Which of the following describes multi-factor authentication (MFA)?

Multi-factor authentication (MFA) is characterized by the use of two or more distinct methods for verifying a user's identity. This enhances security by requiring users to provide multiple forms of evidence that they are who they claim to be. Typically, these methods can be grouped into three categories: something the user knows (like a password), something the user has (such as a smartphone or security token), and something the user is (like biometric identifiers such as fingerprints or facial recognition).

Using multiple factors makes it significantly harder for unauthorized individuals to gain access, even if they manage to obtain one of the credentials, like a password. Each additional layer of verification adds more security, which is why option B accurately describes MFA.

Other options do not correctly encapsulate the concept of MFA. For instance, relying solely on a password does not provide the layered security inherent in MFA and thus does not qualify as such. Similarly, using only biometric data, or applying controls exclusively at login, does not reflect the multifaceted approach to authentication that is typical of MFA.