Skip to content
Latchkey

What Is Multi-Factor Authentication? Layered Identity Proof

Multi-factor authentication (MFA) requires two or more independent kinds of evidence to prove an identity, so a stolen password alone is not enough.

Multi-factor authentication, or MFA, strengthens login by demanding more than one factor. A password is something you know; MFA adds something you have or something you are. Because the factors are independent, an attacker who steals one still cannot get in. For engineering teams, MFA on source hosts and cloud accounts is a baseline defense.

The factor types

  • Knowledge: a password or PIN.
  • Possession: a phone, authenticator app, or hardware security key.
  • Inherence: a fingerprint, face, or other biometric.

Why MFA works

Most attacks start with a stolen or phished password. Requiring a second, independent factor breaks that path: the attacker would also need your phone or hardware key. The factors must be genuinely independent for this to hold.

Stronger and weaker factors

Not all second factors are equal. SMS codes can be intercepted or SIM-swapped. Authenticator-app codes are better. Hardware security keys using FIDO2 resist phishing because they are bound to the real site. Where it matters, prefer the strongest factor available.

MFA and CI/CD

MFA protects the human accounts that control your pipelines: source host, cloud console, CI/CD platform, and identity provider. It is interactive, so it guards login, not the automated tokens pipelines use. Those rely on scoping and short lifetimes instead.

Where MFA does not reach

A pipeline running unattended cannot answer an MFA prompt. That is exactly why machine authentication uses scoped tokens and OIDC, not interactive MFA. Knowing this boundary keeps you from trying to bolt MFA onto automation where it does not fit.

Protecting the human side

Because compromise of a developer or admin account can poison pipelines, enforcing MFA (ideally phishing-resistant) on every account that can touch CI is one of the highest-leverage controls a team can apply.

Key takeaways

  • MFA requires two or more independent factors, so a stolen password is not enough.
  • Hardware security keys (FIDO2) are the strongest, phishing-resistant factor.
  • MFA guards human login; pipelines rely on scoped tokens, not interactive MFA.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →