Multi-factor authentication requires a user to identify themselves using multiple authentication methods. These methods could be username/password and passwordless, where the user is sent a temporary access code via text or email.
Multi-factor authentication isn’t a method in itself, but rather a paradigm that requires multiple authentication methods before a system considers a user authenticated.
Two-factor authentication (2FA) is a version of multi-factor auth where two methods are required.
Security is the main reason why a system should implement multi-factor authentication. Using a single method like username/password can leave the user vulnerable if an attacker gains access to the email or password.
Using multi-factor authentication mitigates this risk as the attacker would not be able to use the password unless they could also crack the other authentication methods.
Implementing multi-factor authentication adds complexity to the system. Complexity adds technical debt and slows down future development.
The user experience of the application usually suffers. Multi-factor authentication often requires a user to receive a temporary code on either a physical device or email. Users have to leave the app and wait to receive a code.
When to use it
Systems with highly sensitive data or applications with high risks of being attacked should implement multi-factor authentication.
Applications with sensitive data could be financial systems, medical systems, or systems with access to personal information like addresses, criminal records, or social security numbers.
When not to use it
Unless a very high level of security is required, then multi-factor authentication might not be worth implementing.