Glossary

What is Multi-Factor Authentication?

Multi-factor authentication (MFA) is an authentication method that requires a user to present two or more independent credentials from different categories — something they know, something they have, or something they are — before access is granted.

Also known as: multi-factor authentication, two-factor authentication, 2FA, MFA

The three standard authentication factors are: knowledge (passwords, PINs), possession (phones, hardware tokens, smart cards), and inherence (fingerprints, facial recognition). MFA requires credentials from at least two of these categories, so compromising a single factor is insufficient for an attacker to gain access. A stolen password is useless without the hardware token; a stolen phone is useless without the PIN.

The most common MFA implementations pair a password with a time-based one-time password (TOTP) generated by an authenticator app, an SMS code, or a push notification to a mobile device. Stronger implementations use hardware security keys (FIDO2/WebAuthn), which resist phishing because the credential is cryptographically bound to the origin it was registered for, so a lookalike site on a different domain cannot obtain a valid assertion from the key. SMS-based codes, while better than passwords alone, are vulnerable to SIM swapping attacks.

MFA is one of the most effective security controls an organization can deploy. Industry data consistently shows that MFA blocks over 99% of automated credential attacks. Despite this, adoption remains uneven — many breaches trace back to accounts protected by passwords alone, particularly service accounts, legacy systems, and personal accounts reused across services.

How Vaulted uses Multi-Factor Authentication

Vaulted does not use accounts or login-based authentication, so MFA does not apply directly to the service. However, Vaulted's optional passphrase protection provides an analogous second factor for secret access. The link itself serves as "something you have" (possession of the URL), and the passphrase acts as "something you know." Together, they ensure that intercepting the link alone is not sufficient to access the secret — the attacker would also need the passphrase, which should be communicated through a separate channel.