MFA vs. 2FA vs. 2SV: How to Choose the Right Multi-Factor Authentication

Increasingly sophisticated cyber threats and attack strategies on password credentials make our favorite devices, network systems, applications and databases more vulnerable.

About half of all breaches result from compromised credentials, most thanks to phishing scams. And security awareness education is not enough to secure your organization. Users are human, and accidents happen. As cyber threats become more and more difficult to thwart, multiple security layers are key to protect access to systems. The best way to create security layers for system access is by using multi-factor authentication, two-factor authentication (2FA), or two-step verification (2SV).

What Are the Differences Between MFA and 2FA and 2SV?

While these authentication methods may appear to be the same thing, they have distinct differences. Here is a breakdown of each:

  • Multi-Factor Authentication (MFA): MFA is a security enhancement that requires a user to submit two or more items of proof (factors) for system access. Authentication factors can include a piece of information like a password, something the user possesses such as a keycard, or a biometric like their fingerprint.
  • 2-Factor Authentication (2FA): This type of multi-factor authentication uses two distinct authentication factors. These have to be two different categories of authentication, such as knowledge and possession. We see 2FA frequently, for example, when a person logs in to an account with their username and password, then receives a push notification on their cell phone to approve the login.
  • 2-Step Verification (2SV): This type of multi-factor authentication requires two sequential verification steps using authentication factors. For example, Google uses 2SV. To log in, you enter your username and password, then enter an additional code.

It's important to note that both 2FA and 2SV are types of multi-factor authentication, which can also extend to three-factor authentication or three-step verification (or more). The primary difference comes down to the kind of authentication methods that are applied. If login is a two-step process, it's always going to be 2SV. If that two-step process uses different authentication factors, then it's a 2FA login.

Four Main Types of Authentication Methods

While there are many different solutions and ways to authenticate system access and verify a user's identity, usually in addition to a traditional username and password, each method falls into one of four categories, or factors. All four factors relate to the user: their knowledge, devices or additional tech, who/what they are and where they are located.


The most common way to authenticate system access is with personal knowledge unique to the user. This can be a piece of information or set of characters that the user has to submit to gain access. The classic example is, of course, a password and the username, but it can also be a personal identification number (PIN), or even both used sequentially, which is considered two-step verification.

You'll also sometimes see questions about the user, such as their birthplace or the first car they owned. Generally, these are not the best ways to verify identity. This information is all too easy to find on websites or social media profiles.


Another factor for system access can be something that the user has with them. This could include a device like a key card, hardware token, or cell phone. It also includes 2FA applications that they may have downloaded to their phone or computer, like Google Authenticator, Microsoft Authenticator, and LastPass Authenticator.

In practice, a possession factor doubles as a knowledge factor, because the user’s device or application requires an additional password they should know. For example, if a user logs in with their username and password, and 2FA is prompted through a one-time Google Authenticator password, then the user needs to "possess" the Google Authenticator app that holds the other password or PIN.

Hardware tokens such as YubiKey or Token2 work in a similar way to 2FA applications. In this case, however, the user inserts a key, which is linked to the device the person is using. Every time the user needs to log in with MFA, the token displays a new code.

SMS codes can also be sent to the user’s mobile device(s) to authenticate access. Keep in mind though, an SMS is not recommended as a robust MFA solution because a code sent in plain text (non-encrypted) to a phone number could easily be stolen or spoofed.


Most widely-used for on-premise locations, various biometrics such as fingerprints, eye scans, and face or voice recognition processes can confirm a user's identity. Some of these are now widespread in personal electronic devices, too. For example, iPhones let users set up face recognition or fingerprint scanning to access their phones.


The user’s physical location can also dictate system access. There are also scenarios where the user’s location doesn't necessarily decide whether or not they have permission to enter the application or device, but it determines which factor will be used for authentication. For example, if you are using a corporate network on-site, you may only need a username and password to log in. If you were off-site, it could prompt 2FA with an installed hardware token.

The Advantages of Multi-Factor Authentication

Because of how connected applications and devices are to an organization's network, implementing MFA is a best practice (if not a regulatory requirement), whether that means two or more steps of verification or two or more distinct authentication factors.

Below are some of the top ways MFA protects access to your systems:

  • Protects Against Negligence: It can be tricky to remember passwords, especially if they are complex. Many users create passwords that are short and easy to remember, giving cybercriminals a clear route to stealing credentials through brute force attacks or harvesting techniques. MFA provides another layer of security if employee passwords are compromised.
  • Prevents Unauthorized Access: Since it requires an additional step or factor to gain access to your network system or software application, MFA helps keep criminals out. More often than not, cybercriminals don’t have the knowledge or possessions needed to satisfy the additional requirements, even if they have the primary credentials.
  • Allows Geographic Flexibility: Many MFA solutions – such as knowledge-based factors or possessions like a phone, a hardware token, or an authentication app – do not require users to be on-site to complete their login. So, MFA is manageable from any location.
  • Ensures Industry Compliance: MFA is one of the most frequent regulatory compliance requirements for customers and employees. These include PCI Data Security Standards, GDPR and other industry regulations.

How to Choose the Right Authentication Method?

None of these factors or methods is necessarily better than another; the optimal solution really depends on your specific situation. The key for organizations is to create a balance between security, productivity and budget.

For example, while the security benefits of a five-step verification system are great, it’s not practical if it means employees lose time every day just trying to log in. It’s also important to prepare your business for multi-factor authentication, no matter which method you use, to set up your MFA deployment for success.

On-Premise or Cloud-Hosted Authentication

When evaluating MFA provider options, it's important to consider your organization's infrastructure. Can you host the solution on-premise? Or do you need a cloud-based system?

If possible, on-premise MFA is a more secure method since MFA enforcement and monitoring can only be done from the local, secure network. Because an internet connection is not required for on-site access, this reduces risks from internet-based attacks.

On-premise solutions can still enforce MFA to secure remote access via a variety of connection types, like remote desktop protocol, virtual private network, virtual desktop, and internet information services (IIS).

  • When no such connection exists, MFA policies are still enforced through an agent on the remote machine that connects to the on-premise service via the internet. See more on this with UserLock Anywhere.
  • An agent also allows a machine to be protected with MFA when offline - without an internet connection.

The Pros and Cons of Multi-Factor, Two-Step, or Two-Factor

Let’s first look at how to decide between 2SV and 2FA. 2FA is more secure because it requires two different factors, whereas 2SV usually requires two steps of the same factor (like two knowledge authentications). For that reason, many compliance requirements such as HIPAA, PCI DSS, and GDPR specifically require two factors of authentication and not just two steps.

On the other hand, 2SV is generally easier and faster for employees because it requires two items of information they already know. When organizations do not specifically need "two-factor" authentication for compliance purposes, they’ll likely find 2SV a more appealing security protocol.

When organizations need to protect extremely valuable systems holding sensitive information, they can implement MFA that requires three-step verification and 2FA. For example, if someone is at a data warehouse and wants to get into a specific subsection, that employee could be required to enter a password, unique PIN, then do an eye scan to gain access. In this case, it's three steps of verification but only two factors.
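
The step-versus-factor distinction above, written as a check that can be run over configured login flows (an added example, not part of the original article or of any product it mentions). The method labels and the `audit_flow` name are hypothetical; the category mapping and the two weak-method reasons follow what this page says.

```python
# Assumed mapping of method labels (hypothetical names) to the page's four factors.
CATEGORY = {
    "password": "knowledge", "pin": "knowledge", "security_question": "knowledge",
    "authenticator_app": "possession", "hardware_token": "possession",
    "push_notification": "possession", "sms_code": "possession",
    "fingerprint": "biometric", "eye_scan": "biometric", "face_scan": "biometric",
    "on_site_network": "location",
}
# Methods this page advises against, with the reason it gives.
WEAK = {
    "sms_code": "sent in plain text, can be stolen or spoofed",
    "security_question": "answers are easy to find online",
}

def audit_flow(steps, required_factors=2):
    """Classify a login flow and report gaps against a factor requirement."""
    unknown = [s for s in steps if s not in CATEGORY]
    if unknown:
        raise ValueError(f"unmapped methods: {unknown}")
    factors = sorted({CATEGORY[s] for s in steps})
    findings = [f"{s}: {WEAK[s]}" for s in steps if s in WEAK]
    if len(factors) < required_factors:
        findings.append(f"{len(steps)} step(s) but {len(factors)} factor(s); "
                        f"requirement is {required_factors} distinct factors")
    return {"steps": len(steps), "factors": factors,
            "two_step": len(steps) >= 2, "two_factor": len(factors) >= 2,
            "findings": findings}

# Constructed sample flows built from the methods and scenarios in the text.
FLOWS = {
    "password + push": ["password", "push_notification"],
    "password + PIN": ["password", "pin"],
    "password + PIN + eye scan": ["password", "pin", "eye_scan"],
    "password + SMS": ["password", "sms_code"],
}

if __name__ == "__main__":
    for name, steps in FLOWS.items():
        r = audit_flow(steps)
        print(f"{name}: {r['steps']} steps, factors={r['factors']}, "
              f"2FA={r['two_factor']}")
        for finding in r["findings"]:
            print("  finding:", finding)
```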

Leverage Granular Access Management Control

Regardless of what system is accessed or which method of authentication and verification you choose to use, granular access control offers organizations another security measure. Granularity means restricting or permitting specific system access and controlling details on when and how MFA is prompted.

Only in certain scenarios does it make sense to require users to constantly verify who they are. System administrators should manage their MFA requirements by setting user-specific standards on the type of MFA solution used, the frequency, application or system, and overall login circumstances.

Much of this can be better executed when MFA is part of a wider access management solution to enforce login restrictions, prompt MFA, and monitor all access logs. UserLock, for instance, also lets system administrators manage user access and verification requirements based on contextual factors such as device origin, time frame, type of session, and whether or not simultaneous sessions are in progress.

Passwordless Authentication

While MFA offers a way to keep the convenience of passwords while bolstering security, the most secure option for some organizations may be to avoid passwords altogether. An alternative solution to MFA for system access management and identity verification is using non-password methods such as biometrics, mobile push notifications, one-time passwords, or email links to log on. In this case, there is no standard login, meaning that no username or password is entered to gain access.

Another form of passwordless authentication is single sign-on (SSO), which gives users access to all systems by just completing one login. UserLock, for example, enables users to access both the cloud applications and network resources of the organization with just their Active Directory credentials. The single sign-on can even combine with MFA requirements for additional security.

Going passwordless eliminates the need for employees to create and memorize complex passwords. It also thwarts phishing scams attempting to access a user’s credentials because there are none, and is overall a more convenient option for employees.

There are some specific advantages to using SSO with Active Directory accounts as well. These include ensuring a single set of credentials for all users, keeping Active Directory the central identity management system, and combining it with MFA for better security. There’s also the non-security benefit of improving employee productivity by limiting time spent logging into applications.

Maximize Security and Convenience With Easy-to-Use MFA

Balancing convenience of access for employees while preventing security threats is a challenge for many organizations. Simply requiring a single authentication with a traditional username and password is no longer enough to prevent threat actors from gaining unauthorized access. Since passwords can be compromised, it’s critical to implement the extra security layer of multi-factor authentication, two-step verification or two-factor authentication.

To maximize security, it’s also best practice to combine authentication requirements with access control management and granularity (controlling who has permission, to what systems, how they must gain access, when they can, and where they can access from). Access control, MFA, and even single sign-on (for those that want to shift to passwordless) can all be managed from Active Directory using UserLock.
