LoginOS

Multi-factor authentication

A second factor is only as good as its fallback — design the whole chain, not just the happy path.

MFA reduces account takeover risk dramatically, but most of its real-world failures happen in the parts teams design last: enrollment, recovery, and device loss.

Where products get this wrong

Teams ship a single MFA method (usually SMS or TOTP) and treat it as complete. When a user loses their phone, there’s no documented path back in — support ends up doing manual identity verification over email, which is slower and less secure than the MFA it was meant to protect.
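One way to design the recovery path alongside the primary factor, as an added example (not LoginOS code): enrollment issues a TOTP secret and a set of single-use recovery codes stored only as hashes, TOTP verification tolerates one step of clock drift, and consuming a recovery code invalidates it and clears the authenticator so the user must re-enroll rather than drop to an ad-hoc support process. `MfaAccount` and its methods are hypothetical names for this illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


class MfaAccount:
    """Enrollment, verification and recovery state for one user (hypothetical)."""

    def __init__(self) -> None:
        self.secret = None                # TOTP seed; None means no enrolled authenticator
        self.recovery_hashes: set = set()  # SHA-256 of each unused single-use recovery code

    def enroll(self, n_codes: int = 8):
        """Issue a fresh TOTP seed plus recovery codes; only hashes of the codes are kept."""
        self.secret = secrets.token_bytes(20)
        codes = [secrets.token_hex(5) for _ in range(n_codes)]
        self.recovery_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return base64.b32encode(self.secret).decode(), codes  # shown to the user once

    def verify_totp(self, code: str, now=None, step: int = 30, window: int = 1) -> bool:
        """Accept the current code or one step either side; constant-time compare."""
        if self.secret is None:
            return False
        now = int(time.time()) if now is None else now
        return any(hmac.compare_digest(totp(self.secret, now + d * step, step), code)
                   for d in range(-window, window + 1))

    def recover(self, code: str) -> bool:
        """Burn one recovery code and clear the lost authenticator to force re-enrollment."""
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest not in self.recovery_hashes:
            return False
        self.recovery_hashes.discard(digest)  # single use: the same code never works twice
        self.secret = None                    # next login must enroll a new authenticator
        return True
```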

What good looks like

MFA and passkeys solve overlapping problems; the difference is where the cryptographic proof lives.