How Multi-Factor Authentication Works in Salesforce ?

MFA requires users to prove they’re who they say they
are by providing two or more pieces of evidence – or
factors – when they log in.
One factor is something the user knows, such as
their username and password combination. Other
factors are verification methods that the user has,
such as an authenticator app or security key.
By tying user access to multiple, different types
of factors, it’s much harder for a bad actor to
gain entry to your Salesforce environment. Even
if a user’s password is stolen, the odds are very
low that an attacker can guess or impersonate a
factor that a user physically possesses.