[[YubiKey]] is a second factor. [[Passkeys]] too. Watch out for MFA prompt bombing attacks, like in the [Uber breach](https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/) [in 2022](https://www.nytimes.com/2022/09/15/technology/uber-hacking-breach.html). To avoid real-time phishing, [[Webauthn]] is much better.

# Wikipedia

> [!INFO] [Multi-factor authentication](https://en.wikipedia.org/wiki/Multi-factor%20authentication)
> **Multi-factor authentication** (MFA; encompassing authentication, or 2FA, along with similar terms) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is).
>
> MFA protects user data—which may include personal identification or financial assets—from being accessed by an unauthorised third party that may have been able to discover, for example, a single password.
>
> A third-party authenticator (TPA) app enables two-factor authentication, usually by showing a randomly generated and frequently changing code to use for authentication.
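
Why WebAuthn holds up against the real-time phishing mentioned at the top of this note, as an added example that is not part of the original note: the browser records the page's origin in `clientDataJSON` and the authenticator hashes the RP ID into its data, so a response produced on a lookalike site fails the relying party's checks. `login.example.com`, the `.test` lookalike and all helper names are constructed for illustration; signature verification is left out.

```python
import base64
import hashlib
import json

RP_ID = "login.example.com"                   # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed legitimate origin


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_binding(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Return the names of failed checks; an empty list means the binding holds.

    A real relying party also verifies the signature over
    auth_data || SHA-256(client_data_json); that signature is what makes
    the fields checked here tamper-evident.
    """
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    if client.get("challenge") != b64url(challenge):
        failures.append("challenge")          # stale or foreign challenge
    if client.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")             # page the user was actually on
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rpIdHash")           # credential scoped to another RP ID
    elif not auth_data[32] & 0x01:
        failures.append("userPresent")        # UP flag (bit 0) not set
    return failures


def browser_response(origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for the browser and authenticator output."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    # rpIdHash (32 bytes) + flags (UP set) + signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (7).to_bytes(4, "big")
    return client_data, auth_data


if __name__ == "__main__":
    chal = bytes(range(32))  # constructed challenge issued by the server
    print(check_binding(*browser_response(EXPECTED_ORIGIN, RP_ID, chal), chal))
    print(check_binding(*browser_response(
        "https://login.example.com.evil.test", "login.example.com.evil.test", chal), chal))
```

A password or a TOTP code typed into the lookalike page carries no such binding, which is why it can be relayed to the real site unchanged.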