The practice of using more than one factor (a password being one such factor) to sign in to a site or application. Authenticators may include push notifications, codes, or biometric data like fingerprints or facial scans. If an attacker has already taken over a phone, however, phone-based MFA methods are no longer useful in protecting data.