Multi-factor authentication is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence to an authentication mechanism: The 3 factors are typically: knowledge (what you know), possession (what you have, like a phone or access to an email account), and biometric (who you are with biometric characteristics like a fingerprint, palmprint, iris, retina etc.)
The usage of multi-factor authentication (MFA) by your application gives an extra level of security because it helps prevent brute force attacks, for example ‘credential stuffing’, as the attacker will not be able to complete the MFA step in a timely, automated way. In addition to a password, MFA enables the use of a mobile device, text message or email or a biometric (like a fingerprint).
Two-factor authentication is a type, or subset, of multi-factor authentication using just two factors, like what you know (password) and what you possess- e.g. passcode received via SMS on your mobile.
See the NIST definition of MFA
And Google’s opinion is: “Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation,” Google said at the time.
