When you log in with just a username and password, passcode, or PIN, this is called single-factor authentication. This is the lowest level of secure access management an organization can deploy, and should only be used for accessing non-sensitive information, like a mobile game or shared corporate accounts that don’t have access to any private data.
The next step up in authentication is 2FA. This is when you use a username/password, passcode, or PIN, and are then asked for a second security measure, such as an SMS or token-based one-time password (OTP) or a biometric. A second factor is a significant bump in security, and it should be used for any account that has even marginal access to sensitive data, such as corporate email or social media accounts, or even for physical access to secure buildings.
Adding in a third, fourth, or even fifth authentication factor expands the security of any access management solution into the realm of multi-factor authentication (MFA). MFA offers scalable, tiered levels of security that can be deployed for controlling access to the most sensitive of data. Systems holding financial records, medical information, government databases, and the like should all deploy various levels of MFA, incorporating several factors, which can include passwords, secret questions, OTPs, biometrics, location, user behavior, registered mobile devices, and more.