Glossary term
MFA
Also: Multi-Factor Authentication
Authentication combining at least two factors from knowledge (password), possession (hardware token, smartphone) and inherence (biometrics). Mandatory under NIS2 Art. 21 (j) and DORA Art. 9.
Weak MFA: SMS or email OTP, vulnerable to SIM swapping and phishing. Medium MFA: TOTP apps such as Google Authenticator, better than SMS but still phishable, since a code entered on a fake login page is just as valid on the real one.
Strong MFA: phishing-resistant factors per NIST SP 800-63B AAL3, in practice FIDO2/WebAuthn with hardware keys (YubiKey, SoloKey, Titan) or Passkeys with platform attestation. Structurally protects against phishing, AiTM proxy attacks and replay, because the credential is bound to the site's origin and every assertion signs a fresh server challenge.
The 2026 baseline: privileged accounts need phishing-resistant MFA; standard users need at least TOTP; SMS MFA is increasingly rejected in regulated industries.
Related terms
Passkeys
Phishing-resistant authentication credentials per WebAuthn/FIDO2 that keep private keys on the devic…
FIDO2
Open authentication standard of FIDO Alliance and W3C, comprising WebAuthn (browser/platform interfa…
IAM (Identity and Access Management)
The stack of systems that governs who has access to which systems under which conditions. IAM covers…
Zero Trust
A security model built on the principle that no user, device or network location is trusted by defau…
MDR (Managed Detection and Response)
A service that provides outsourced 24/7 monitoring, detection and response on top of an EDR or XDR p…
AI Act Conformity Assessment
Procedure to demonstrate that a high-risk AI system complies with the EU AI Act before being placed …
AI Act Risk Categories
Four-tier classification under the EU AI Act: prohibited (Art. 5), high-risk (Annex I/III), limited …
Audit-ready decision
A decision whose record is structured, evidence-backed and stakeholder-signed to a level that a thir…
