far, the most robust protocol in wide use. First of all, it is worth remembering that two-factor authentication is not synonymous with multi-factor authentication.

It is only one of several setups a service provider can use, depending on what the use case calls for.

Several Authentication Factors to Show One’s Credentials

Depending on the service provider, several methods of multi-factor authentication can be used.

They all rely on a handful of identification elements, whether text to be typed into a login form or a notification to approve before accessing the platform.

Amongst all these elements, we can find any of the following:

1. The security question: the user picks one from 4 to 5 options at sign-up and types a personal answer in a free-text field.

This method is difficult to hack because you need to figure out both the question and the answer. It is convenient for the user because it only requires remembering personal yet trivial details, which makes them particularly hard to guess.

2. The code sent through text: you need to have your smartphone readily available to retrieve the code and access whichever platform you are logging in to.

This method is hard to bypass without the linked device or having access to the user’s texts.

3. The temporary code: similar to the previous one, it gets generated whenever you attempt to log in and works for a limited time, ranging from 15 to 30 seconds, usually. It can be sent through email depending on the service and your login parameters.

The timeout aspect reinforces security. An attacker does not only need to hack the code, they need to do it at a specific time and beat the clock.

4. The physical device: these have become scarcer nowadays due to smartphone usage. It can be a USB key, a numeric keypad or any other tangible device.

Smart devices can now replace standalone systems.

5. Biometric validation: usually meaning fingerprints. There is no need to elaborate on the difficulty of biometric forgery.

(To be fair, retina scans are more widespread in Black Mirror’s universe than in ours, but they do belong in this category.)

Why Choose Two or Three Factors instead of One?

The quick answer is: because the credential pairing (login and password) is no longer sufficient to counter cyberattacks.

These attacks have become sophisticated and imitate official messaging to a fault, leaving inattentive users vulnerable to credential theft.

To illustrate, here are a couple of techniques used to steal credentials:

  • phishing: through emails or SMS, the idea is to ask the victim for their login information while pretending to be a safe, official service provider platform;
  • spear phishing: a type of phishing aimed at strategic user profiles within a company, such as administrators or high-privilege profiles;
  • social engineering: a kind of psychological manipulation used by hackers to get their victims to share their personal information;
  • brute force: an automated attempt to guess a password;
  • server hacking: exploiting a breach to gain access to some, or all, of the passwords, depending on the internal safety of the systems;
  • credential stuffing: once credentials have been stolen, hackers can use them on several systems if they are shared or identical across several tools.

MFA, a Universal and Whole Adoption?

Despite the obvious practicality of this protocol, not all institutions use it.

Apart from the technical resources required, there is a debate about its user experience dimension.

Its rather lengthy login process does not make for easy day-to-day use.

Fortunately, improvements have been made: for instance, you can choose to use MFA as the first login protocol for a defined period, with a timeout.




Once the timeout has been reached, you need to start another session.