What does “MFA” mean?

Abstract

Multi-factor authentication (MFA) is widely recommended as a measure to improve security. Yet the security that it provides varies dramatically from system to system. Misunderstandings of the security properties offered by any particular MFA system may lead people to engage in dangerous behavior that they otherwise wouldn’t engage in. We have observed that some users believe MFA makes it safe for them to handle secrets on a compromised computer as long as some other authentication factor remains uncompromised. Another risk is that the use of MFA may lead people to use weaker encryption passwords, thereby strengthening a less crucial part of their security (authentication) while weakening a far more important component. The benefits of offering MFA must be weighed against the potential security damage that may result from behaviors that MFA usage might encourage. Either MFA’s security properties need to be communicated effectively to users, or its actual security properties need to be brought into line with users’ expectations.

Publication
PasswordsCon