Real 2FA Security

Your cell phone isn't designed to be a secure authentication device.

Multifactor is.

Two factor authentication codes are securely encrypted and stored on our servers.
Multifactor is secured with EV-SSL by Comodo. Multifactor is AICPA SOC compliant. Multifactor is ISO-27001 compliant. Multifactor is secured and protected against the OWASP Top 10 vulnerabilities. Multifactor was built with CSA (Cloud Security Alliance) best practices in mind. Multifactor is compliant with the US-EU Safe Harbor laws. Multifactor is McAfee Secure, and our website is scanned for malware and vulnerabilities daily.

Security is at our core.

Multifactor was created when we realized that most people still receive 2FA codes via SMS messages on their cell phones, exposing them to a series of vulnerabilities and exploits. Multifactor's patent-pending system utilizes custom-designed virtual phones to securely receive 2FA codes.

Truly secure 2FA for all your accounts.

Threat                          Cell Phone              Multifactor
Physical Access to Cell Phone   Critical Vulnerability  Not Vulnerable
On-Premise SIM Card Swap        Critical Vulnerability  Not Vulnerable
Remote SIM Card Swap            Known Exploit           Not Vulnerable
IMSI Catchers                   Known Exploit           Not Vulnerable
SS7 Vulnerabilities             Plausible Exploit       Not Vulnerable
Spyware / Remote Access         Plausible Exploit       Not Vulnerable

  A note from our Lawyers:

Multifactor goes above and beyond the industry-standard security measures, but there's no such thing as a perfectly impenetrable system. This page exists for marketing purposes and, for security reasons, only contains an approximation of Multifactor's true system architecture. Our Terms of Service take precedence for the specifics of our warranties.

Take a tour of Multifactor's Infrastructure

Starting at your browser, we'll take a deep dive into how Multifactor serves a single page request.

2FA codes are displayed in your browser through our secure Web Application.

Your Browser

Multifactor can work securely on Chrome, Safari, Opera, Firefox, and Internet Explorer.

We don't store any sensitive data on your browser — cookies are only used for session tracking and analytics.

If you're concerned about others that have access to your computer, we have settings available to hide your login codes from onlookers. You can even require a 5-digit PIN to access your dashboard.

We use 256-Bit EV-SSL to encrypt your data while in transit.

256-Bit EV SSL

We use 256-Bit Extended Validation (or "Green bar") SSL / TLS encryption on all requests, making man-in-the-middle attacks impossible. Any insecure (HTTP) requests are redirected to a secure connection before serving any data.

Our Web Application Firewall (WAF) defends against a variety of attacks including SQLi, XSS, and CSRF attacks.

WAF and DDoS Mitigation Layer

All requests must pass through a secure Web Application Firewall (WAF) layer. Here, we apply a carefully-constructed ruleset to defend against a variety of attacks. Our firewall can:

  • Detect and mitigate Layer 3/4 and Layer 7 DDoS attacks
  • Defend against every OWASP Top 10 Vulnerability
  • Prevent suspicious requests from known threats
  • Implement Zero-Day Defence within hours of first disclosure

Powered by CloudFlare and AWS WAF

We use a secondary 256-Bit SSL certificate to ensure end-to-end encryption.

Secondary SSL

To ensure complete end-to-end encryption, we use a secondary SSL certificate in between our WAF and our own servers. At this point, requests are also digitally signed so that nobody can circumvent our firewall.

Web and API requests are served by our industrial datacenters around the world.

Infrastructure and Data Centers

99.9% Historical Uptime

We outsource our infrastructure for data storage, content delivery (CDN), email delivery, and more. Our infrastructure providers are all industry leaders, and their facilities feature:

  • 24/7/365 On-Site Security
  • SSAE16 or ISO 27001 Compliance
  • Biometric Scans and CCTV Surveillance
  • Multifactor Response Team On-Call 24/7

Powered by AWS and DigitalOcean

Application Software

Our unique authentication system evaluates dozens of factors to determine whether a given login should be accepted.

Ultra-Secure Logins

Multifactor utilizes a one-of-a-kind intelligent login system that evaluates dozens of factors (such as IP address, geolocation, browser, OS, etc.) to calculate a confidence score for each attempted login. If there's any doubt that a login is legitimate, we use this same intelligence to present the most appropriate challenges until we're 100% confident that it's you.

Secure Development Process:

Our developers are trained in OWASP and CSA best practices to ensure our code is secure.

1. Development

Our developers share our commitment to security. We require that all of our developers have at least basic cybersecurity training (OWASP and CSA).

Our software is quality-assurance tested by software tools which scan every line of code.

2. Quality Assurance

Every line of code is analyzed by a custom suite of both internal and third-party security tools. A manual review is then performed by our security team before publication.

We hire third-party security professionals to penetration test our code.

3. Penetration Testing

In addition to continuous internal testing, we hire external penetration testing firms several times per year. We also have an ongoing bug bounty program.

Multifactor's software was written with security best practices in mind.

You can pay for Multifactor with PayPal, American Express, Visa, MasterCard, Discover, or Bitcoin.

Payment Processing

We use Braintree, a PayPal company, to process our credit card transactions via Both Braintree and Recurly are highly trusted and fully PCI-Compliant organizations. Sensitive credit card data is never stored on our own servers, and we are certified to be in compliance with the SAQ-A-EP standard.

Your 2FA codes are encrypted and stored in a secure SQL database.

Data Storage


Data used for authentication, including passwords and PIN codes, is hashed and salted before being stored in our database. We use a version of the Blowfish algorithm that allows for variable hash strength, allowing us to continually increase the strength of our hashes to stay ahead of increasing brute-force speeds.
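The following added example (not Multifactor's code) shows how a variable-strength hash can be strengthened over time: each record stores its own work factor, and a successful login re-hashes the secret at the current target. The Blowfish-based hash is not in Python's standard library, so PBKDF2-HMAC-SHA256 stands in for it here; the record format, cost values and function names are assumptions.

```python
import hashlib
import hmac
import os

TARGET_COST = 14   # assumed current policy: 2**14 iterations
MAX_COST = 20      # refuse records that would burn excessive CPU


def hash_secret(secret: str, cost: int = TARGET_COST) -> str:
    """Return 'cost$salt_hex$digest_hex' using a fresh random 16-byte salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 2 ** cost)
    return f"{cost}${salt.hex()}${digest.hex()}"


def stored_cost(stored: str) -> int:
    """Work factor embedded in a stored record."""
    return int(stored.split("$", 1)[0])


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute with the record's own cost and salt; compare in constant time."""
    try:
        cost_s, salt_hex, digest_hex = stored.split("$")
        cost = int(cost_s)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False                      # malformed record never authenticates
    if not 1 <= cost <= MAX_COST:
        return False                      # tampered or absurd work factor
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 2 ** cost)
    return hmac.compare_digest(digest, expected)


# Verified for unknown users so response time does not reveal which accounts exist.
_DUMMY = hash_secret("no-such-user")


def login(db: dict, user: str, secret: str, target_cost: int = TARGET_COST) -> bool:
    """Verify the secret, then re-hash at target_cost if the record is weaker."""
    stored = db.get(user)
    if stored is None:
        verify_secret(secret, _DUMMY)
        return False
    if not verify_secret(secret, stored):
        return False
    if stored_cost(stored) < target_cost:
        db[user] = hash_secret(secret, target_cost)  # plaintext is only available now
    return True
```

Records for accounts that never log in again stay at their old cost, so an upgrade policy also needs a plan for dormant accounts, such as forcing a reset.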

Encryption at Rest

We use an encrypted data structure that ties every piece of data to a specific user account. That means that nobody — not even our own employees — can decrypt and read data under someone else's account.

Each virtual phone is encrypted with its own unique key. Multifactor users can only decrypt and access their own dedicated phones.

Virtual Phones

Every Multifactor customer gets a dedicated virtual phone, hosted in its own virtualized environment and completely isolated from the virtual phones of every other customer. Each virtual phone is individually encrypted and can only be accessed via its corresponding Multifactor account. That means that when your virtual phone receives an SMS message, only the Multifactor account that the virtual phone is tied to can access the phone's contents and decrypt the message.

Phone Network

Multifactor has partnered directly with a US cellphone carrier (a CLEC), which means that our virtual phones are connected to the national cell phone network just like a mobile phone. Our CLEC is an FCC-registered phone carrier and as such is held to the same security standards as any other US cellular service provider (including NIST SP 800-13).

Multifactor's virtual phones are wired directly into the national and international phone networks to quickly receive 2FA codes.

Multifactor's Infrastructure, Your Accounts

Sign up for free to instantly enjoy the benefits of Multifactor's secure infrastructure defending your accounts. If you're still using your cell phone for 2FA, you're doing it wrong.