Just a few years ago, the cost of implementing multi-factor authentication (MFA) could be quite high. More recently, it has become very affordable, costing as little as $10 USD per person. MFA is therefore a feasible strategy even for smaller businesses to adopt. It is especially useful in circumstances where users must authenticate to a system that gives them critical access to company resources or to their own PII and personal activities, such as online banking. Even if the organization has systems that enforce password strength and complexity requirements, users will still tend to choose easily guessable and/or word-based passwords that a dictionary attack will make short work of. MFA can compensate for this weakness by requiring the user to also provide another form of authentication; without it, they will be unable to log in.
There are many authentication methods that supplement the "something you know" of password-based authentication. Perhaps the most common is a limited-time security code sent to the user's smartphone via SMS. This fulfills a "something you have" factor and can be combined with a username and password to sign in. Since many people have smartphones, this is not an overly strict requirement, and in some cases, the organization will issue smartphones to employees for them to use on the job. Other examples of authentication factors used in MFA include smart cards ("something you have"), hardware tokens/key fobs, and biometric fingerprint scanners ("something you are").