ELI5: What is Multi-Factor Authentication?
A password is like a house key — if someone copies it, they can walk right in. Multi-factor authentication adds extra checks, like also needing your fingerprint or a special code sent to your phone. So even if a bad guy steals your password, they still cannot get in because they do not have the other pieces. It is like needing both a key and a secret handshake to open the door.
Overview
Multi-Factor Authentication (MFA) requires users to present two or more verification factors from different categories to gain access. MFA significantly reduces the risk of unauthorized access even when one factor (such as a password) is compromised. It is one of the most frequently tested topics on the Security+ exam.
Key Concepts
- Something you know: Passwords, PINs, security questions
- Something you have: Smart cards, hardware tokens (YubiKey), mobile authenticator apps, OTP devices
- Something you are: Biometrics — fingerprint, facial recognition, iris scan, voice recognition
- Something you do: Behavioral biometrics such as typing patterns or gait analysis (less common on exam)
- Somewhere you are: Geolocation or IP-based restrictions (sometimes considered a factor)
- TOTP (Time-based One-Time Password): Algorithm that generates codes valid for a short time window (e.g., Google Authenticator)
- HOTP (HMAC-based One-Time Password): Counter-based OTP that remains valid until used
- Push notifications: Authentication apps send approve/deny prompts to registered devices
- Passwordless authentication: FIDO2/WebAuthn uses public key cryptography to eliminate passwords entirely
- MFA fatigue attacks: Attackers bombard users with push notifications hoping they approve one
- Biometric types: Retinal scan (blood vessel pattern), iris scan (colored ring pattern), facial recognition, voice recognition, gait analysis (walking pattern), vein/vascular pattern
- FAR (False Acceptance Rate): Probability of incorrectly accepting an unauthorized user (Type II error)
- FRR (False Rejection Rate): Probability of incorrectly rejecting an authorized user (Type I error)
- CER (Crossover Error Rate): Point where FAR equals FRR; lower CER indicates more accurate biometric system
Exam Tips
Remember
Two passwords = NOT MFA (same factor category). MFA requires factors from DIFFERENT categories. A password + PIN = single factor (both “something you know”). A password + fingerprint = true MFA.
- Know the difference between MFA and two-factor authentication (2FA is a subset of MFA)
- Biometric errors: FAR (False Acceptance Rate) vs. FRR (False Rejection Rate) — CER (Crossover Error Rate) is the balance point
- SMS-based OTP is considered weaker due to SIM swapping and SS7 vulnerabilities
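To make the FAR/FRR/CER relationship concrete, here is an added Python example (not from the study guide) that sweeps a decision threshold over constructed genuine and impostor match scores, computes FAR and FRR at each threshold, locates the crossover point, and picks the threshold that meets a FAR ceiling for a high-security setting. The score lists are made up for illustration; real systems derive them from enrolment and test data.

```python
# Constructed similarity scores (0-100) from a hypothetical biometric matcher.
# Higher score means "more like the enrolled template".
GENUINE_SCORES = [90, 85, 88, 72, 95, 60, 80, 91, 77, 83]   # legitimate users
IMPOSTOR_SCORES = [20, 35, 50, 62, 41, 30, 55, 68, 45, 25]  # unauthorized attempts
THRESHOLDS = list(range(0, 101, 5))


def error_rates(genuine, impostor, threshold):
    """FAR = impostors accepted (score >= threshold) / impostors  -> Type II error.
       FRR = genuine users rejected (score < threshold) / genuine -> Type I error."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) for every candidate threshold."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def crossover(genuine, impostor, thresholds):
    """Threshold where FAR and FRR are closest, and the CER at that point.
    Lower CER means a more accurate matcher overall."""
    t, far, frr = min(sweep(genuine, impostor, thresholds), key=lambda r: abs(r[1] - r[2]))
    return t, (far + frr) / 2


def threshold_for_max_far(genuine, impostor, thresholds, max_far):
    """High-security tuning: the lowest threshold whose FAR is within the ceiling,
    together with the FRR cost that choice imposes on legitimate users."""
    for t, far, frr in sweep(genuine, impostor, thresholds):
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    print(" thr   FAR   FRR")
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS):
        print(f"{t:4d}  {far:.2f}  {frr:.2f}")
    print("crossover (threshold, CER):", crossover(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS))
    print("vault tuning, FAR must be 0:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS, 0.0))
```

Raising the threshold drives FAR toward zero while FRR climbs, which is the trade-off behind the "prioritize minimizing FAR" answer for a vault: the bank accepts more false rejections of staff in exchange for never admitting an impostor in the sample.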
Connections
- Strengthens identity-management by adding layers beyond password-only authentication
- Essential component of sso to protect the single point of authentication
- Mitigates password-attacks — even if credentials are stolen, a second factor is needed
- Key control in privileged-access-management for protecting high-risk accounts
Practice Questions
Q-Bank: Multi-Factor Authentication (4 Questions)
Q1. An organization requires employees to enter a password and a four-digit PIN to access the corporate VPN. A security consultant reviews this setup and identifies a weakness. What is the PRIMARY issue?
A. The PIN should be at least eight digits long
B. Both factors are “something you know,” so this is not true multi-factor authentication
C. The VPN should use biometric authentication exclusively
D. Passwords and PINs should never be used together
Answer: B. Both factors are “something you know,” so this is not true multi-factor authentication
True MFA requires factors from DIFFERENT categories. A password and a PIN are both something-you-know factors, making this single-factor authentication with two instances. Option A addresses PIN strength but does not fix the single-factor problem. Option C is impractical for VPN access and eliminates other valid factor types. Option D is incorrect — passwords and PINs can be used together if combined with a factor from a different category.
Q2. An employee reports receiving dozens of push notification authentication requests on their phone at 2 AM, even though they are not trying to log in. An attacker has obtained the employee’s password and is attempting to gain access. What type of attack is this?
A. SIM swapping
B. MFA fatigue attack
C. Credential stuffing
D. Keylogging
Answer: B. MFA fatigue attack
mfa-fatigue-attacks involve attackers repeatedly triggering push notifications, hoping the user will accidentally or frustratedly approve one to stop the notifications. Option A involves convincing a carrier to transfer a phone number, not bombarding with push requests. Option C is testing stolen credentials across multiple sites, not targeting push notifications. Option D captures keystrokes, which is how the password was likely obtained initially but is not the current attack.
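The scenario in Q2 is exactly what an identity-provider log shows during an MFA fatigue attack: a burst of push challenges for one user, mostly denied or timed out, sometimes followed by an approval. The Python below is an added detection example (not from the study guide) that runs a sliding-window count over constructed push-challenge log lines and raises two findings: a burst of prompts, and an approval that arrives while a burst is active. The log format, field names and thresholds are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (not from any real product): one push-challenge event per line.
SAMPLE_LOG = """\
2024-05-01T02:00:05Z user=alice event=push_sent src=203.0.113.9
2024-05-01T02:00:41Z user=alice event=push_denied src=203.0.113.9
2024-05-01T02:00:52Z user=alice event=push_sent src=203.0.113.9
2024-05-01T02:01:30Z user=alice event=push_timeout src=203.0.113.9
2024-05-01T02:01:35Z user=alice event=push_sent src=203.0.113.9
2024-05-01T02:02:10Z user=alice event=push_sent src=203.0.113.9
2024-05-01T02:02:48Z user=alice event=push_sent src=203.0.113.9
2024-05-01T02:03:01Z user=alice event=push_approved src=203.0.113.9
2024-05-01T09:15:00Z user=bob event=push_sent src=198.51.100.20
2024-05-01T09:15:09Z user=bob event=push_approved src=198.51.100.20
"""


def parse_line(line):
    """'<ISO timestamp> key=value ...' -> (aware datetime, dict of fields)."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, fields


def detect_push_bombing(log_text, max_prompts=3, window_seconds=300):
    """Return findings as (user, severity, detail).
    'burst': more than max_prompts push_sent events for one user inside the window.
    'approved_after_burst': an approval while that user's burst is still active,
    i.e. the fatigue attack may have succeeded and warrants session revocation."""
    recent = defaultdict(deque)   # user -> timestamps of push_sent events within the window
    burst_open = set()            # users currently in a burst
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        user, event = f["user"], f["event"]
        q = recent[user]
        while q and (ts - q[0]).total_seconds() > window_seconds:   # slide the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) > max_prompts and user not in burst_open:
                burst_open.add(user)
                findings.append((user, "burst",
                                 f"{len(q)} push prompts within {window_seconds}s ending {ts.isoformat()}"))
        elif event == "push_approved":
            if user in burst_open:
                findings.append((user, "approved_after_burst",
                                 f"approval at {ts.isoformat()} from {f.get('src')}"))
            burst_open.discard(user)   # an approval ends the episode either way
            q.clear()
        # push_denied / push_timeout leave the window untouched: they are the attack's noise
    return findings


if __name__ == "__main__":
    for user, severity, detail in detect_push_bombing(SAMPLE_LOG):
        print(f"[{severity}] {user}: {detail}")
```

The denied and timed-out prompts are deliberately not counted as "good news": a string of denials is the signature of the attack, and the control that actually stops it is number matching or a prompt cap on the identity provider, with this detection as the alerting layer behind it.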
Q3. A bank is evaluating biometric authentication for its high-security vault access. The security team is concerned about unauthorized individuals being falsely accepted. Which metric should they prioritize minimizing?
A. False Rejection Rate (FRR)
B. Crossover Error Rate (CER)
C. False Acceptance Rate (FAR)
D. Token expiration time
Answer: C. False Acceptance Rate (FAR)
For high-security environments, minimizing the FAR (False Acceptance Rate) is critical because it measures how often unauthorized users are incorrectly granted access. Option A (FRR) measures how often legitimate users are rejected — annoying but not a security breach. Option B (CER) is the balance point between FAR and FRR, not a tuning target for maximum security. Option D relates to token-based authentication, not biometrics.
Q4. An organization is deploying FIDO2/WebAuthn security keys to replace passwords for employee authentication. Which category BEST describes this approach?
A. Single-factor biometric authentication
B. Passwordless authentication using public key cryptography
C. Knowledge-based authentication
D. Time-based one-time password authentication
Answer: B. Passwordless authentication using public key cryptography
WebAuthn uses public key cryptography to eliminate passwords entirely — the private key stays on the device while only the public key is shared with the service. Option A describes biometrics alone, which may be a component but not the full description. Option C describes passwords, PINs, and security questions — the opposite of passwordless. Option D describes TOTP, which is a different mechanism.
Scenario
See case-mfa for a practical DevOps scenario applying these concepts.