Authentication Factors and MFA Traps
Key Takeaways
- MFA is strongest when factors come from different categories: something you know, have, are, or do, or somewhere you are.
- A password plus a PIN is not true MFA because both are knowledge factors.
- Push-based MFA can be abused by fatigue attacks, so number matching and phishing-resistant authenticators matter.
- Biometrics are convenient identifiers but require fallback, privacy protection, and anti-spoofing controls.
- Risk-based authentication adjusts requirements based on context such as device, location, behavior, and sensitivity.
Authentication proves an identity claim. Security+ questions often include two credentials and ask whether they are actually different factor types.
| Factor category | Meaning | Examples |
|---|---|---|
| Something you know | Secret remembered by the subject | Password, passphrase, PIN |
| Something you have | Physical or logical authenticator held by the subject | Smart card, hardware security key, authenticator app, OTP token |
| Something you are | Biometric trait | Fingerprint, face, iris |
| Something you do | Behavioral pattern | Typing rhythm, gesture pattern |
| Somewhere you are | Location signal | Managed office network, geolocation, impossible travel check |
MFA Quality Ladder
| Method | Strength note | Main trap |
|---|---|---|
| Password only | Single factor | Credential theft gives access |
| Password plus PIN | Still one factor type | Both are something you know |
| Password plus SMS code | Better than password alone | SIM swap, interception, phishing risk |
| Password plus app push | Common and usable | Push fatigue or accidental approval |
| Password plus TOTP app | Better resistance to random push approval | Still phishable on fake login pages |
| FIDO2/WebAuthn security key | Strong phishing resistance | Requires enrollment and recovery planning |
| Smart card with PIN | Strong when private key remains on card | Card loss and PIN handling need controls |
Trap Callout: Two Steps Are Not Always MFA
Two prompts do not automatically mean multifactor authentication. A password, a security question, and a PIN are all knowledge factors. A password plus a smart card is MFA. A password plus a fingerprint is MFA. A smart card plus a hardware key are two possession factors, so together they still count as one factor category, not two.
MFA Attack Clues
| Scenario clue | Likely issue | Better control |
|---|---|---|
| User receives repeated push prompts late at night | MFA fatigue | Number matching, rate limiting, user reporting |
| User enters code into fake portal | Phishing of OTP | FIDO2/WebAuthn or certificate-based auth |
| Attacker ports victim phone number | SIM swap | Avoid SMS for high-risk access |
| Login from two countries within minutes | Impossible travel | Risk-based challenge or block |
| New unmanaged laptop accesses payroll | Device posture risk | Conditional access and device compliance |
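The first and fourth rows of the table above (MFA fatigue and impossible travel) can be turned into detection logic. The following is an added example, not part of the original page: it parses a handful of constructed authentication log lines, flags push bursts and physically implausible travel, and maps each finding to the "better control" column. The log format, field names, thresholds, and the `SAMPLE_LOG` contents are my own assumptions.

```python
# Added example: run two "attack clue" checks over constructed auth log lines.
# Log format, thresholds and sample data are assumptions, not any product's schema.
import math
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data). One event per line, key=value fields.
SAMPLE_LOG = """\
2024-05-02T02:11:04Z user=alice event=push_sent ip=203.0.113.9
2024-05-02T02:11:40Z user=alice event=push_denied ip=203.0.113.9
2024-05-02T02:12:15Z user=alice event=push_sent ip=203.0.113.9
2024-05-02T02:13:02Z user=alice event=push_sent ip=203.0.113.9
2024-05-02T02:14:30Z user=alice event=push_sent ip=203.0.113.9
2024-05-02T02:14:51Z user=alice event=push_approved ip=203.0.113.9
2024-05-02T08:00:00Z user=bob event=login_ok ip=198.51.100.4 lat=51.51 lon=-0.13
2024-05-02T08:25:00Z user=bob event=login_ok ip=192.0.2.77 lat=40.71 lon=-74.01
2024-05-02T09:00:00Z user=carol event=push_sent ip=198.51.100.8
2024-05-02T09:00:20Z user=carol event=push_approved ip=198.51.100.8
"""

PUSH_BURST_THRESHOLD = 3           # assumed: this many prompts in one window is a burst
PUSH_WINDOW = timedelta(minutes=10)
MAX_PLAUSIBLE_SPEED_KMH = 900.0    # assumed: faster than an airliner is "impossible"


def parse_line(line):
    """Parse 'timestamp k=v k=v ...' into a dict; lat/lon become floats."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = float(value) if key in ("lat", "lon") else value
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_push_fatigue(records):
    """Flag users who get >= PUSH_BURST_THRESHOLD prompts inside PUSH_WINDOW.
    Also record whether a prompt in that window was approved (the worse outcome)."""
    by_user = defaultdict(list)
    for r in records:
        if r["event"].startswith("push_"):
            by_user[r["user"]].append(r)
    findings = []
    for user, events in by_user.items():
        sent = sorted(e["ts"] for e in events if e["event"] == "push_sent")
        for i, start in enumerate(sent):
            burst = [t for t in sent[i:] if t - start <= PUSH_WINDOW]
            if len(burst) >= PUSH_BURST_THRESHOLD:
                approved = any(e["event"] == "push_approved"
                               and start <= e["ts"] <= start + PUSH_WINDOW for e in events)
                findings.append({"user": user, "issue": "mfa_fatigue",
                                 "prompts": len(burst), "approved": approved})
                break  # one finding per user is enough here
    return findings


def detect_impossible_travel(records):
    """Flag consecutive successful logins that imply implausible travel speed."""
    by_user = defaultdict(list)
    for r in records:
        if r["event"] == "login_ok" and "lat" in r and "lon" in r:
            by_user[r["user"]].append(r)
    findings = []
    for user, logins in by_user.items():
        logins.sort(key=lambda r: r["ts"])
        for prev, cur in zip(logins, logins[1:]):
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours if hours > 0 else float("inf")
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                findings.append({"user": user, "issue": "impossible_travel",
                                 "km": round(km), "minutes": round(hours * 60),
                                 "speed_kmh": round(speed)})
    return findings


def recommend(finding):
    """Map a finding to the page's 'better control' for that clue."""
    return {
        "mfa_fatigue": "number matching, rate limiting, user reporting of unsolicited prompts",
        "impossible_travel": "risk-based step-up challenge or block",
    }[finding["issue"]]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for f in detect_push_fatigue(recs) + detect_impossible_travel(recs):
        print(f, "->", recommend(f))
```

The fatigue check deliberately reports whether an approval landed inside the burst: a burst that was denied is a warning, while a burst that ended in an approval is an incident that warrants session revocation and a reset through the verified workflow described below.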
Scenario Walkthrough
A help desk technician receives a call from a person claiming to be a locked-out executive. The caller knows the executive's employee ID and asks for MFA reset. The best response is not to trust the caller's knowledge. Use an approved identity verification and reset workflow, require manager or out-of-band approval if policy says so, and log the reset. MFA reset is a high-risk identity event.
Quick Drill
| Combination | Is it MFA? | Why |
|---|---|---|
| Password plus PIN | No | Two knowledge factors |
| Password plus TOTP app | Yes | Knowledge plus possession |
| Smart card plus fingerprint | Yes | Possession plus biometric |
| Password plus security question | No | Two knowledge factors |
| FIDO2 key with user verification | Yes | Possession plus local verification, often phishing resistant |
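The factor table, the trap callout, and the quick drill above all apply one rule: count distinct factor categories, not prompts. The following is an added example, not from the original page, that encodes that rule and checks every drill row with it. The method labels and the `FACTOR_OF` mapping are my own assumptions based on the page's examples; the FIDO2 row is modelled as a hardware key whose user verification is a PIN or fingerprint checked locally by the authenticator.

```python
# Added example: classify authentication methods by factor category and decide
# whether a combination is true MFA (two or more distinct categories).
# Method labels and the mapping are assumptions drawn from the page's table.
from collections import Counter

FACTOR_OF = {
    # something you know
    "password": "know",
    "passphrase": "know",
    "pin": "know",
    "security question": "know",
    # something you have
    "smart card": "have",
    "hardware key": "have",        # FIDO2/WebAuthn security key
    "authenticator app": "have",   # TOTP or push app
    "otp token": "have",
    "sms code": "have",            # possession, but weak: SIM swap and interception
    # something you are
    "fingerprint": "are",
    "face": "are",
    "iris": "are",
    # something you do
    "typing rhythm": "do",
    # somewhere you are
    "managed network": "where",
    "geolocation": "where",
}


def categories(methods):
    """Return the set of distinct factor categories; reject unknown labels."""
    unknown = [m for m in methods if m not in FACTOR_OF]
    if unknown:
        raise ValueError(f"unclassified method(s): {unknown}")
    return {FACTOR_OF[m] for m in methods}


def is_mfa(methods):
    """True only when the methods span at least two different categories."""
    return len(categories(methods)) >= 2


def explain(methods):
    """Human-readable verdict in the style of the drill's 'Why' column."""
    counts = Counter(FACTOR_OF[m] for m in methods if m in FACTOR_OF)
    cats = sorted(counts)
    if not cats:
        return "not MFA: no recognised factor"
    if len(cats) >= 2:
        return "MFA: " + " + ".join(cats)
    return f"not MFA: {counts[cats[0]]} x '{cats[0]}' factor(s)"


# The page's quick drill, expressed as inputs plus the expected verdict.
DRILL = [
    (["password", "pin"], False),
    (["password", "authenticator app"], True),
    (["smart card", "fingerprint"], True),
    (["password", "security question"], False),
    (["hardware key", "pin"], True),          # FIDO2 key with user verification
    (["smart card", "hardware key"], False),  # trap callout: two possessions
]


def run_drill(drill=DRILL):
    """Return the number of drill rows whose verdict matches the expected answer."""
    return sum(1 for methods, expected in drill if is_mfa(methods) == expected)


if __name__ == "__main__":
    for methods, _ in DRILL:
        print(" + ".join(methods), "->", explain(methods))
    print(f"{run_drill()}/{len(DRILL)} drill rows match")
```

Note that `sms code` is classed as possession here, which is why password plus SMS passes the two-category test; the quality ladder above still ranks it near the bottom because the possession is easy to steal, and a category check alone says nothing about phishing resistance.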
A login requires a password and a four-digit PIN. How should this be classified?
Employees are approving unexpected push notifications because attackers repeatedly trigger MFA prompts until someone accepts. Which mitigation best addresses this?
Which methods are generally stronger against phishing than one-time codes typed into a web page? Choose two.