
MFA (Multi-Factor Authentication)

A security procedure that requires two or more independent factors from different categories (knowledge, possession, biometrics). MFA is the umbrella term—two-factor authentication (2FA) is a specific type that uses exactly two factors. Microsoft estimates that MFA prevents 99.9% of all account compromises.

Multi-factor authentication (MFA)—also known as two-factor authentication (2FA)—is the most effective single measure against the most common type of attack: compromised credentials. Microsoft estimates that MFA prevents 99.9% of all account compromise attacks.

The three factor categories

Category    | Examples                                 | Strength
Knowledge   | Password, PIN, security question         | Low (vulnerable to theft)
Possession  | TOTP app, hardware token (YubiKey), SMS  | Medium to high
Biometrics  | Fingerprint, facial recognition          | High (context-dependent)

True MFA always combines factors from at least two different categories. Password + security question = two knowledge factors = not MFA.

Comparison of MFA Methods

Method                    | Security            | Convenience | Phishing-resistant
SMS OTP                   | Low (SIM swap)      | High        | No
TOTP (authenticator app)  | Medium              | Medium      | No
Push notification         | Medium              | High        | No (MFA fatigue)
FIDO2 / Passkey           | Very high           | High        | Yes
Hardware token (YubiKey)  | Very high           | Medium      | Yes

MFA Fatigue: Attackers send massive numbers of push requests until an exhausted user accidentally confirms one. Countermeasure: Number matching (user must type in the displayed number) or FIDO2.
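As an added example (not part of this glossary entry), a minimal model of the number-matching countermeasure combined with a push-rate limit that flags the fatigue pattern; the class name, thresholds and event names are assumptions of the example, not any vendor's API:

```python
import secrets
import time

# Constructed model: push MFA with number matching and a per-user push-rate limit.
# PushMfaVerifier and its thresholds are assumptions of this example.
class PushMfaVerifier:
    def __init__(self, max_pushes_per_window=3, window_sec=300, ttl_sec=60):
        self.max_pushes = max_pushes_per_window
        self.window_sec = window_sec
        self.ttl_sec = ttl_sec
        self.pending = {}    # user -> (number shown on login screen, expiry time)
        self.push_log = {}   # user -> timestamps of recent push requests
        self.events = []     # audit trail a SIEM rule could consume

    def request_push(self, user, now=None):
        """Issue a push challenge. Returns the number to display on the login
        screen, or None when the user is being flooded (fatigue pattern)."""
        now = time.time() if now is None else now
        recent = [t for t in self.push_log.get(user, []) if now - t < self.window_sec]
        if len(recent) >= self.max_pushes:
            self.events.append(("push_flood", user))
            return None
        recent.append(now)
        self.push_log[user] = recent
        number = secrets.randbelow(100)          # two-digit number to match
        self.pending[user] = (number, now + self.ttl_sec)
        return number

    def approve(self, user, typed_number, now=None):
        """Device-side approval. A bare 'Approve' tap (typed_number=None) never
        succeeds; each challenge allows exactly one attempt."""
        now = time.time() if now is None else now
        entry = self.pending.pop(user, None)     # one-shot: consumed on any attempt
        if entry is None:
            self.events.append(("approve_without_challenge", user))
            return False
        number, expires_at = entry
        if now > expires_at:
            self.events.append(("approve_expired", user))
            return False
        if typed_number is None or typed_number != number:
            self.events.append(("number_mismatch", user))
            return False
        self.events.append(("approved", user))
        return True
```

The `push_flood` and repeated `number_mismatch` events are the signals worth alerting on, since a legitimate user rarely triggers either.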

FIDO2 / Passkeys – the future

FIDO2 (Fast IDentity Online 2) is the current gold standard. Passkeys (the consumer version) use the device itself as an authentication factor:

  • No secret password that can be stolen
  • Phishing-resistant: Passkeys are domain-bound
  • Apple, Google, and Microsoft support Passkeys natively

NIS2 and ISO 27001

Both regulations explicitly require MFA:

  • NIS2 Art. 21: MFA or similar solutions as a mandatory measure for affected organizations
  • ISO 27001:2022 A.8.5: Secure authentication as a control

The recommendation: MFA for all accounts with remote access and all privileged accounts. Minimum standard: TOTP. Ideal: FIDO2 for privileged accounts and remote access.