Better companies: Fail fast, fail often

Tuesday, 1 July 2025

Cybersecurity, in the Plural

As passwordless authentication emerges as one of the next big shifts in cybersecurity, the story of multi-factor authentication (MFA) reminds us of a core truth: in innovation, you have to fail early, understand why, and persist.

Understanding MFA

Multi-factor authentication (MFA) is based on a simple principle. To access an account or service, the user must prove their identity using at least two of the following three factors:

  • something they know: password, PIN,
  • something they have: smartphone, physical token,
  • something they are: fingerprint, facial recognition, iris scan.

For example, entering a password and then confirming access via a code received by SMS is a form of MFA. This approach drastically reduces the risk associated with stolen passwords. 

Simple and obvious? While the concept of MFA dates back to the 1980s, it struggled to gain traction in the 1990s even though it was already being used in some companies and sensitive sectors. 

The illusion of security

The first obstacles to the adoption of MFA were human. Users instinctively rejected what they saw as an unnecessary hassle. Why pull out a physical token (those devices that generate one-time codes) or wait for a text message when a single password seemed to do the job?

Businesses, too, were reluctant: the cost of deployment, complexity of integration, and lack of interoperable standards all played a role. Add to that the early technology, with no smartphones in sight, which felt clunky, confusing, or even anxiety-inducing.

A multifactor success

It wasn’t until the 2010s that several factors aligned to trigger a turning point. 

First, the wave of high-profile cyberattacks and massive data breaches (Yahoo, LinkedIn, Sony, etc.) changed public perception of risk: passwords alone were no longer enough.

Next, the widespread use of smartphones made daily MFA use much easier: code-generating apps, push notifications, and biometric authentication became available to everyone. 

Finally, the rise of smoother, native solutions from Google, Microsoft, or Auth0 greatly improved the user experience, while interoperable standards such as WebAuthn and FIDO2 enabled consistent, global adoption.

Regulations also played a key role: frameworks such as the GDPR (General Data Protection Regulation) in Europe and PSD2 (the EU’s Second Payment Services Directive) in the banking sector required strong authentication in certain situations, thus accelerating MFA adoption across many online services. 

Finding the right balance

What truly allowed MFA to take hold was its alignment of security, ease of use, and accessibility. Innovation is never just about technology: to become a part of daily life, it has to fit human behavior.

The pioneers of MFA understood this. By rethinking the user experience and weaving security into everyday actions, they turned what was once seen as a burden into a natural reflex. Today, MFA is no longer optional; it’s the norm.

Before becoming a standard, multi-factor authentication failed. Security had to adapt to people, not the other way around.