9.2 MFA, Password Policy, SSO, and Federation
Key Takeaways
- MFA is stronger when it combines different factor categories, such as something you know and something you have.
- Common authentication factors are knowledge, possession, inherence, location, and behavior.
- Password policy should reduce predictable passwords while supporting usability and secure recovery.
- Single sign-on lets users authenticate once and access multiple systems through a trusted identity provider.
- Federation allows one organization or identity provider to assert identity information to another system using trust relationships.
MFA, Password Policy, SSO, and Federation
Key Concepts
Authentication strength depends on both the proof used and the way the process is operated. A password alone is a single knowledge factor. If the password is reused, guessed, phished, or stolen from another site, the attacker may be able to sign in. Multi-factor authentication, or MFA, reduces that risk by requiring proof from more than one factor category.
The classic factor categories are something you know, something you have, and something you are. Something you know includes a password, passphrase, or PIN. Something you have includes a hardware security key, smart card, mobile authenticator app, or one-time password token. Something you are includes biometrics such as a fingerprint or face recognition. Some programs also discuss somewhere you are, such as location, and something you do, such as typing pattern or behavior. For the exam, remember that two passwords are not true MFA because they are both knowledge factors.
Not all MFA methods provide the same resistance to attack. A hardware security key or phishing-resistant authenticator is generally stronger than SMS codes because SMS can be affected by SIM swap, interception, or social engineering. Push approval is convenient, but users can be trained or tricked into approving unexpected prompts. A practical beginner rule is: require MFA for remote access, privileged access, financial systems, email, and identity administration, then tune the method to the risk.
Password policy should improve security without creating predictable workarounds. Extremely frequent forced password changes can lead users to choose patterns such as Spring2026! and Summer2026!. Better policy emphasizes adequate length, blocking known compromised passwords, preventing reuse, protecting reset workflows, and using MFA. A passphrase can be easier to remember and harder to guess than a short complex password. Password managers help users create unique passwords for different services.
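The contrast drawn above can be made concrete. The following is an added example, not code from the page or from any product it mentions: a complexity-only rule of the kind that accepts Spring2026! sits beside a policy built on length, a breached-password blocklist, rejection of word+year patterns, and reuse prevention against a salted password history. The breached list, the usernames, and the candidate passwords are constructed for the example; a real deployment would query a corpus such as the Have I Been Pwned range API instead of an inline set.

```python
"""Added example: a complexity-only password rule beside a policy built on length,
a breached-password blocklist, pattern rejection, and reuse prevention."""
import hashlib
import hmac
import os
import re

# Constructed stand-in for a breached-password corpus, keyed by upper-case SHA-1 the way
# the public Have I Been Pwned list is distributed. These are not real breach data.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password1!", "Spring2026!", "Welcome123!", "Summer2025!")
}

# Word + year + punctuation patterns that pass complexity rules but are guessed first.
PREDICTABLE = re.compile(
    r"^(spring|summer|autumn|fall|winter|welcome|password|qwerty)\d{0,4}[!@#$%^&*]*$",
    re.IGNORECASE,
)

PBKDF2_ROUNDS = 100_000


def complexity_only_policy(password):
    """Legacy rule: at least 8 characters and all four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    return len(password) >= 8 and all(re.search(c, password) for c in classes)


def hash_for_history(password, salt=None):
    """Salted PBKDF2 hash for the user's password history, so old passwords are
    never stored in clear. Returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def was_used_before(password, history):
    """Constant-time comparison against every stored (salt, digest) pair."""
    return any(
        hmac.compare_digest(hash_for_history(password, salt)[1], digest)
        for salt, digest in history
    )


def modern_policy(password, username, history, min_length=12):
    """Return the list of violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if PREDICTABLE.match(password):
        problems.append("matches a predictable word+year pattern")
    if hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1:
        problems.append("appears in a breached-password list")
    if was_used_before(password, history):
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    # Constructed history for user "jdoe": one earlier password, stored only as a salted hash.
    history = [hash_for_history("OldPassphrase-2024")]
    for candidate in ("Spring2026!", "Summer2026!", "copper-lantern-quiet-meadow",
                      "OldPassphrase-2024"):
        print(f"{candidate!r}: complexity_only={complexity_only_policy(candidate)}, "
              f"modern={modern_policy(candidate, 'jdoe', history) or 'accepted'}")
```

Running it shows the point of the paragraph: Spring2026! satisfies the complexity rule and fails the modern one three times over, while a four-word lowercase passphrase fails the complexity rule and is accepted by the modern one. Forced rotation is absent on purpose; the history check is what stops a user from cycling back to a previous password.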
Single sign-on, or SSO, lets users authenticate once through a central identity provider and then access multiple applications. The benefit is not merely convenience. Centralized authentication makes it easier to enforce MFA, disable access when someone leaves, apply conditional access rules, and monitor sign-in behavior. Without SSO, every application may have its own local account, password policy, and offboarding process.
Federation extends trust across systems or organizations. In a federated model, an application (the service provider) trusts an identity provider to authenticate the user and send identity information, often called claims or assertions. For example, an employee may sign in through the company's identity provider and then access a cloud application without a separate password stored by that application. Common federation technologies include SAML, OAuth 2.0, and OpenID Connect at a beginner awareness level; strictly, OAuth 2.0 is an authorization framework and OpenID Connect is the authentication layer built on top of it. You do not need deep protocol detail for CC, but you should know that federation depends on trust relationships (the application is configured to accept assertions only from a specific identity provider, and only assertions addressed to itself) and on the identity information exchanged.
Exam Application
Consider a company that moves payroll to a cloud provider. A weak approach creates local payroll accounts and asks employees to remember another password. A stronger approach integrates the payroll application with the company's identity provider, requires MFA, maps payroll roles to job duties, and disables access automatically when employment ends. The payroll vendor relies on the identity provider for authentication, while the payroll application still makes authorization decisions about what the user can do inside payroll.
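The payroll scenario above and the federation paragraph before it can be traced in code. What follows is an added example written for this section, not the page's own code and not any vendor's implementation: an identity provider authenticates a user and issues a signed assertion carrying claims (issuer, audience, subject, expiry, groups, and the authentication methods used); the payroll application verifies the assertion against its configured trust relationship and only then maps groups to payroll roles. Signatures use HMAC-SHA256 with a key shared between the two parties so the example stays in the Python standard library; SAML and OpenID Connect use public-key signatures instead, but the checks the service provider performs (signature, issuer, audience, expiry, required authentication strength) are the same in spirit. The IdP URL, user directory, group names, and signing key are constructed for the example.

```python
"""Added example: minimal federated sign-in between an identity provider (IdP) and a
payroll application acting as service provider (SP). HMAC-signed assertions stand in
for SAML/OIDC signatures; the SP-side checks are the ones that matter."""
import base64
import hashlib
import hmac
import json
import time


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Authenticates users and issues assertions to registered service providers."""

    def __init__(self, issuer, signing_key, directory):
        self.issuer = issuer
        self.key = signing_key
        self.directory = directory      # username -> {"active": bool, "groups": [...]}
        self.audiences = set()          # SPs this IdP has a trust relationship with

    def register_sp(self, audience):
        self.audiences.add(audience)

    def issue(self, username, audience, amr, ttl=300):
        """amr lists the authentication methods used, e.g. ["pwd", "mfa"]."""
        user = self.directory.get(username)
        if user is None or not user["active"]:
            raise PermissionError("unknown or disabled user")   # offboarding takes effect here
        if audience not in self.audiences:
            raise PermissionError("no trust relationship with that service provider")
        now = int(time.time())
        claims = {"iss": self.issuer, "aud": audience, "sub": username,
                  "iat": now, "exp": now + ttl, "groups": user["groups"], "amr": amr}
        payload = b64url(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.key, payload.encode(), hashlib.sha256).digest()
        return f"{payload}.{b64url(sig)}"


class PayrollApp:
    """SP: relies on the IdP for authentication, makes its own authorization decision."""

    ROLE_FOR_GROUP = {"hr-payroll-admins": "payroll_admin", "employees": "self_service"}

    def __init__(self, audience, trusted_issuer, idp_key):
        self.audience = audience
        self.trusted_issuer = trusted_issuer
        self.idp_key = idp_key

    def verify(self, assertion):
        payload, _, sig = assertion.partition(".")
        expected = hmac.new(self.idp_key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            raise PermissionError("signature does not verify")      # tampered or forged
        claims = json.loads(b64url_decode(payload))
        if claims["iss"] != self.trusted_issuer:
            raise PermissionError("untrusted issuer")
        if claims["aud"] != self.audience:
            raise PermissionError("assertion was issued for a different application")
        if claims["exp"] <= time.time():
            raise PermissionError("assertion expired")
        if "mfa" not in claims["amr"]:
            raise PermissionError("payroll requires an MFA sign-in")
        return claims

    def authorize(self, assertion):
        """Map IdP groups to payroll roles; groups payroll does not know grant nothing."""
        claims = self.verify(assertion)
        roles = sorted({self.ROLE_FOR_GROUP[g] for g in claims["groups"]
                        if g in self.ROLE_FOR_GROUP})
        return claims["sub"], roles


def forge_groups(assertion, groups):
    """Attacker attempt: rewrite the groups claim but keep the original signature."""
    payload, _, sig = assertion.partition(".")
    claims = json.loads(b64url_decode(payload))
    claims["groups"] = groups
    return b64url(json.dumps(claims, sort_keys=True).encode()) + "." + sig


def rejection_reason(action):
    """Run a sign-in step; return its PermissionError message, or None if it succeeded."""
    try:
        action()
        return None
    except PermissionError as err:
        return str(err)


# Constructed setup: one IdP, two registered SPs, a demo signing key.
IDP_KEY = b"constructed-demo-signing-key"
idp = IdentityProvider("https://idp.example.com", IDP_KEY, {
    "alice": {"active": True, "groups": ["employees", "hr-payroll-admins"]},
    "carol": {"active": True, "groups": ["employees", "engineering"]},
    "bob":   {"active": False, "groups": ["employees"]},       # has left the company
})
idp.register_sp("payroll-app")
idp.register_sp("wiki-app")
payroll = PayrollApp("payroll-app", "https://idp.example.com", IDP_KEY)

if __name__ == "__main__":
    print(payroll.authorize(idp.issue("alice", "payroll-app", ["pwd", "mfa"])))
    print(rejection_reason(lambda: payroll.verify(idp.issue("alice", "wiki-app", ["pwd", "mfa"]))))
    print(rejection_reason(lambda: idp.issue("bob", "payroll-app", ["pwd", "mfa"])))
```

Two design points match the paragraph. The payroll app never sees a password; it sees a signed statement from the provider it trusts, and the audience check means an assertion meant for the wiki cannot be replayed at payroll even though the same provider signed it. Disabling bob at the identity provider ends his access to every federated application at once, which is the offboarding benefit attributed to SSO above, and carol's engineering group maps to nothing in payroll because authorization inside the application stays the application's decision.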
For exam scenarios, identify the problem. If users have too many passwords and inconsistent enforcement, SSO may be the best answer. If an organization needs to trust identities from another provider, think federation. If a password alone is too weak for the risk, think MFA. If users choose weak or reused passwords, think password policy, password managers, monitoring, and MFA together.
High-Yield Checkpoints
- MFA is stronger when it combines different factor categories, such as something you know and something you have.
- Common authentication factors are knowledge, possession, inherence, location, and behavior.
- Password policy should reduce predictable passwords while supporting usability and secure recovery.
- Single sign-on lets users authenticate once and access multiple systems through a trusted identity provider.
- Federation allows one organization or identity provider to assert identity information to another system using trust relationships.
Which option is the best example of true MFA?
A company wants employees to use one central login with MFA to access many cloud applications. Which concept best fits?
In federation, what does a service provider typically rely on from an identity provider?