Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) means proving who you are with more than one independent piece of evidence, drawn from different categories. The classic categories are something you know (a password or PIN), something you have (a phone, security key, or one-time-password device), and something you are (a biometric such as a fingerprint). The point is that compromising one factor does not compromise the others.

NIST Special Publication 800-63B formalizes this through “authentication assurance levels.” At AAL1, a single factor such as a memorized secret may be acceptable. At AAL2, NIST requires either a dedicated multi-factor authenticator, or the combination of “a Memorized Secret authenticator … and one possession-based … authenticator” - in other words, a password plus a second factor you physically hold.

The highest level, AAL3, is stricter still: NIST mandates hardware-based authenticators with verifier impersonation resistance, requiring “proof of possession and control of two distinct authentication factors.” This is aimed at the most sensitive systems, where even sophisticated phishing and relay attacks must be resisted.
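The three levels above turn into a simple policy check once each authenticator is tagged with the factor categories it proves. The Python below is an added example, not part of this page or of SP 800-63B; the `Authenticator` fields and the `assurance_level` function are assumptions made for the illustration, and the encoding follows the page's stated rules rather than the full 800-63B authenticator table.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


@dataclass(frozen=True)
class Authenticator:
    """Hypothetical model of one authenticator and the factor categories it proves."""
    name: str
    factors: frozenset                      # categories this single authenticator covers
    hardware: bool = False                  # hardware-based (page's AAL3 requirement)
    impersonation_resistant: bool = False   # verifier impersonation resistance (AAL3)


def distinct_factors(auths):
    """Union of factor categories: two passwords still count as one category."""
    covered = set()
    for a in auths:
        covered |= a.factors
    return covered


def assurance_level(auths):
    """Highest AAL (1-3) the presented authenticators satisfy per the page's rules, 0 if none."""
    if not auths:
        return 0
    covered = distinct_factors(auths)
    if len(covered) < 2:
        return 1  # single factor, however many authenticators of one kind are shown
    # AAL3: two distinct factors, with the possession factor hardware-based and
    # resistant to verifier impersonation (phishing/relay).
    if any(a.hardware and a.impersonation_resistant and Factor.HAVE in a.factors for a in auths):
        return 3
    # AAL2: a multi-factor authenticator, or memorized secret + possession-based authenticator.
    if any(len(a.factors) >= 2 for a in auths) or {Factor.KNOW, Factor.HAVE} <= covered:
        return 2
    return 1  # e.g. password + bare biometric: two categories, but no possession factor


# Constructed sample authenticators for the demonstration.
PASSWORD = Authenticator("password", frozenset({Factor.KNOW}))
PIN = Authenticator("PIN", frozenset({Factor.KNOW}))
TOTP_APP = Authenticator("TOTP app", frozenset({Factor.HAVE}))
FINGERPRINT = Authenticator("fingerprint", frozenset({Factor.ARE}))
OTP_TOKEN = Authenticator("hardware OTP token", frozenset({Factor.HAVE}), hardware=True)
PIN_KEY = Authenticator("PIN-protected security key", frozenset({Factor.HAVE, Factor.KNOW}),
                        hardware=True, impersonation_resistant=True)
```

Note that `PASSWORD` plus `PIN` stays at AAL1 because both are "something you know", and that the hardware OTP token reaches only AAL2 because it lacks verifier impersonation resistance.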

The practical value of MFA is that it breaks the single point of failure that passwords represent. Because passwords are routinely guessed, phished, reused, or exposed in database breaches, requiring a second independent factor means a stolen password by itself is no longer enough to gain access. This is why MFA is one of the most widely recommended defenses against account takeover.

Last verified June 8, 2026