What is MFA, and why is it more secure than a password alone?
Short answer
MFA requires two or more authentication factors from different categories — something you know (password), something you have (phone/token), something you are (biometric). It helps because an attacker who steals one factor, like a password, still can't log in without the others. Phishing-resistant MFA like FIDO2 is strongest.
MFA is one of the highest-impact, lowest-cost controls in security, so interviewers expect you to explain not just what it is but why the factor categories matter.
The three factor categories
Authentication factors fall into distinct categories, and true MFA combines at least two different ones:
- Something you know — a password or PIN.
- Something you have — a phone running an authenticator app, a hardware security key, a smart card.
- Something you are — a biometric like a fingerprint or face.
Two passwords are not MFA, because they're both the same category. The strength comes from requiring factors an attacker would have to compromise through entirely different means.
Why it helps so much
Most account takeovers start with a stolen or guessed password — from phishing, reuse, or a breach dump. With MFA, the password alone is useless: the attacker also needs the user's physical device or biometric. This single control blocks the overwhelming majority of automated credential-stuffing and bulk phishing attacks.
Not all MFA is equal
- SMS codes are better than nothing but vulnerable to SIM-swapping and interception.
- Authenticator apps (TOTP) are stronger but can still be phished in real time.
- Push approvals are convenient but enable MFA fatigue / push bombing, where attackers spam prompts hoping the user taps "approve." Number matching helps.
- FIDO2 / passkeys / hardware keys are phishing-resistant because the credential is cryptographically bound to the legitimate site, so a fake page can't relay it.
Why this matters
Interviewers want the category insight (two different factors), the reason it works (a stolen password is no longer enough), and awareness that MFA strength varies. Recommending phishing-resistant MFA where it counts shows you're current, not just repeating "turn on 2FA."
Likely follow-ups
- Why is an SMS code weaker than an authenticator app or a hardware key?
- What is MFA fatigue / push bombing and how do you mitigate it?
- What makes FIDO2 / passkeys phishing-resistant?