Strong authentication is a method of user verification that is considered robust enough to withstand attacks on the system on which users are authenticating. Multi-factor authentication (MFA) is one of the best options for establishing trust with users, but true strong authentication goes beyond MFA or two-factor authentication (2FA). To qualify as strong authentication, a system must:

• Not rely solely on shared secrets/symmetric keys at any time. This includes passwords, codes, and recovery questions.

• Strongly repudiate identity theft and credential phishing. No matter how much users are educated about phishing or social engineering, some attacks will succeed. Strong authentication assumes that failures are inevitable and prevents them.