the 2/3 rule for multi-factor authentication

Submitted by Style Pass, 2023-03-26 14:30:03

When you sign into an online service, you’re required to provide a username to identify who you are and a password to prove that you are who you say you are. Anyone can claim that they’re romanhn on GitHub, but only I know my GitHub password. But if a hacker breaches GitHub’s servers and publishes everyone’s passwords,1 knowing my password is no longer proof of anything. This is the motivation behind two- or multi-factor authentication (MFA): to access my GitHub account, not only would you have to know my password, but you’d also need to authenticate yourself using an additional factor, like tapping a notification on my phone.

I’ll use the “Swiss cheese model”, shown above, to explain how multi-factor authentication provides security through redundancy. Each authentication factor is a slice with holes in it. If a hacker gets through a hole in one slice (knows my password), they still have to find a hole in the next slice (get me to tap the notification) before they can hack my account.

Each layer should come from a different category of factor (something you know, something you have, something you are), because different factors in the same category are often breached simultaneously, as if they were sliced from the same section of the cheese block so their holes line up. For example, if I fell victim to a phishing attack, the hacker would discover all the “pieces of information only I know” in one fell swoop. Asking the hacker “what was the name of your first pet?” doesn’t provide any additional security if they discovered my password and my first pet’s name at the same time. Two knowledge factors are really one slice of cheese; the second factor only adds a layer if it is something I have or something I am.
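To make the rule concrete, here is an added example (my own illustration, not code from the post or from any real authentication service) of the check an authentication server should perform: it counts the distinct factor *categories* a user has satisfied rather than the number of factors, and contrasts that with a naive “any two factors” policy. The factor names, the `FACTOR_CATEGORY` mapping and the phishing scenario are constructed for the example.

```python
"""Evaluate an MFA policy by counting distinct factor categories, not factors."""
from enum import Enum


class Category(Enum):
    """The three classic authentication factor categories."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Hypothetical mapping from the factor names used in this example to their
# category. A real service would derive this from its own authenticator types.
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "security_question": Category.KNOWLEDGE,
    "totp_code": Category.POSSESSION,         # authenticator app on the phone
    "push_notification": Category.POSSESSION,
    "hardware_key": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
}


def distinct_categories(verified_factors):
    """Return the set of categories covered by the factors that were verified.

    Unknown factor names raise rather than being silently ignored, so a
    misconfigured policy fails closed instead of quietly counting nothing.
    """
    categories = set()
    for name in verified_factors:
        if name not in FACTOR_CATEGORY:
            raise ValueError(f"unknown factor: {name!r}")
        categories.add(FACTOR_CATEGORY[name])
    return categories


def naive_two_factor(verified_factors):
    """Weak policy: any two distinct factors count, whatever their category."""
    return len(set(verified_factors)) >= 2


def two_of_three(verified_factors, required=2):
    """The 2/3 rule: factors from at least `required` distinct categories."""
    return len(distinct_categories(verified_factors)) >= required


def missing_categories(verified_factors):
    """Categories the user could still add to gain another cheese slice."""
    return set(Category) - distinct_categories(verified_factors)


# Constructed scenario: a phishing page captures everything the victim *knows*
# in one go, but nothing they *have* or *are*.
PHISHED_FACTORS = frozenset({"password", "security_question"})


def attacker_passes(policy, compromised=PHISHED_FACTORS):
    """Does the attacker's phishing haul alone satisfy the given policy?"""
    return policy(compromised)


if __name__ == "__main__":
    print("naive two-factor lets phished attacker in:", attacker_passes(naive_two_factor))
    print("2/3 rule lets phished attacker in:", attacker_passes(two_of_three))
    legit = {"password", "push_notification"}
    print("legit user, password + push notification:", two_of_three(legit))
    print("categories that would add a third slice:", missing_categories(legit))
```

The naive policy lets the phished attacker straight in because a password and a security answer are two “factors”; the category-aware policy rejects the same set because both live in the knowledge slice. Note that two possession factors (a TOTP code and a hardware key) fail the rule for the same reason.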
