Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) is an access control method that requires a user to provide two or more independent credentials to verify their identity before gaining access to a system, application, or data. It is widely used to protect IT and OT environments, including MES, ERP, quality systems, remote access to plant networks, and administrative portals.

Core concept

MFA combines credentials from at least two different categories:

• Something you know: passwords, PINs, answers to security questions
• Something you have: hardware tokens, smart cards, mobile authenticator apps, SMS codes, FIDO security keys
• Something you are: biometric identifiers such as fingerprints, facial recognition, or iris scans

If two credentials come from the same category (for example, two passwords), it is not considered MFA.

Use in industrial and regulated environments

In industrial operations, MFA commonly applies to:

• Remote access to OT networks, SCADA, DCS, and plant-floor equipment
• Access to regulated systems such as MES, QMS, PLM, and ERP handling export-controlled or sensitive technical data
• Administrative and privileged accounts for system configuration, user management, and security settings
• Cloud-hosted applications used for production planning, quality documentation, digital travelers, and audit records

MFA is frequently referenced in cybersecurity frameworks and requirements for regulated manufacturing, such as controls related to remote access, privileged accounts, and protection of sensitive information. It is a technical control that can support alignment with security and defense-related standards, but it does not by itself indicate overall compliance.

Operational considerations

When applied to manufacturing and industrial operations, MFA typically needs to account for:

• Shared workstations and terminals on the shop floor, where multiple operators may log into a common station
• Usability at the line, ensuring MFA does not prevent timely access to work instructions, travelers, or quality records
• Integration with directory services such as Active Directory or identity providers used across MES, ERP, and other systems
• Network segmentation, where MFA may be required for crossing from corporate IT networks into OT or secure zones

Common confusion

• MFA vs. Two-Factor Authentication (2FA): 2FA is a specific case of MFA that uses exactly two factors. MFA is a broader term that covers two or more factors.
• MFA vs. strong passwords: Complex passwords alone are not MFA. At least two distinct factor categories must be used.
• MFA vs. single sign-on (SSO): SSO provides a unified login across systems, while MFA adds additional verification steps. Many deployments combine SSO with MFA.

Relation to cybersecurity and compliance

MFA is commonly referenced in cybersecurity and defense-related guidelines, including those addressing controlled unclassified information, export-controlled data, or access to cloud-hosted manufacturing systems. In this context, MFA is treated as one of several technical access controls that can help reduce the risk of unauthorized access to sensitive production data, engineering documents, and quality records.