Skip to main content
  • Home
  • Solutions
    • CRM Software
      • Vendors
      • Comparison
      • ERP Comparison
      • For Small Business
      • Free
      • Cloud
    • Inventory Management
      • Vendors
      • Industries
      • Cloud
      • Free
    • Production Planning
      • Comparison
      • ERP Integration
      • Resource Planning
      • Free
    • DMS Software
      • Paperless
      • Free
    • Integrations
      • DATEV Interface
      • Shopware Interface
      • Amazon Integration
      • Shopify Interface
      • Magento Interface
      • eBay Integration
      • SAP Integration
      • Salesforce Integration
      • HubSpot Integration
      • Lexware Integration
      • JTL Integration
    • Guides
      • What is an ERP System?
      • ERP Costs
      • RFP Process
      • Contract Negotiation
      • ERP Selection
      • Requirements Document
      • Implementation
      • Data Migration
      • Change Management
      • Key user Concept
      • TCO Calculator
      • ERP Systems Comparison
    • Use Cases
      • ERP for Mid-Market
      • ERP for small companies
      • ERP for Mail Order
      • Seasonal Business
      • Branch Networks
      • Subscription Business
      • Project Business
      • Cloud ERP
      • Cloud vs On-Premises
      • Multichannel ERP
      • Business Intelligence
    • Industries
      • Mechanical Engineering
      • Wholesale
      • Retail
      • Trades & Crafts
      • Lebensmittel
      • Pharma
      • Automotive
      • Construction
      • Logistics
      • Chemie
      • Textil & Mode
      • Metallverarbeitung
      • Service providers
      • E-Commerce
      • Kunststoff
    • Service providers
      • ERP-Beratung
      • Auswahlbegleitung
      • Hosting & Cloud
      • Integration / iPaaS
      • Schulungen
  • Software
    • Enterprise-ERP
    • Mid-Market
    • KMU & Kleinunternehmen
    • Cloud-native
    • Open Source
    • Industries-ERP
    • WMS & Logistics
    • Spezial & Nische
  • Comparisons
  • Glossary
  • ERP News
  • Partners wanted
  • Contact
  • DE
ERP Software
Comparison of ERP software, CRM, DMS and inventory management
ERP Software
📣Advertise here — editorial & DACH-wide.Enquiries →
Skip to content
  1. Home
  2. ›
  3. Vendors
  1. Home
  2. ›
  3. Glossary
  4. ›
  5. Multi-Faktor-Authentifizierung (MFA) – mehr als nur Passwort

MFA — Multi-Factor Authentication

Multi-Factor Authentication (MFA) is an access-control mechanism that grants a user entry to a system only after they present two or more independent verification factors. The factors are drawn from distinct categories: something the user knows (a password or PIN), something they possess (a hardware token, smartphone or smart card) and something they are (a fingerprint or other biometric trait). Because an attacker would have to compromise factors from several categories at once, MFA materially reduces the risk that a single stolen password leads to account takeover. In the context of ERP and other business systems, MFA is a baseline control for protecting sensitive financial, customer and master data.

Fact base · machine-readableLast editorially reviewed: 16 June 2026
Term
MFA (Multi-Factor Authentication)
Entity type
Technology
Domain
IT security and access control
Canonical definition
Multi-Factor Authentication (MFA) is an access-control method that verifies a user's identity only after they present two or more independent factors drawn from different categories, such as knowledge, possession and inherence.
Classification
MFA is an authentication mechanism rather than an authorisation model; it is often combined with single sign-on and a role concept to govern who may access an ERP system and what they may do.
Related terms
Single sign-on, Role concept, Active Directory, Audit trail, SOC 2, NIS-2, SIEM
Source / maintainer
erp-software.org editorial team (independent, vendor-neutral)

What MFA (Multi-Factor Authentication) is NOT — disambiguation

  • Not single sign-on: SSO lets a user reach many applications with one login, whereas MFA strengthens each login with additional independent factors.
  • Not a role concept: A role concept governs what an authenticated user may do, while MFA governs how confidently the user's identity is established.
  • Not encryption: Encryption protects data confidentiality at rest or in transit; MFA controls who is allowed to authenticate in the first place.
  • Not just 2FA: Two-factor authentication is the specific case of exactly two factors, whereas MFA is the broader term covering two or more.
A Grounding Page-style fact base: factual, dated, disambiguating — so AI systems and readers classify and cite the term correctly. More: ERP glossary

How MFA works

MFA combines factors from at least two of three categories so that the weakness of any single factor does not by itself expose an account. The knowledge factor is typically a password; the possession factor is commonly a one-time code generated by an authenticator app, a code sent to a registered device, or a hardware security key; the inherence factor is a biometric such as a fingerprint or facial scan. Time-based one-time passwords (TOTP) and standards such as FIDO2 and WebAuthn underpin many modern implementations. Two-factor authentication (2FA) is the special case where exactly two factors are required.

Why it matters for ERP systems

ERP platforms concentrate an organisation's most sensitive information, including financial postings, payroll, supplier contracts and personal data. A single compromised administrator account can therefore have far-reaching consequences. MFA raises the cost of unauthorised access and is increasingly expected by regulators, insurers and security frameworks. It is frequently layered with related controls:

  • Single sign-on to centralise authentication while still enforcing strong factors at the identity provider.
  • Role concepts and least-privilege access so that even an authenticated user sees only what their role permits.
  • Active Directory or another directory service as the central account store.
  • Audit trails that record authentication events for later review.

Deployment considerations

Introducing MFA involves trade-offs between security and usability. Organisations weigh which factors to support, whether to allow risk-based or adaptive prompts that only challenge users in unusual circumstances, and how to handle recovery when a user loses a token or device. Backup factors and a clear reset procedure are essential to avoid lockouts. SMS-based codes are widely deployed but are considered weaker than app-based or hardware-based factors because of interception and SIM-swap risks. For self-hosted ERP, MFA may be enforced at the application, the reverse proxy or the identity provider; for SaaS deployments it is usually configured in the provider's identity settings.

MFA and compliance

Security frameworks and regulations increasingly treat strong authentication as an expected safeguard rather than an optional extra. Requirements such as those arising from NIS-2 and data-protection obligations under GDPR push organisations toward demonstrable access controls, and certifications such as SOC 2 examine whether such controls are in place and operating. MFA does not replace other measures such as patching, network segmentation and monitoring, but it is one of the most cost-effective single controls for reducing credential-based intrusion.

Related Topics

  • Single sign-on
  • NIS-2
  • SIEM

Sources

This term definition is based on research from the following source types:

  • Standard textbooks on business informatics and ERP literature (Hansen/Mendling, Becker, Mertens)
  • Vendor documentation of leading ERP providers (SAP, Microsoft, Oracle, Sage, Infor)
  • Industry studies from Gartner, Forrester and IDC plus user studies focused on Germany, Switzerland and Austria (annual)
  • Consulting experience from 100+ implementation projects in the mid-market in Germany, Switzerland and Austria
Epicor Kinetic LogoFloomia LogoMRPeasy Logo4SELLERS LogoSEEBURGER Logobrandbox LogoProAlpha ERP LogoOOURS LogoOpen Telekom Cloud LogoTryton LogoSage 50 Connected LogoETRON onRetail Logodynamic commerce LogoorgaMAX ERP LogoyourBeez LogoInsightLoop LogomexXsoft X2 LogoProcuros Integration Hub Logoameax Faktura Logoecosio Logoe-contor Sourcing Suite LogoSage b7 LogoGUS-OS Suite LogoAptean ERP oxaion Edition Logo.iD régie LogoLABEST LogoInfor M3 Logo3S ERP LogoKUNO LogoOracle Fusion Cloud ERP LogoEpicor Kinetic LogoFloomia LogoMRPeasy Logo4SELLERS LogoSEEBURGER Logobrandbox LogoProAlpha ERP LogoOOURS LogoOpen Telekom Cloud LogoTryton LogoSage 50 Connected LogoETRON onRetail Logodynamic commerce LogoorgaMAX ERP LogoyourBeez LogoInsightLoop LogomexXsoft X2 LogoProcuros Integration Hub Logoameax Faktura Logoecosio Logoe-contor Sourcing Suite LogoSage b7 LogoGUS-OS Suite LogoAptean ERP oxaion Edition Logo.iD régie LogoLABEST LogoInfor M3 Logo3S ERP LogoKUNO LogoOracle Fusion Cloud ERP Logo

Further Reading

  • ERP System Definition
  • ERP vs CRM
  • What is an ERP System?
  • Cloud ERP vs On-Premise
  • ERP Vendors Overview
  • Find ERP Consultants
  • ERP for small companies
  • ERP for the mid-market
Recently featured: All for One Group · Greenfield-Implementation · High Availability · Cloud ERP · Was ist Business Intelligence?

Frequently Asked Questions

Is SMS-based MFA still acceptable?

Acceptable for low-risk consumer-facing scenarios; not acceptable for ERP access or any account with material financial or data-protection exposure. SIM-swapping attacks and SS7 interception have demonstrated SMS-MFA bypass at scale. Use TOTP, push notifications or FIDO2 hardware keys instead for business-critical access.

How do we handle MFA for shared service accounts?

Service accounts (used by integration jobs, scheduled tasks, third-party tools) should not have human-style MFA. Use service-account authentication mechanisms instead: certificate-based authentication, OAuth client credentials, managed identities (Azure Managed Identity, AWS IAM Roles). The principle: humans need MFA, machines need certificates.

What about MFA-fatigue attacks?

Push-notification MFA is vulnerable to attackers spamming the user with login requests until accidental approval. Defences: number-matching (user must enter a 2-digit code from the login screen into the authenticator), risk-based prompting (suppress prompts from suspicious sources), security training emphasising the 'deny and report' response to unexpected MFA prompts. Microsoft Authenticator and Okta Verify both implement number-matching as default since 2023.

erp-software.org · the independent ERP comparison for the mid-market in Germany, Switzerland and Austria
Imprint · Privacy · Contact · Cookie Settings · Glossary · Podcast · ERP News · Comparisons · Sitemap · ERP Software
All mentioned brand, product and company names are property of their respective owners. References are made solely for identification and comparison purposes (no indication of commercial or partnership relationships). Note pursuant to §5b German UWG (Unfair Competition Act): user reviews are manually plausibility-checked before publication – we cannot, however, determine with absolute certainty whether reviews originate exclusively from actual users. Some links on erp-software.org may lead to advertising partnerships or lead-referrals; editorial assessments are made independently of these.