Authentication Factors and MFA Traps
Key Takeaways
- MFA is real only when factors come from different categories: know, have, are, do, or somewhere you are.
- A password plus a PIN is single-factor because both are knowledge; two prompts is not automatically MFA.
- Push MFA is vulnerable to fatigue/bombing attacks, so number matching and phishing-resistant authenticators matter.
- FIDO2/WebAuthn passkeys are phishing-resistant because they bind the credential to the origin and stay on the device.
- Risk-based (adaptive) authentication raises requirements using context: device posture, location, behavior, sensitivity.
The Five Factor Categories
Authentication proves an identity claim. Security+ loves to show you two credentials and ask whether they are genuinely different factor types. Multifactor Authentication (MFA) requires factors from two or more distinct categories.
| Category | Meaning | Examples |
|---|---|---|
| Something you know | A remembered secret | Password, passphrase, PIN, security question |
| Something you have | A physical or logical token you possess | Smart card, hardware security key, authenticator app, OTP token |
| Something you are | A biometric trait | Fingerprint, face, iris, retina |
| Something you do | A behavioral pattern | Typing rhythm, gait, signature dynamics |
| Somewhere you are | A location signal | Managed office network, geolocation, impossible-travel check |
The decisive rule: combining two items from the same category is still single-factor. Password plus PIN plus security question is one factor (knowledge) three times over. Password plus smart card is MFA; password plus fingerprint is MFA.
The MFA Quality Ladder
Not all second factors are equal. The exam wants you to rank them and to recognize their specific attacks.
| Method | Strength note | Main weakness |
|---|---|---|
| Password only | Single factor | Credential theft = full access |
| Password + PIN | Still one factor type | Both are knowledge |
| Password + SMS code | Better than password alone | SIM swap, SS7 interception, phishing |
| Password + app push | Usable and common | Push fatigue / MFA bombing |
| Password + TOTP app | Resists random push approval | Still phishable on a fake login page |
| FIDO2 / WebAuthn key or passkey | Phishing-resistant, origin-bound | Needs enrollment and recovery planning |
| Smart card (PIV) + PIN | Strong; private key stays on card | Card loss and PIN handling need controls |
Time-based One-Time Password (TOTP) codes rotate every 30 seconds but can still be typed into a phishing site. FIDO2/WebAuthn credentials are bound to the legitimate web origin and the private key never leaves the authenticator, which is why they are labeled phishing-resistant and why passkeys are the modern recommendation.
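To make the difference concrete, here is an added Python model (not from the page) of the two relay situations just described: a real RFC 6238 TOTP check beside a simplified WebAuthn assertion check. The origins, seed and credential key are constructed, and an HMAC stands in for the authenticator's asymmetric signature so the example runs on the standard library alone.

```python
import base64, hashlib, hmac, json, struct
# Constructed sample values (not from the page): the RFC 6238 test seed as the
# TOTP secret, and a stand-in per-credential key for the FIDO2 authenticator.
TOTP_SEED = b"12345678901234567890"
CRED_KEY = b"constructed-per-credential-key"
REAL_ORIGIN = "https://login.example.com"
FAKE_ORIGIN = "https://login.examp1e.com"   # look-alike phishing page

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the 30-second time counter."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp_server_accepts(secret: bytes, submitted: str, now: int) -> bool:
    """Server allows one step of clock drift either side, as most deployments do."""
    return any(hmac.compare_digest(totp(secret, now + k), submitted) for k in (-30, 0, 30))

def totp_relay_works(now: int) -> bool:
    """Code typed into the fake portal is forwarded at once; it names no origin, so it passes."""
    return totp_server_accepts(TOTP_SEED, totp(TOTP_SEED, now), now + 5)

def webauthn_assert(origin: str, challenge: bytes) -> dict:
    """Authenticator signs clientDataJSON, where the browser (not the user) records the
    origin it really loaded. HMAC stands in for the per-credential ECDSA/EdDSA signature."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                              "challenge": base64.urlsafe_b64encode(challenge).decode()},
                             sort_keys=True).encode()
    return {"clientDataJSON": client_data,
            "signature": hmac.new(CRED_KEY, client_data, hashlib.sha256).digest()}

def rp_verify(assertion: dict, issued_challenge: bytes) -> bool:
    """Relying party: type, origin and challenge must match before the signature counts."""
    cd = json.loads(assertion["clientDataJSON"])
    if (cd.get("type") != "webauthn.get" or cd.get("origin") != REAL_ORIGIN
            or cd.get("challenge") != base64.urlsafe_b64encode(issued_challenge).decode()):
        return False
    expected = hmac.new(CRED_KEY, assertion["clientDataJSON"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def webauthn_relay_works() -> bool:
    """Attacker relays the real challenge to the victim on the look-alike origin, then
    also tries patching the origin field; neither assertion verifies."""
    challenge = b"constructed-challenge-bytes"
    relayed = webauthn_assert(FAKE_ORIGIN, challenge)       # browser records FAKE_ORIGIN
    patched = dict(relayed, clientDataJSON=relayed["clientDataJSON"].replace(
        FAKE_ORIGIN.encode(), REAL_ORIGIN.encode()))
    return rp_verify(relayed, challenge) or rp_verify(patched, challenge)
```

`totp_relay_works` returns True while `webauthn_relay_works` returns False, which is the whole phishing-resistance argument in two calls.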
Trap Callout: Two Steps Are Not Always MFA
A password, then a security question, then a PIN is three knowledge prompts and one factor. Even a smart card plus a hardware key is two possessions, not two categories. Read for the category, never the number of prompts.
Biometrics and Their Error Rates
Biometrics are convenient but probabilistic, so SY0-701 expects three error terms:
| Term | Meaning | Why it matters |
|---|---|---|
| False Acceptance Rate (FAR) | Wrong person accepted | High FAR is a security failure |
| False Rejection Rate (FRR) | Legitimate person rejected | High FRR is a usability failure |
| Crossover Error Rate (CER) | Point where FAR equals FRR | Lower CER = a better biometric system |
Tuning the sensitivity higher lowers FAR but raises FRR, and vice versa. The CER is the standard quality comparison: between two scanners, the one with the lower CER is generally more accurate. Biometrics are also identifiers you cannot change, so a stolen fingerprint template is permanent. Always pair biometrics with a fallback, anti-spoofing (liveness detection), and privacy protection of stored templates.
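An added example (not from the page) that sweeps the match-score threshold over two constructed scanners' genuine and impostor scores, reports FAR and FRR at any threshold, and locates each scanner's CER so the two can be ranked; the scores are made up for illustration.

```python
# Constructed match scores (not from the page). Higher score = stronger claimed match.
# Scanner A separates genuine from impostor attempts better than scanner B.
SCANNER_A = {"genuine": [0.62, 0.70, 0.74, 0.78, 0.81, 0.85, 0.88, 0.90, 0.93, 0.96],
             "impostor": [0.05, 0.12, 0.18, 0.25, 0.31, 0.38, 0.44, 0.52, 0.60, 0.72]}
SCANNER_B = {"genuine": [0.40, 0.48, 0.55, 0.60, 0.66, 0.72, 0.78, 0.84, 0.90, 0.95],
             "impostor": [0.10, 0.22, 0.33, 0.42, 0.50, 0.58, 0.65, 0.71, 0.80, 0.88]}

def far_frr(scanner: dict, threshold: float) -> tuple:
    """FAR = impostors accepted at this threshold; FRR = genuine users rejected."""
    genuine, impostor = scanner["genuine"], scanner["impostor"]
    far = sum(s >= threshold for s in impostor) / len(impostor)   # wrong person accepted
    frr = sum(s < threshold for s in genuine) / len(genuine)      # right person rejected
    return far, frr

def crossover(scanner: dict, steps: int = 1000) -> tuple:
    """Sweep the threshold from 0 to 1 and return (CER, threshold) where FAR and FRR meet.
    Raising the threshold lowers FAR and raises FRR, so the gap crosses zero once."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = far_frr(scanner, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[2], best[1]

def more_accurate(a: dict, b: dict) -> str:
    """The scanner with the lower CER is the more accurate device."""
    return "A" if crossover(a)[0] < crossover(b)[0] else "B"
```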
Adaptive Authentication, Attack Clues, and a Scenario
Risk-based (adaptive) authentication changes requirements based on context. A login from a managed laptop on the corporate network may pass with one factor, while the same account from a new device in another country triggers a step-up challenge or a block.
| Scenario clue | Likely issue | Better control |
|---|---|---|
| Repeated push prompts late at night | MFA fatigue / bombing | Number matching, rate limiting, user reporting |
| Code typed into a fake portal | OTP phishing | FIDO2/WebAuthn or certificate-based auth |
| Attacker ports the victim's phone number | SIM swap | Avoid SMS for high-risk access |
| Logins from two countries minutes apart | Impossible travel | Risk-based challenge or block |
| New unmanaged laptop reaches payroll | Device posture risk | Conditional access + device compliance |
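An added Python sketch (not the page's or any vendor's policy engine) of the adaptive decision described above and in the clue table: an impossible-travel check on consecutive logins plus a small risk score from device posture, network and application sensitivity. The events, weights and the 900 km/h cutoff are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

@dataclass
class Login:
    when: datetime
    lat: float
    lon: float
    managed_device: bool
    corp_network: bool
    sensitive_app: bool

def km_between(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between the two login locations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(prev: Login, cur: Login, max_kmh: float = 900.0) -> bool:
    """Faster than an airliner between consecutive logins is the impossible-travel clue."""
    hours = max((cur.when - prev.when).total_seconds() / 3600, 1 / 60)  # floor at one minute
    return km_between(prev, cur) / hours > max_kmh

def decide(prev, cur: Login) -> str:
    """Step-up policy; weights and thresholds are assumptions, not a standard."""
    if prev is not None and impossible_travel(prev, cur):
        return "block"                                   # two countries minutes apart
    risk = (0 if cur.managed_device else 2) + (0 if cur.corp_network else 1)
    risk += 1 if cur.sensitive_app else 0                # payroll and similar apps
    # 3+ means an unmanaged device on a risky path: block until it is compliant.
    return "allow" if risk == 0 else "step-up" if risk < 3 else "block"

def _at(hhmm: str) -> datetime:
    return datetime(2024, 5, 6, int(hhmm[:2]), int(hhmm[2:]), tzinfo=timezone.utc)

# Constructed events (not from the page): a London office login, then four follow-ups.
OFFICE = Login(_at("0900"), 51.50, -0.12, True, True, False)
SAMPLES = {
    "managed_on_corp_net": Login(_at("0930"), 51.50, -0.12, True, True, False),
    "managed_remote_payroll": Login(_at("1000"), 51.48, -0.10, True, False, True),
    "unmanaged_remote_payroll": Login(_at("1000"), 51.48, -0.10, False, False, True),
    "new_york_20_minutes_later": Login(_at("0920"), 40.71, -74.01, True, False, False),
}

def demo() -> dict:
    """Decision for each sample login measured against the office login."""
    return {name: decide(OFFICE, login) for name, login in SAMPLES.items()}
```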
Scenario Walkthrough
A help desk tech gets a call from someone claiming to be a locked-out executive who recites the exec's employee ID and demands an MFA reset. Knowledge of an ID is not proof. The correct move is an approved identity-verification and reset workflow with out-of-band or manager approval, and full logging, because MFA reset is a high-risk identity event attackers target directly.
Quick Drill
| Combination | Is it MFA? | Why |
|---|---|---|
| Password + PIN | No | Two knowledge factors |
| Password + TOTP app | Yes | Knowledge + possession |
| Smart card + fingerprint | Yes | Possession + biometric |
| Password + security question | No | Two knowledge factors |
| FIDO2 key with user verification | Yes | Possession + local verification, phishing-resistant |
| Hardware key + smart card | No | Two possessions, one category |
A final exam reminder: passwordless authentication (a passkey or biometric unlocking a device-bound key) can still be multifactor when the local "something you have" device is unlocked by "something you are" or "something you know." Do not assume "no password" means "single factor."
Practice Questions
A login requires a password and a four-digit PIN. How should this be classified?
Employees keep approving unexpected push notifications because an attacker repeatedly triggers MFA prompts until someone taps accept. Which mitigation best addresses this?
Two fingerprint scanners are compared. Which single metric best indicates the more accurate device?
Which methods are generally phishing-resistant compared with a one-time code typed into a web page? Choose two.