4.4 Identity & access management
📘CompTIA Security+ (SY0-701)
What is Multi-Factor Authentication (MFA)?
Multi-Factor Authentication (MFA) is a security method that requires two or more verification factors to confirm a user’s identity before granting access to a system, network, or application.
The main goal of MFA is to make it harder for attackers to gain access, even if they know the user’s password.
Why MFA is Important
Passwords alone are not enough because:
- Users often reuse or choose weak passwords.
- Attackers can steal or guess them through phishing or brute-force attacks.
By requiring an extra step (like a code, fingerprint, or key), MFA adds another layer of protection to verify that the person logging in is legitimate.
🔑 MFA Factors (Types of Authentication Factors)
Each authentication factor falls into a specific category (factor type).
To count as MFA, the factors must come from different categories; two factors of the same type (for example a password and a PIN) do not make MFA.
Here are the main authentication factors used in MFA:
1. Knowledge Factor – “Something You Know”
This is information the user knows, which only they should be aware of.
Examples:
- Passwords
- PINs (Personal Identification Numbers)
- Security questions (e.g., “What was your first school?”)
- Passphrases
Weakness:
If someone discovers or steals this information (through phishing or social engineering), they can impersonate the user.
Exam Tip:
Knowledge factors alone = Single-Factor Authentication (SFA), even when several are combined (password + security question is still one factor type).
Adding a factor from a different category (something you have or something you are) = MFA.
2. Possession Factor – “Something You Have”
This factor requires the user to physically possess a device or object.
Examples:
- Hardware tokens – Small devices that display a temporary code (one-time password).
- Software tokens – Apps (like an authenticator app) that generate verification codes.
- Smart cards – Physical cards (often with embedded chips) used for secure access.
- Security keys – USB or NFC devices (like YubiKey) that verify identity.
- Mobile devices – Used to receive SMS or app-based verification codes. SMS codes are the weakest option in this group: they can be intercepted through SIM swapping or typed into a phishing page, whereas an app-generated code never crosses the phone network.
Exam Tip:
If a user must use a phone, token, or key to log in, that’s a possession factor.
3. Inherence Factor – “Something You Are”
This factor uses unique biological or behavioral traits of the user.
Examples (Biometrics):
- Fingerprint scanning
- Facial recognition
- Iris or retina scans
- Voice recognition
- Hand geometry
Advantages:
- Cannot be forgotten, shared, or written down, and cannot be phished the way a password can.
- Provides a strong form of authentication when combined with another factor type.
Disadvantages:
- Can be costly to implement.
- May raise privacy concerns (biometric data is sensitive personal data).
- Cannot be changed or reissued if the stored template is compromised, unlike a password or token.
Exam Tip:
Anything involving physical characteristics = inherence factor.
4. Location Factor – “Somewhere You Are”
This factor verifies the geographical location of the user at login.
Examples:
- Logging in from a specific country or region (based on IP address).
- Access only allowed from the company’s physical office network.
- Using GPS data from a mobile device to verify login location.
Exam Tip:
Used in context-aware authentication, which adapts access based on location and other factors (like time).
5. Time and Behavior – Contextual Attributes (not a separate factor category)
Some systems allow or restrict access based on the time of day or on the user's usual behavior patterns.
Examples:
- Only allowing logins during business hours.
- Blocking or challenging logins at unusual times or from unusual patterns (a new device, or "impossible travel" between two logins).
Time is not one of the SY0-701 factor categories (know, have, are, somewhere you are); it appears on the exam as an attribute of adaptive or risk-based authentication and of account policies such as time-of-day restrictions, so it cannot serve as a second factor on its own.
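Location and time work as signals that change how much proof a login must provide, not as stand-alone factors. The following Python policy evaluator is an added example, not code from the original notes: for a constructed login attempt it returns `allow` (no extra prompt), `step_up` (demand a possession or inherence factor) or `deny`, using office network ranges, an allowed-country list, business hours and an impossible-travel check against the previous successful login. The network ranges, country codes, hours and the `LoginAttempt`/`Decision` names are assumptions made up for this example, and the office time zone is taken to be UTC.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Policy inputs, constructed for this example; a real deployment reads them from the IdP.
OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("10.10.0.0/16")]
ALLOWED_COUNTRIES = {"US", "CA", "DE"}
BUSINESS_HOURS = (8, 18)                  # office-local hours, [start, end), office assumed to be UTC
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=2)


@dataclass
class LoginAttempt:
    user: str
    source_ip: str
    country: str                          # from a GeoIP lookup of source_ip, or device GPS on mobile
    at: datetime
    known_device: bool                    # device cookie or certificate seen on a previous success


@dataclass
class Decision:
    outcome: str                          # "allow" | "step_up" | "deny"
    reasons: List[str]


def evaluate(attempt: LoginAttempt, last_success: Optional[LoginAttempt]) -> Decision:
    reasons: List[str] = []
    ip = ipaddress.ip_address(attempt.source_ip)
    on_office_network = any(ip in net for net in OFFICE_NETWORKS)
    in_business_hours = BUSINESS_HOURS[0] <= attempt.at.hour < BUSINESS_HOURS[1]

    # Hard denies first: location policy, then an impossible-travel pattern against the last login.
    if attempt.country not in ALLOWED_COUNTRIES:
        reasons.append(f"country {attempt.country} not allowed")
    if (last_success is not None
            and last_success.country != attempt.country
            and attempt.at - last_success.at < IMPOSSIBLE_TRAVEL_WINDOW):
        reasons.append(f"impossible travel {last_success.country}->{attempt.country} "
                       f"within {IMPOSSIBLE_TRAVEL_WINDOW}")
    if reasons:
        return Decision("deny", reasons)

    # Low risk: trusted network, normal hours, previously seen device -> no additional prompt.
    if on_office_network and in_business_hours and attempt.known_device:
        return Decision("allow", ["office network", "business hours", "known device"])

    # Anything else must present a second factor type before access is granted.
    if not on_office_network:
        reasons.append("outside office network")
    if not in_business_hours:
        reasons.append("outside business hours")
    if not attempt.known_device:
        reasons.append("unrecognised device")
    return Decision("step_up", reasons)


def sample_run() -> dict:
    """Constructed attempts for one user: office, evening from home, abroad, and impossible travel."""
    t0 = datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc)
    office = LoginAttempt("alice", "203.0.113.25", "US", t0, True)
    home = LoginAttempt("alice", "198.51.100.7", "US", t0 + timedelta(hours=12), True)
    abroad = LoginAttempt("alice", "192.0.2.9", "BR", t0 + timedelta(days=1), False)
    travel = LoginAttempt("alice", "192.0.2.9", "DE", t0 + timedelta(minutes=30), True)
    return {
        "office": evaluate(office, None),
        "home_evening": evaluate(home, office),
        "abroad": evaluate(abroad, office),
        "impossible_travel": evaluate(travel, office),
    }


if __name__ == "__main__":
    for name, decision in sample_run().items():
        print(f"{name:18} {decision.outcome:8} {', '.join(decision.reasons)}")
```

Note that the `allow` branch still follows a successful primary sign-in; the context only decides whether to skip the step-up prompt, and a spoofed IP or GPS position alone should never unlock an account.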
🔐 Common MFA Methods
| MFA Method | Description | Factor(s) |
|---|---|---|
| Password + Token | User enters password and a one-time code from an app | Knowledge + Possession |
| Smart Card + PIN | User inserts smart card and enters a PIN | Possession + Knowledge |
| Fingerprint + Password | User enters password and scans fingerprint | Knowledge + Inherence |
| Password + Security Key | User enters password and connects USB key | Knowledge + Possession |
🧠 Understanding MFA Components (Exam Key Points)
Biometrics
- Use unique biological traits for authentication.
- Considered an inherence factor.
- Must balance accuracy (false acceptance/rejection rates) and user convenience.
Tokens
- Can be hardware or software.
- Generate or deliver one-time passcodes (OTPs).
- Example: Authenticator apps, SMS codes, or physical tokens.
Security Keys
- Physical devices (usually USB or NFC) used for authentication.
- Follow standards like FIDO2/WebAuthn or its predecessor U2F (Universal 2nd Factor).
- Provide strong resistance against phishing and replay attacks: the key answers a fresh server challenge with a signature over data that includes the site's origin, using a key pair scoped to that site, so an assertion produced on a look-alike phishing domain is rejected by the real site and a captured assertion cannot be reused.
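To make the phishing resistance of a security key concrete, the following Python is an added example, not code from the original notes and not a real FIDO2 library: it walks through the WebAuthn assertion flow in which the relying party issues a fresh challenge, the browser records the origin it actually saw in the client data, and the authenticator signs only with a credential scoped to the relying-party ID. The asymmetric signature of a real key is replaced by an HMAC over the same data so the script runs with the standard library alone; the origin, challenge and replay checks are the ones a real relying party performs. The `SecurityKey` and `RelyingParty` classes and the domain names are invented for the example.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Optional


class SecurityKey:
    """Authenticator side: one credential per relying-party ID, created at registration."""

    def __init__(self) -> None:
        self._credentials: Dict[str, bytes] = {}   # rp_id -> credential secret (private key in FIDO2)

    def register(self, rp_id: str) -> bytes:
        secret = os.urandom(32)
        self._credentials[rp_id] = secret
        return secret                              # handed to the RP as the verification key

    def sign_assertion(self, rp_id: str, challenge: bytes, origin: str) -> Optional[dict]:
        # The browser supplies the origin it observed; the web page cannot forge it.
        # Without a credential for this rp_id nothing is signed at all.
        secret = self._credentials.get(rp_id)
        if secret is None:
            return None
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
            sort_keys=True,
        ).encode()
        tag = hmac.new(secret, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return {"client_data": client_data, "signature": tag}


class RelyingParty:
    """Server side: fresh challenge per login; checks origin, challenge and signature."""

    def __init__(self, rp_id: str) -> None:
        self.rp_id = rp_id
        self.expected_origin = f"https://{rp_id}"
        self.credentials: Dict[str, bytes] = {}    # user -> verification key
        self.pending: Dict[str, bytes] = {}        # user -> outstanding challenge

    def enroll(self, user: str, key: SecurityKey) -> None:
        self.credentials[user] = key.register(self.rp_id)

    def begin_login(self, user: str) -> bytes:
        self.pending[user] = os.urandom(32)        # unpredictable and single-use
        return self.pending[user]

    def finish_login(self, user: str, assertion: Optional[dict]) -> bool:
        challenge = self.pending.pop(user, None)   # consumed on first use; a replay finds nothing
        if assertion is None or challenge is None or user not in self.credentials:
            return False
        data = json.loads(assertion["client_data"])
        if data.get("type") != "webauthn.get" or data.get("origin") != self.expected_origin:
            return False                           # signed on another site: phishing relay
        if not hmac.compare_digest(bytes.fromhex(data["challenge"]), challenge):
            return False                           # stale or attacker-chosen challenge
        expected = hmac.new(self.credentials[user],
                            hashlib.sha256(assertion["client_data"]).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def run_scenarios() -> dict:
    """Constructed walkthrough: genuine login, phishing relay, wrong origin, and replay."""
    key, rp = SecurityKey(), RelyingParty("login.example.com")
    rp.enroll("alice", key)

    # 1. Genuine login on https://login.example.com
    ch = rp.begin_login("alice")
    genuine = key.sign_assertion("login.example.com", ch, "https://login.example.com")
    genuine_ok = rp.finish_login("alice", genuine)

    # 2. Phishing: a page at https://login-example.evil relays the real challenge. The browser
    #    scopes the request to the attacker's rp_id, for which the key holds no credential.
    ch = rp.begin_login("alice")
    phished = key.sign_assertion("login-example.evil", ch, "https://login-example.evil")
    phish_ok = rp.finish_login("alice", phished)

    # 3. Even if the real credential were used, the browser recorded the attacker's origin.
    ch = rp.begin_login("alice")
    wrong_origin = key.sign_assertion("login.example.com", ch, "https://login-example.evil")
    wrong_origin_ok = rp.finish_login("alice", wrong_origin)

    # 4. Replay: the captured genuine assertion is presented again after its challenge was spent.
    replay_ok = rp.finish_login("alice", genuine)

    return {"genuine": genuine_ok, "phish": phish_ok,
            "wrong_origin": wrong_origin_ok, "replay": replay_ok}


if __name__ == "__main__":
    print(run_scenarios())
```

Compare this with the TOTP case: a one-time code is just a number the user can be tricked into typing on any page, while the security key's answer is bound to the challenge and origin, so the relying party, not the user, decides whether the site was genuine.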
⚙️ MFA Implementation in IT Environments
In real IT systems, MFA can be applied to:
- Corporate networks – Users authenticate with smart cards or tokens.
- Cloud services – MFA required for admin accounts (e.g., Microsoft 365, AWS).
- VPNs – MFA adds an extra layer before connecting to internal resources.
- Remote access – MFA prevents unauthorized logins from outside the company.
MFA ensures identity verification before granting access to sensitive systems, reducing the risk of account compromise.
📋 Exam Tips & Key Terms Summary
| Term | Meaning |
|---|---|
| MFA | Authentication using two or more different factor types. |
| Biometric Authentication | Uses physical traits (inherence factor). |
| Token | Physical or digital object that generates or stores access codes. |
| Security Key | Hardware device used for strong authentication (FIDO2/U2F). |
| Knowledge Factor | Something the user knows (password, PIN). |
| Possession Factor | Something the user has (token, phone, key). |
| Inherence Factor | Something the user is (fingerprint, face). |
| Location Factor | Somewhere the user is (IP, GPS, network). |
🏁 Summary
Multi-Factor Authentication (MFA) strengthens security by requiring users to prove their identity using multiple independent factors.
Each factor type—knowledge, possession, inherence, and location—adds a new layer of protection, making it much harder for attackers to impersonate a legitimate user.
For the CompTIA Security+ SY0-701 exam, remember:
- MFA = Two or more different factor types.
- Know which factor category each method belongs to.
- Understand examples of biometrics, tokens, and security keys.
- Recognize how MFA is implemented in real IT environments (VPN, cloud, admin logins).
