
Multi-factor authentication

Multi-factor authentication (MFA) is a method that verifies a person's identity using at least two independent factors from different categories (knowledge, possession, inherence).

Multi-factor authentication (MFA) is a security method that grants access only after a person has proven their identity using at least two independent factors. These factors come from different categories: knowledge (e.g. a password or PIN), possession (e.g. a smartphone, hardware token or smart card) and inherence (e.g. fingerprint, face or iris recognition). Combining independent factors makes it far harder for attackers to gain access, because stealing a single factor is no longer sufficient.

MFA is considered one of the most effective measures against identity theft, phishing and compromised credentials. With the NIS2 Directive and its national transposition, MFA has gained additional weight: it is explicitly listed as a technical baseline measure for risk treatment. Affected entities must deploy MFA or continuous authentication solutions, in particular for remote access, privileged accounts and business-critical systems. The BSI IT-Grundschutz and ISO/IEC 27001 likewise require strong authentication as part of access control.

When implementing MFA, the quality of the factors is decisive: phishing-resistant methods such as FIDO2/WebAuthn or hardware security keys offer a significantly higher level of protection than SMS-based one-time passwords, which can be compromised through SIM swapping or interception. MFA should also be embedded in an overarching identity and access management framework, applied on a risk basis, and complemented by clear emergency and recovery processes for lost factors. Under NIS2, management bodies are responsible for ensuring that such measures are effectively implemented and monitored.

Legal Basis

Art. 21(2)(j) NIS2 Directive (EU) 2022/2555; ISO/IEC 27001 (A.5.17, A.8.5); BSI IT-Grundschutz (ORP.4, IDM)

Practical Example

A mechanical engineering company classified as an important entity finds during its NIS2 applicability assessment that administrators have so far accessed the remote-maintenance interfaces of its production control system with a password only. The information security officer rolls out phishing-resistant MFA using FIDO2 security keys for all privileged accounts and VPN access, stores a backup key in the safe, and documents the measure in the Statement of Applicability. At the next internal audit, the record serves as evidence that the strong authentication required under Art. 21 NIS2 is in place.

FAQ

Yes. Article 21(2)(j) of the NIS2 Directive explicitly names the use of multi-factor authentication or continuous authentication solutions as a risk-management measure. Important and essential entities must implement MFA, in particular for remote access and privileged accounts.

Independent factors come from different categories: knowledge (password, PIN), possession (token, smartphone, smart card) and inherence (biometric traits). Two passwords are not MFA, because both belong to the same category and cannot be compromised independently of one another.

Phishing-resistant methods such as FIDO2/WebAuthn or hardware security keys offer the highest level of protection. SMS- or email-based one-time passwords are more vulnerable to SIM swapping and interception and should only be used as an interim solution or for accounts with low protection needs.
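Both the implementation paragraph above and this FAQ answer rest on one technical point: a WebAuthn assertion is bound to the origin and relying-party ID that the browser reports, while a one-time code is accepted wherever it is typed. The following Python example is added here (it is not from the original page or from preeco) to make that difference concrete; the relying party `example.com`, the look-alike origin, the challenge and all secrets are constructed for the demo, and an HMAC keyed with `CRED_SECRET` stands in for the credential's real asymmetric key pair.

```python
import hashlib, hmac, json, struct

# Constructed demo values; HMAC keyed with CRED_SECRET stands in for the credential's ECDSA key pair.
RP_ID, RP_ORIGIN = "example.com", "https://example.com"
CRED_SECRET = b"demo-credential-key"

def authenticator_sign(client_data: dict, rp_id_from_browser: str) -> dict:
    """Simulated authenticator: the browser (not page script) fills origin/rpId; sig covers authData||H(clientDataJSON)."""
    cdj = json.dumps(client_data, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id_from_browser.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    sig = hmac.new(CRED_SECRET, auth_data + hashlib.sha256(cdj).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": cdj, "authenticatorData": auth_data, "signature": sig}

def rp_verify_assertion(a: dict, issued_challenge: str) -> bool:
    """Relying-party checks from the WebAuthn spec: type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != issued_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:  # origin binding: this is the phishing-resistance check
        return False
    if a["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"]).digest()
    return hmac.compare_digest(hmac.new(CRED_SECRET, signed, hashlib.sha256).digest(), a["signature"])

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

def rp_verify_totp(code: str, secret: bytes, t: int) -> bool:
    # Accepts the current step and one step either side; note there is no origin to check at all.
    return any(hmac.compare_digest(code, totp(secret, t + d)) for d in (-30, 0, 30))

def compare_origin_binding() -> dict:
    challenge = "c2VydmVyLWNoYWxsZW5nZQ"  # constructed challenge issued by the real RP
    get = lambda origin: {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    legit = authenticator_sign(get(RP_ORIGIN), RP_ID)
    # Look-alike site: the browser reports its own origin/rpId (really it would not even offer the credential).
    phished = authenticator_sign(get("https://example-login.com"), "example-login.com")
    # Splicing that signature onto data claiming the real origin fails the signature check.
    spliced = dict(legit, signature=phished["signature"])
    # A TOTP code is accepted wherever it is entered: nothing ties it to the site that asked for it.
    otp_secret, now = b"12345678901234567890", 1700000000
    return {"fido2_legit": rp_verify_assertion(legit, challenge),
            "fido2_lookalike": rp_verify_assertion(phished, challenge),
            "fido2_spliced": rp_verify_assertion(spliced, challenge),
            "totp_entered_anywhere": rp_verify_totp(totp(otp_secret, now), otp_secret, now + 20)}
```

Only the assertion produced on the genuine origin verifies; the TOTP verifier has no origin input, which is why the text ranks one-time codes below FIDO2 for accounts that matter.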
