Front Page: NCSC-FI
Front Page: NCSC-FI

Multi-factor authentication means that your identity is confirmed using two or more authentication methods, or factors. Using multi-factor authentication can prevent almost all account hijacking attempts. With multi-factor authentication, even if a criminal were to get a hold of your username and password, they cannot log in to your account without the additional authentication factor. Services that store personal or payment data should always be protected with multi-factor authentication.


Multi-factor authentication (MFA) means that the user’s identity is confirmed using several different authentication methods. The most common form of multi-factor authentication is two-factor authentication (2FA).

How does multi-factor authentication work?

When logging in to online services, the user is authenticated. This means that the user proves to the service that they are the person who they claim to be. Traditionally, this is accomplished with a username and password. Unfortunately, using only a username and password is not a very good authentication method. Guessing usernames is easy because they are often simply the email addresses of users. Furthermore, users frequently use easy-to-remember passwords and even re-use the same passwords on multiple services. “Recycling” passwords like this is not recommended, because if the password leaks from one service, criminals can also try to log into other services using the same username and password.

Because of these issues, many services offer the option of enabling multi-factor authentication. In most services, multi-factor authentication is an optional feature, meaning that it is not enabled by default. The feature may be offered under names like “Two-Step Verification” or “Multi-factor Authentication.”

Using multi-factor authentication does not require you to remember any additional codes or passwords. Instead, the additional authentication factor is usually a one-time number sequence that is sent to you by SMS or email, for example, or that you check using an authenticator application, depending on your preference.

Multi-factor authentication is based on three principles:

  1. Something that you know (such as a password)
  2. Something that you own (using your mobile phone to receive a one-time code, such as Mobile ID, for example)
  3. Something that you are (such as a fingerprint or other distinguishing feature)

Two out of these three factors must be used to establish the user’s identity with sufficient certainty.

Choosing the authentication factor

Many services allow you to choose between different authentication factors. Some services also allow you to enable multiple methods, such as SMS and an authenticator application. Enabling multiple authentication methods can also serve as a backup measure in case your phone stops working or goes missing. Many services provide you with a list of single-use number codes when enabling multi-factor authentication, which you should store securely in a password manager, for example. They allow you to bypass multi-factor authentication in the event that you are prevented from accessing the primary authentication method.

A multi-factor authentication scheme based on at least two authentication factors can include:

  • a password
  • a fingerprint
  • a confirmation message received via email or SMS
  • an authenticator device (e.g. a code calculator used by banks) or security key (so-called token)
  • a changing PIN
  • recovery codes
  • an authenticator application

How the different authentication factors work

This section provides brief explanations of how the various authentication factors work. Some authentication factors may seem difficult or cumbersome to use at first, but if you keep at it, you will get used to multi-factor authentication in no time!

Where should multi-factor authentication be used?

Rather than the above question, you should ask yourself why you would not enable multi-factor authentication on all the services that offer the option. Enabling multi-factor authentication significantly hinders criminals’ chances of utilising phishing. With multi-factor authentication enabled, even if criminals were to find out your password to a given service, they cannot log in if they do not have access to the other required authentication factor.

Services that store personal or payment data should always be protected with multi-factor authentication. Be sure to also secure company accounts by enabling multi-factor authentication.

How do I enable multi-factor authentication?

Services provide their own instructions for enabling multi-factor authentication on their websites. As such, it is impossible to provide comprehensive instructions for this. However, we have compiled a list of links to instructions on how to enable multi-factor authentication on some of the most popular social media services:

Transferring authentication to another device

It should be noted that some authenticator applications make it very difficult or even impossible to back up their codes. This means that if your phone goes missing, stops working or is reset, this data is lost for good. This can also make it difficult to transfer your chosen authenticator application to a new device. Because of this, you should always back up the data, if possible, use two different authentication methods or save the number sequences generated by the authenticator application when enabling multi-factor authentication.

The transfer to another device can be carried out in multiple ways. The methods used include:

  • QR codes
  • Time-based one-time passwords (TOTP)
  • Saving OAuth links
  • Using a paid service with cloud storage
  • Using other cloud services

There are also significant differences between authenticator applications in terms of how easy it is to back up their data. We recommend careful and thorough consideration of the available backup or transfer options before choosing an application.