What is Multi-Factor Authentication (MFA)?

Modified on Wed, 27 Mar at 11:58 AM


DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.


Multi-factor authentication (MFA), or two-factor authentication (2FA), is a layered approach to securing data and applications in which a system requires a user to present a combination of two or more credentials to verify their identity at login. MFA increases security because even if one credential is compromised, an unauthorized user will be unable to satisfy the second authentication requirement and so will not gain access to the targeted physical space, computing device, network, or database.

HHS HICP guidance recommends that covered entities deploy multi-factor authentication (MFA) (p. 10) before enabling access to their email systems. MFA can prevent hackers who have obtained a legitimate user’s credentials from accessing systems. The guidance recommends that MFA be in place for both web access and local client access. While IMAP and POP3 remain popular mail protocols, they might not support MFA and can leave a back door open to email mailboxes.

The guidance also recommends that MFA be enabled for remote access. For devices that are accessed remotely, the guidance recommends that covered entities leverage technologies that require MFA before permitting users to access data or applications on the device. The guidance notes that logins that use only a username and password are no longer considered truly secure, as credentials are often compromised through phishing emails.

The guidance also recommends that healthcare organizations that have IT resources, or that contract with vendors to manage their information systems, audit the remote access software installed on endpoints to confirm that it is still in use. The guidance also recommends that healthcare organizations check to make sure that MFA is enabled on software applications and operating systems.

The guidance also recommends that covered entities enable MFA for all accounts that are created for administrators, as a way of providing HIPAA-compliant role-based access.

Additionally, the guidance recommends that covered entities implement MFA for VPN connections used to connect to their network and systems (whether those systems are located on-premise or in the cloud).

MFA is identified as a workstation security access control, as well as a person or entity authentication control, in NIST SP 800-66 rev 2.
