As stated before, to prove your identity to an application, you must provide something you know, something you have, or something you are. Each of these identifiers are called a factor. Multi-factor Authentication (MFA) comes from the need to provide an extra layer of security to certain applications and prevent unauthorized access in case, for example, a password is guessed or stolen by an attacker.

Two-factor Authentication (2FA) in most web applications means that the user must provide the username and password (first factor) and a special code or One-Time Password (OTP), which is temporary and randomly generated by a device that the user has or is sent to them through SMS or email by the server. The user then submits the OTP back to the application. More sophisticated applications may implement the use of a smartcard or some form of biometrics, such as a fingerprint, in addition to the password. As this requires the user to have extra hardware or a specialized device, these types of applications are much less common.

Most banking applications implement a form of MFA, and recently, public email services and social media have started to promote and enforce the use of 2FA among their users.