How does multi-factor authentication actually work behind the scenes?

Multi-factor authentication, or MFA, is a way of proving who you are using more than just a password. People often use the term interchangeably with two-factor authentication, or 2FA, since both involve adding a second step to logging in. The goal is to combine something you know (like a password) with something you have (like your phone) or something you are (like a fingerprint).

Behind the scenes, one of the most common methods uses time-based codes. When you use an app like Google Authenticator, your phone and the server both have a shared secret. They use that secret and the current time to generate a short code that changes every 30 seconds. When you enter the code, the server checks if it matches what it expects. If it does, you’re allowed in.

There are other types too, like push notifications, text messages, or physical keys. The reason this matters is because MFA is one of the best tools we have right now to protect accounts. Even if someone gets your password, that second layer can stop them cold. It's simple, but powerful.

Multi-factor authentication (MFA) typically involves confirming a dynamically changing 2nd factor code (a six digit code) after confirming the 1st factor (usually a password) which can confirm an identity.

This one-time text code (typically six digits) can be sent by the MFA system to a listed personal smartphone (via SMS) to confirm an identity.

This 2nd factor code can also be sent to a listed email which can be entered back to confirm the identity.

Another way the 2nd factor can also be confirmed by another pre-determined method such as via an authenticator app installed in a cellphone (such as from Google or Microsoft) whose code rotates (expires and is regenerated) every 60 seconds per a pre-determined logic which is understood and confirmed by the MFA system as a shared secret. Usage of biological confirmation (such as fingerprint scans or retina-scans) can also be used (typically via touch sensors and readers in smartphones).

Less commonly, this 2nd factor MFA code used to be also gained from a hardware token (provided by vendors such as RSA) whose digital display changed the code every sixty seconds. Such hardware tokens had long battery lives (typically 3 to 5 years - sometimes even longer). Nowadays usage of these hardware tokens have largely been supplanted by cellphone-installed apps.

Also less commonly - a 3rd factor for MFA can also be used (a pre-determined static pincode - typically four digits), which is entered by the user seeking entry to the system after the 2nd factor. Usage of a 3rd factor pincode is far less common nowadays, though they are used sometimes in critical defense installations or for entry in systems where HIPAA Medical Healthcare information is stored.