Authentication is the process of proving one's identity, whether the party authenticating is a user or a device. This establishes trust between communicating parties.
Authentication allows users and devices to identify themselves to systems before gaining access. User authentication might be done with a username and password, or, if the user has a smart card in their possession and knows its PIN, that too could be used to authenticate the user.
After successful authentication, authorization determines which data resources the user can access, based on the permissions the user has been granted. There are a number of authentication factors that can be used, including something you know, something you have, and something you are.
Single-factor authentication uses just one of these authentication factors. For example, authenticating with a username and password is still considered single-factor authentication, despite there being two items, because both are something the user knows.
Another example would be using a building access card. That's still single-factor authentication, because the card is something the user must physically have. Biometric authentication relies on unique attributes of a person, such as a fingerprint scan or a retinal scan. If it's the only method used, it's still single-factor authentication.
Multi-factor authentication employs a variety of these authentication methods. For example, we might need a card in our possession, which is something we have, plus knowledge of a PIN to use the card, which is something we know. This is an example of multi-factor authentication.
The same thing is possible if we're using multiple biometric attributes. Access tokens are often used to authenticate to VPNs. The user must physically have the access token device, which displays a changing numeric code, but often the user must also know a PIN before authenticating to a system.
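The token-plus-PIN check described above can be sketched as follows. This is an added example, not code from the original page; it assumes the token generates its changing code with TOTP (RFC 6238), which the page does not specify, and the names `totp`, `hash_pin`, `verify_login` and the enrolment record are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, the common TOTP default (assumption)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the token's changing numeric code."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_pin(pin: str, salt: bytes) -> bytes:
    """Store only a salted, slow hash of the PIN, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def verify_login(record: dict, pin: str, code: str, now: int) -> bool:
    """Succeed only if BOTH factors check out: PIN (know) and code (have)."""
    pin_ok = hmac.compare_digest(hash_pin(pin, record["salt"]),
                                 record["pin_hash"])
    # Accept the previous, current and next time step to tolerate clock
    # drift; build a list so every comparison runs (no early exit).
    matches = [
        hmac.compare_digest(totp(record["secret"], now + d * STEP).encode(),
                            code.encode())
        for d in (-1, 0, 1)
    ]
    return pin_ok and any(matches)

# Constructed enrolment record; the secret is the published RFC 6238 test key.
SALT = b"constructed-salt"
RECORD = {
    "salt": SALT,
    "pin_hash": hash_pin("4821", SALT),
    "secret": b"12345678901234567890",
}

if __name__ == "__main__":
    now = 59  # RFC 6238 test time
    print("code on token:", totp(RECORD["secret"], now))
    print("PIN + code   :", verify_login(RECORD, "4821", "287082", now))
    print("code only    :", verify_login(RECORD, "0000", "287082", now))
    print("PIN only     :", verify_login(RECORD, "4821", "000000", now))
```

A correct code with the wrong PIN, or the right PIN with a stale code, is rejected: neither factor alone is enough.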
With mobile devices, when we need to authenticate for an app, we often specify our mobile phone number and receive a text message with a code. This often occurs after we've logged into a website with our credentials. So we've got multi-factor authentication: we have authenticated to the website with something we know, and then we've received an additional passcode on something we have, our mobile device.