What is multi-factor authentication (MFA)?

Multi-factor authentication, also referred to as “multi-step authentication” by some experts, is an access management component that requires users to provide two or more authentication factors to log in and access an account. Essentially, users must provide extra proof of identity besides their username and password. Think of MFA as an extra lock on your door.

Unfortunately, misconceptions about MFA exist: they’re especially prevalent in the business world and often deter users from using it and taking advantage of its security. Organizations tend to think that mandating multi-factor authentication in the IT infrastructure for the entire company is cumbersome and could be counterproductive.

The reality of the matter is actually the opposite: with today’s security technologies, setting up MFA company-wide is quick and causes practically no interruptions. Once it’s done, the benefits that MFA brings to the table far outweigh any possible inconveniences that a company might face during the implementation.

How does MFA work?

Multi-factor authentication employs various technologies, like one-time passwords, tokens, and biometrics, to authenticate users when they try to access their accounts. First, the user enters their username or email and their password. But besides these credentials, and with MFA switched on, the user is also asked to authenticate their identity using their selected secondary verification method. Once the two factors are authenticated, the user is granted access to their account.

One of the most popular MFA factors is known as one-time passwords (OTPs). They’re security codes that can be used only once to authenticate a login attempt. A one-time password is usually 4–8 digits long and can be valid for anywhere between 15 seconds and a few hours. When a user attempts to log in, a one-time password is sent via text message or email for authentication. OTPs can also be generated using an authentication app, like NordPass’ built-in Authenticator.

As you set up multi-factor authentication, your one-time password will be generated in one of two ways: either as a time-based one-time password (TOTP) or a hash-based one-time password (HOTP). Their core difference is how frequently a new code is generated. An authentication app refreshes a TOTP at a set interval (for example, every 30 seconds), while a HOTP only refreshes upon a new login attempt.

One-time passwords rely on two factors—a seed and a moving factor. The seed is a static secret key that stays on the server side, while the moving factor is affected by the counter, which ensures the periodical generation of new passwords. The process of generating a one-time password is randomized, and the number of OTPs that can be generated is practically limitless.

The process of multi-factor authentication takes 3 steps:

• Registration. You create an account on a website or app and, in addition to your login credentials, select a preferred method of additional authentication. You may use your phone number to receive authentication via text messages, get emails with the code, switch on biometrics, or use an authentication app. The exact method may vary depending on the platform’s permissions.

• Authentication. As you log in to your account, you enter your login credentials first and are then prompted to enter your multi-factor authentication code. Use your selected means of authentication to access and input the code. Some apps allow you to autofill the code so that you don’t lose it before it resets.

• Access. If the one-time code you entered matches the server request, your login attempt is authenticated and you can access your account. If you log out, you must start the process over.

Types of MFA factors

Varying from platform to platform, a number of different factors are used to authenticate login attempts. The most common examples include the following.

What you know (knowledge factor)

The knowledge factor typically consists of a password, PIN, passphrase, or security questions whose answers are known only to the rightful account holder. For the knowledge factor to work correctly, the user must enter the correct information requested by the online application.

What you have (possession factor)

Before smartphones existed as MFA devices, people carried tokens to generate an OTP that would be entered as an authentication factor. These days, smartphones are the primary physical tools for generating OTPs, usually via authenticator apps. However, physical security keys are also available as a possession factor, often considered one of the most secure MFA options.

What you are (inherence factor)

Biometric data, such as fingerprints, facial features, retina scans, voice recognition, or other biometric information, can also be used for multi-factor authentication. Biometric authentication is gaining more traction by the day, as this method is frictionless when compared to other types of authentication.

Where you are (location factor)

Last but not least, location-based authentication checks the user’s IP address and geolocation. Users can whitelist certain geolocations and block others. If the login attempt comes from an unrecognized location, MFA blocks access to the account and vice versa.

Why is multi-factor authentication important?

As cybercrime continues to increase in frequency and sophistication, individuals and companies alike look for effective and simple ways to ensure the security of their online accounts. Passwords are no longer enough. In fact, considering how frequently weak passwords are the culprit of breaches and how susceptible to attacks the most common passwords in the world are, additional security measures are not just a recommendation but a necessity. Multi-factor authentication provides that extra layer of security that can make the difference between a secure account and a hacked one.

When bad actors steal passwords and usernames, they can easily gain unauthorized access to accounts and network systems. But with MFA security in place—whether it’s OTP, biometric authentication, or other means—having correct login credentials alone wouldn’t be enough to get into the account. All of that complicates things for attackers, as they would need access to smartphones or other authentication devices related to the user to execute their scheme successfully.

Given that around 68% of data breaches are related to human error in one way or another, adding MFA to your accounts can significantly improve your security. According to the 2024 Elastic Global Threat Report, brute-force techniques grew by 12%. But that’s not all. Security experts and researchers continue to see an increase in phishing attacks, which are usually at the top of the hacking funnel. As cybercrime continues to rise in prominence, MFA is quickly becoming a critical part of everyone’s security, whether it’s an individual or a large organization.

What’s the difference between MFA and two-factor authentication?

As the name suggests, the difference between two-factor authentication (2FA) and multi-factor authentication lies in the number of authentication factors required to authenticate a given user. Two-factor authentication requires exactly two authentication factors, whereas MFA requires two or more factors to work as intended. Essentially, you can think of multi-factor authentication as an umbrella term that includes 2FA as one of the options.

Multi-factor authentication examples

As already mentioned, multi-factor authentication involves two or more authentication factors that identify a given user. These factors include static and one-time passwords, PINs, passphrases, tokens, and biometrics like fingerprint recognition and face ID. By combining a range of these factors, you can build authentication sequences with different levels of security—but any combination can be stronger than using a single factor.

Usually, your login credentials—your username, account number, or email address and your password—are the first step in the authentication process. Once you provide this information, your login attempt is validated. However, if your login details are breached, anyone can use them to log in to the account and pretend to be you. There is no way of guaranteeing the person logging in is actually you, unless the platform checks to see if the IP matches your usual one—but this would fall under location authentication.

To truly prove it’s you logging in, you need to get the second factor in place. This can be a single-use code sent to you by text, the one-time password generated by your authentication app, or a pop-up on your phone requesting you to verify your fingerprint. For improved accessibility, you can also receive an automated call that uses text-to-speech to list the numbers of your verification code.

From here, you can take it up a notch and add another authentication method. For example, you can combine the one-time password with a biometric proof of identity. However, the principle of “less is more” still stands true—introducing too many authentication factors may negatively affect the overall user experience, making the process too burdensome. Imagine using a token as your second layer and biometrics as your third. If you forget or lose either of the two, you’re barred from accessing your account.

MFA benefits

We’re now familiar with the technical side of MFA and how it works to support data protection. Let’s take a minute to see the practical benefits of using multi-factor authentication to protect your personal and work-related credentials.

The number one advantage that MFA brings to the table is, naturally, enhanced security. Multi-factor authentication works hand in hand with strong passwords to ensure more robust account and app security. Switching on MFA makes it harder for bad actors to access accounts or system networks without accessing the authentication device.

While increased security is one of the biggest benefits of multi-factor authentication, it’s far from the only one. MFA can be crucial for regulatory compliance. Many cybersecurity policy guidelines list it as a necessity to meet appropriate data protection standards. For instance, the CIS Password Policy Guide has different standards for accounts that use a password only and those that have MFA mandated. Compliance adherence allows businesses to build stronger trust with customers as it shows they take precautions against cyber threats.

Of course, it cannot be understated that multi-factor authentication is a user-friendly and convenient solution. It may seem contrary at first, as it does require extra steps than just logging in. However, with features like autofill for one-time passwords or biometric authentication, the MFA process can take as little as a tap on the screen. Furthermore, passkeys are a type of multi-factor authentication that reduces login time by eliminating the password step altogether while maintaining a high level of security. They combine biometric verification with cryptographic keys, ensuring no one else can access your accounts without your authentication.

In the long term, setting up multi-factor authentication is a cost-effective strategy for businesses. With the average breach costing small and medium-sized businesses as much as $3.31 million, setting up company-wide MFA policies can help protect your organization’s reputation and stop the threats before they get to your doorstep. Thanks to its range, MFA can help future-proof businesses from emerging threats. For instance, users can opt for biometric authentication over one-time passwords and vice versa.

What types of multi-factor authentication does NordPass Business support?

Multi-factor authentication is tightly knit with password protection and is essential for businesses and individuals alike. So, it’s unsurprising that password managers aim to improve not just your credential storage but the way you handle MFA as well.

NordPass is a secure and intuitive password manager that’s purpose-built to facilitate smooth and secure management of passwords, passkeys, credit card details, and other sensitive information. It offers support for 3 types of multi-factor authentication:

• An authenticator app

• A security key

• Backup codes

NordPass supports major authenticator apps such as Google Authenticator, Microsoft Authenticator, and Authy. However, it makes things easy for you by letting you generate and store your one-time passwords directly in your vault. NordPass Authenticator for Business allows you to set up two-factor codes alongside your passwords, eliminating the need for third-party authentication apps. You can also stay flexible, as NordPass will autofill your one-time passwords for you, whether you’re on your mobile device or desktop browser.

NordPass comes equipped with other security features that help you optimize your business credential security. With features like Password Health and Data Breach Scanner, you can ensure that all credentials used in your organization are strong and secure. Furthermore, you can set up a centralized Password Policy to enforce compliance with high security standards. Try NordPass today and see for yourself how it can help fortify your corporate security.

Meet Anywr

Established in 2012, Anywr is an HR services provider specializing in global mobility and staffing solutions. Its mission is to support organizations in addressing their human resource challenges with tailored, expert-driven solutions.

 They deliver comprehensive services to assist with immigration, relocation, international mobility policies, and employer of record (EOR) solutions. Additionally, Anywr offers other services, including direct recruitment, executive search, and consulting, focusing on IT, life sciences, and recruitment process outsourcing industries. Anywr combines operational excellence with a deep commitment to customer proximity, ensuring its services are responsive, efficient, and aligned with its clients’ needs.

The company operates across 12 countries and 4 continents, with employees based in France, Spain, Belgium, Luxembourg, the Netherlands, Sweden, India, Vietnam, China, Morocco, Ivory Coast, and Canada.

The challenge of staying compliant

In a nutshell, compliance means that an organization adheres to applicable laws and regulations. This includes country-specific laws, requirements from regulatory authorities, and internal company rules.

Companies employ various tools that help facilitate compliance. One of them is a password manager, as most regulatory compliance standards require organizations to implement security measures to limit the possibility of unauthorized access. For example, GDPR, PCI DSS, GLBA, and CIS Controls have outlined guidelines for ensuring the security of personal data processing and storage.

For companies like Anywr, cybersecurity is critical as they handle a lot of personal documentation, such as for their clients’ immigration processes. That’s why they must ensure that documents like these are secured, processed, and stored following the GDPR requirements. Additionally, they have to overview multiple country-specific security regulations.

So, they started looking for a trusted password manager that would allow their employees to securely store and generate strong passwords and keep their company accounts safe.

Streamlining compliance with NordPass

NordPass’ end-to-end encryption and zero-knowledge architecture ensure the finest privacy and security standards for businesses. It offers a secure way to store and access passwords and other sensitive information in line with regulatory requirements.

To tick more boxes for the Anywr password manager needs, with the NordPass Password Generator, their employees can generate unique and strong passwords that are then safely stored in the vault that’s encrypted with the XChaCha20 encryption algorithm. The passwords are generated according to a company-wide password policy. These rules are defined with the Password Policy feature and set standards for password complexity: the use of upper- and lower-case letters, special symbols, numbers, and the minimum character limit.

So, by implementing NordPass’ company-wide password policy, Anywr has ensured a consistent and secure password standard across its global offices, which is critical for meeting regulatory compliance requirements such as GDPR.

Additionally, Anywr teams can securely share credentials if needed. They also use Shared Folders, a feature allowing users to share multiple items simultaneously. These folders are dedicated to each service and country that Anywr is located in, and hold specific IT teams’ access to that country. This ensures that different teams can share them seamlessly when needed, making cross-country and cross-team collaboration a breeze without compromising security.

Aiming for the highest security

According to Florian Laskowski, a Head of IT Operations and PMO at Anywr, the company takes cybersecurity seriously and believes it’s a continuous improvement process.

During the onboarding, Florian’s team ensures that the new employees are familiar with the security systems and explains how each application works. Additionally, the company organizes concurrent, in-depth cybersecurity training for its employees. In these trainings, they emphasize the necessity of using a password manager, highlighting that it’s not enough to just remember passwords or autosave them in the browser.

To make their employees’ lives even easier (and safer), the IT team directly implements security solutions such as NordPass directly into their chosen browsers via the company portal so they can instantly start using them.

Anywr also employs User and Group Provisioning via Microsoft Entra ID that seamlessly integrates with NordPass to ensure everything is in sync across multiple systems and applications.

Effortless cybersecurity

Florian Laskowski says that NordPass has made password management easier and safer for the company’s employees. According to him, NordPass’ Admin Panel is equally intuitive. For example, when the team needs to offboard an employee, the Admin can easily transfer the data to another employee so that important accesses don’t get lost.

This ease of use, coupled with top-tier security and streamlined compliance via features like Password Generator, Password Policy, and Shared Folders, has improved Anywr’s cybersecurity posture and made it a tool that employees actually use. 

So, if your company is facing similar challenges while ensuring cybersecurity and compliance posture, NordPass can help you improve security and help to meet regulatory requirements. Contact our experts today to see what NordPass can offer for your business. 

2025 is here—what should we expect?

As the new year kicks off, it’s only natural to start thinking about what’s ahead and make predictions. And so, we reached out to a few top experts on the NordPass team to find out what they think is coming in cybersecurity in 2025. The answers we got were not only varied and engaging but also unexpected and, at times, controversial. Here’s what they had to say:

Prediction #1—Jonas Karklys, CEO of NordPass

“Cybersecurity tools like password managers will help people reduce digital anxiety.”

“With AI adoption booming, fake news spreading like wildfire, and cyber threats becoming more sophisticated by the day, it’s no surprise that people feel overwhelmed and vulnerable online. The good news? Cybersecurity tools, like NordPass, are already providing significant support, making it much easier to manage accounts, protect sensitive data, and stay in control of who has access to their information.

As these solutions continue to evolve to tackle the latest challenges head-on, like AI-powered phishing or 5G network vulnerabilities, they’ll empower people to face the digital world with more confidence and truly take charge of their online lives. The digital world should be a place where everyone can be themselves and realize their potential—not a place where they’re constantly worried about what’s around every corner. Let’s make that happen.”

Prediction #2—Marvin Petzolt, Lead Security Architect at NordPass

“AI will make scams much more realistic.”

“In recent years, chatbots have become more and more lifelike, and now, the new models are even adding emotions to their responses. Because of this, I predict that, in 2025, we’ll see a rise in AI-powered phishing and scam attacks. AI makes it incredibly easy to pull information from social media that criminals can use to create super convincing scams on a much larger scale.

Picture this: you get a phone call, and the voice on the other end sounds just like someone you know—maybe a relative or an old friend. They say they urgently need help: emergency funds, rent money, or money for medical bills. These kinds of scams will start happening more often, and without the right security measures, some people could easily be fooled on a level we’ve never seen before.

That’s why it’s going to be more important than ever to be cautious about what we share online—keeping it private and to a minimum.”

Prediction #3—Karolis Arbaciauskas, Head of Product & Business Development at NordPass

“Passwords will endure and grow in volume.”

“While passwordless authentication methods, like passkeys, are starting to gain momentum, it’ll take some time for them to catch on across consumer and shadow IT sectors. So, my prediction for 2025 is that passwords will still play a major role in authentication.

Before the COVID-19 pandemic, most people had around 70 passwords. But with remote work becoming the norm and more people using collaboration and streaming services, that number went up to about 170 by 2024. Looking ahead to 2025, with more AI-driven tools requiring authentication, we’re likely to hit an average of 190 passwords per user. Unfortunately, it also means that weak, reused, or stolen passwords will still make up around 70–80% of cyberattacks—but even that could rise in 2025. The fact remains that this growing number of passwords highlights the need for better password management for all of us.”

Prediction #4—Jolanta Balciene, Head of Product Marketing at NordPass

“Cybersecurity will be seen even more as a business differentiator.”

“No matter which cybersecurity market report you look at—whether it’s from Gartner, IBM, or McKinsey—you’ll see that this sector is growing at a very high speed. Due to the increasing number of cyber threats, more companies are now investing in cybersecurity products and services to protect their IT infrastructures and their customers’ data. And so, I believe that in 2025, cybersecurity will stand out even more as a key business asset.

What I mean by that is that organizations all around the world will not only invest more in cybersecurity tools to defend themselves against threats like AI-powered phishing, ransomware, and malware, but they will also position cybersecurity itself as a key value proposition. As a result, customers will more actively seek out companies that have known certifications and cybersecurity measures in place—simply to make sure they are interacting with brands that prioritize their security.”

Prediction #5—Ieva Soblickaite, CPO at NordPass

“Political tensions may impact how cybersecurity is managed.”

“The relationship between cybersecurity and the global political climate has definitely gotten more complicated over the last few years. Many governments are struggling to match the pace of technological growth, often falling behind when it comes to implementing laws that protect digital infrastructure—which can leave critical systems exposed.

At the same time, the rise of controversial political powers is raising concerns about things like digital surveillance, censorship, and information manipulation. There’s a fear they might try to control internet access, limit free speech, and use cyber tools to go after their opposition.

On top of that, rising geopolitical tensions and military conflicts are making things worse, with some governments using cyberattacks as part of their military strategy. As a result, we’re now seeing more sophisticated attacks aimed at critical infrastructures and democratic organizations, which shows that cybersecurity isn’t just a technical challenge anymore, but a major issue in global diplomacy.

So, in 2025, I’m afraid we’ll likely see these problems grow. We’ll face more risks to critical systems, more manipulation of information, and more cyberattacks targeting democratic institutions. And while we do have some data privacy regulations in place right now, those could change at any time. Therefore, it’s in each of us to take steps to protect our data and minimize the risk of it being used against us.”

Prediction #6—Ignas Valancius, Head of Engineering at NordPass

“The time to crack passwords will be even shorter.”

“I’m sure AI has come up in a lot of predictions, and mine won’t be any different, so here goes: in 2025, the time it takes to guess, social engineer, or brute force passwords is going to drop dramatically, due to AI tools in the hands of cybercriminals.

Based on our own “Top 200 Most Common Passwords” research, we know that simple passwords like “123456” or “qwerty” can be cracked in under a second. The more complex the password, the longer it takes, but with the increasing computing power behind AI, hackers will be able to try many more combinations in less time. So even more complex passwords will be cracked faster. I’m not saying that super long, random 18-character passwords are at immediate risk, but shorter ones? They could be in danger.

And let’s not forget that the more people use AI, the more it learns about them. This is to say that many people already share sensitive data with “free” AI tools to get things done, but here’s the catch—nothing’s really “free.” That data gets used for training, tracking, and, even worse, creating detailed profiles for more targeted attacks. So, as we move forward, it’s crucial to keep our passwords long and strong, and tread carefully as we interact with AI tools.”

Prediction #7—Jonas Karklys, CEO of NordPass

“Passkeys will get more recognition.”

“In 2024, we saw passkeys get massive support from major players like Google, Amazon, PayPal, and Facebook, who backed them as the next step beyond traditional passwords. Looking at the adoption rate, I believe that in 2025, even more companies will jump on the passwordless bandwagon, making it easier for their users to adopt passkeys across their online accounts.

The reasons are simple: passkeys offer better security, helping to prevent many common incidents, and they’re much easier to use than typing out long, complex passwords. Today, it’s all about security and convenience, and if there’s a solution that provides both, it’s a winner. One thing’s for certain—NordPass will be there not only to continue supporting passkeys but also to help other organizations adopt passwordless technology through our services like Authopia.”

Summary

The NordPass team’s predictions for 2025 highlight both the challenges and opportunities of cybersecurity, showing just how crucial it will be for both individuals and businesses. While we’d all love to see the threats disappear, it’s certain they’ll only become more complex. That means it’s up to us to step up our game and protect our digital valuables.

If you’re looking for a way to do that, we encourage you to try NordPass and see how it can level up your cybersecurity and overall online experience. With the free 14-day trial, you can get a good sense of how it’ll keep your data safe in 2025 and beyond. The choice is yours!