Is It a Recommended/Best Practice to Use Email as a Component in Two Factor Authentication?

Problem scenario
You want to implement a secure protocol for authentication. You want there to be a password and a second factor of authentication. Can email (that is, being in possession of an inbox) be a factor in MFA?

Answer
Maybe.

No, according to NIST: https://pages.nist.gov/800-63-FAQ/
But many companies do use email as a factor in multi-factor authentication.
