The Three Authentication Factors
Authentication factors are categories of proof that verify your identity: something you know (a password or PIN), something you have (a phone, smart card or hardware token) and something you are (a fingerprint or face scan). MFA works because compromising one factor category does not compromise another: a stolen password doesn't give an attacker your fingerprint, and stealing your phone doesn't reveal your password.
MFA Types — TOTP, HOTP, Push, and Hardware Tokens
| Type | How It Works | Strength | Exam Key Point |
|---|---|---|---|
| TOTP | Time-based one-time password: a 6-digit code derived with HMAC from a shared secret and the current 30-second time step (RFC 6238). Google Authenticator, Authy. | Strong | A code is valid only for its 30-second window (plus whatever clock skew the server tolerates), so a captured code cannot be replayed later; a code relayed by a phishing page within the window still works, so TOTP is not phishing-resistant |
| HOTP | HMAC-based one-time password: the code is derived from the shared secret and a counter that increments with each use (RFC 4226). OATH event-based hardware tokens and YubiKey's OATH-HOTP mode. | Moderate | Counter-based, not time-based: an unused code stays valid until a later code is consumed, and the server needs a look-ahead window to resync a token whose counter has drifted |
| Push Notification | The app on your phone receives a push asking "Approve this login?" and you tap Approve or Deny. Microsoft Authenticator, Duo. | Strong | Vulnerable to MFA fatigue (push bombing) unless number matching is enforced; the push carries no secret, so it cannot be intercepted, only mis-approved |
| Hardware Token | Physical device (YubiKey, RSA SecurID, OATH tokens) that either displays a code the user types in or authenticates directly over USB/NFC with a key that never leaves the device. | Strong to Very Strong | Only the USB/NFC mode (FIDO2/U2F) is phishing-resistant; a code read off a display and typed in can be relayed by a phishing page just like TOTP. The exam's "most phishing-resistant" answer is the FIDO2-capable token, not the code display |
| SMS OTP | One-time code sent by text message. Weakest MFA option: susceptible to SIM swapping, telecom (SS7) interception, malware that reads messages, and being typed into a phishing page; NIST SP 800-63B classes it as a restricted authenticator. | Weak | Better than no MFA, but the weakest option on exam questions |
| FIDO2 / Passkeys | Cryptographic key pair: the private key stays on the device, the server stores the public key, and each login signs a fresh server challenge that the browser binds to the site's origin. No password or code is ever transmitted. WebAuthn (browser API) plus CTAP (device protocol). | Strongest | Phishing-resistant by design: no shared secret to steal, and a signature made on a fake domain is not valid for the real one |
FIDO2 and Passkeys — the Future of Authentication
FIDO2 (Fast IDentity Online 2) is the authentication standard behind passkeys; it pairs the W3C WebAuthn browser API with the CTAP protocol that talks to the authenticator. Instead of transmitting a password or OTP code, FIDO2 uses public-key cryptography: your device holds a private key that never leaves it, and the server holds the corresponding public key, registered once when the credential is created. When you authenticate, the server sends a fresh random challenge, your device signs it with the private key, and the server verifies the signature with the public key. Nothing that crosses the wire can be stolen and replayed: the private key never leaves the device, and a signature is only valid for the one challenge it was issued for.
This makes FIDO2 inherently phishing-resistant. Even if an attacker tricks you into visiting a fake login page, there is no password or code to capture, and the signature is bound to the site: the browser writes the origin it is actually connected to into the signed client data, and the authenticator only signs for a relying-party ID that matches that origin. A signature produced on a look-alike domain therefore fails verification at the real site, and the browser will not even offer the credential registered for the real domain while you are on the fake one. The exam doesn't test FIDO2 implementation details deeply, but you should know it's the most phishing-resistant authentication method available.
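Worked example, added here and not code from the original page or from any FIDO2 implementation: a stripped-down model of the WebAuthn assertion ceremony in Go with real P-256 signatures. The authenticator signs `authenticatorData || SHA-256(clientDataJSON)` exactly as WebAuthn specifies, and the relying party performs the checks that give the scheme its properties: a single-use challenge (defeats replay), the origin and RP ID hash (defeat phishing) and the signature itself. The domain names `login.example` and `evil.example`, the user-present flag and the zeroed signature counter are constructed for illustration; a real RP also looks up the credential by ID, checks the user-verified flag and the monotonic signature counter, and carries everything as base64url.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData mirrors WebAuthn's clientDataJSON; the browser, not the page, sets Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Authenticator struct{ priv *ecdsa.PrivateKey } // the private key never leaves the device

// signedDigest is what both sides hash: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Assert returns authenticatorData, clientDataJSON and a signature over both, so the
// rpID hash and the origin the browser observed are covered by the signature.
func (a *Authenticator) Assert(rpID, origin, challenge string) (authData, cd, sig []byte) {
	cd, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01, 0, 0, 0, 0) // flags: user present; signCount zeroed here
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cd))
	if err != nil {
		panic(err)
	}
	return authData, cd, sig
}

// RelyingParty holds only the public key and the challenges it has issued but not yet seen used.
type RelyingParty struct {
	RPID, Origin string
	pub          *ecdsa.PublicKey
	challenges   map[string]bool
}

func (rp *RelyingParty) Challenge() string {
	b := make([]byte, 16)
	rand.Read(b)
	c := fmt.Sprintf("%x", b)
	rp.challenges[c] = true
	return c
}

// Verify applies the checks that defeat phishing (origin, rpIdHash) and replay (one-shot challenge).
func (rp *RelyingParty) Verify(authData, cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil || cd.Type != "webauthn.get" {
		return fmt.Errorf("malformed client data")
	}
	if !rp.challenges[cd.Challenge] {
		return fmt.Errorf("unknown or already used challenge (replay)")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: assertion was made for %s", cd.Origin)
	}
	want := sha256.Sum256([]byte(rp.RPID))
	if len(authData) < 37 || string(authData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedDigest(authData, cdJSON), sig) {
		return fmt.Errorf("bad signature")
	}
	delete(rp.challenges, cd.Challenge) // consumed: resubmitting this assertion now fails
	return nil
}

// Scenario reports whether the RP accepts a genuine login, a replay of it, and a
// login attempted from a phishing site that relayed a real challenge.
func Scenario() (genuine, replay, phished bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	auth := &Authenticator{priv: key}
	rp := &RelyingParty{RPID: "login.example", Origin: "https://login.example",
		pub: &key.PublicKey, challenges: map[string]bool{}}
	ad, cd, sig := auth.Assert("login.example", "https://login.example", rp.Challenge())
	genuine = rp.Verify(ad, cd, sig) == nil
	replay = rp.Verify(ad, cd, sig) == nil
	// On evil.example the browser reports that origin and only permits an rpID that
	// matches it, so nothing the attacker relays can validate at login.example.
	ad, cd, sig = auth.Assert("evil.example", "https://evil.example", rp.Challenge())
	phished = rp.Verify(ad, cd, sig) == nil
	return
}

func main() {
	g, r, p := Scenario()
	fmt.Printf("genuine=%v replay=%v phished=%v\n", g, r, p)
}
```

Running it prints `genuine=true replay=false phished=false`. The contrast with TOTP is the last case: the attacker's relay does obtain a perfectly valid signature from the user's device, but the signed data names the origin the user was actually on, so the real site rejects it without the user having to notice anything.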
MFA Fatigue Attacks — Push Bombing
MFA fatigue (push bombing) is an attack where an adversary who has stolen valid credentials repeatedly sends MFA push notifications to the victim's phone, hoping the victim approves one out of frustration, confusion, or distraction. The Uber breach in 2022 succeeded largely through MFA fatigue — the attacker sent continuous Duo pushes until the victim approved one.
Mitigations: number matching (the push displays a number that the user must read off the login screen and enter, which prevents blind approval; Microsoft Authenticator enforces it by default), showing the requesting application and approximate location in the prompt, rate limiting pushes and locking the account after repeated denials, alerting the SOC on a burst of denied or unanswered prompts (it means the password is already compromised and should be reset), phishing-resistant MFA (FIDO2 or hardware tokens, which eliminate push prompts entirely), and user awareness training that says to deny and report any prompt you did not initiate.
Smart Cards and PIV
Smart cards combine something you have (the physical card with an embedded chip) and something you know (the PIN that unlocks the chip), so a single card-plus-PIN logon is already two-factor. The chip holds X.509 certificates and their private keys, which never leave the card; logon is a signed challenge-response much like FIDO2, so a card cannot be cloned from a captured logon. The US government's PIV (Personal Identity Verification) card, specified in FIPS 201, is a smart card standard used for physical and logical access to federal facilities and systems. CAC (Common Access Card) is the DoD's PIV implementation. Smart cards appear on Security+ because they show up in enterprise and government access control scenarios: the exam expects you to know that a smart card requires a PIN to activate, making it two-factor by itself.
MFA requires factors from different categories. A password plus a security question is not MFA: both are knowledge factors. A password plus an authenticator app code is MFA: knowledge plus possession. A vendor's "two-step verification" is MFA only if the second step is a different factor category. The exam will test this distinction with answer choices designed to trip up candidates who confuse "two steps" with "two factors."
Where MFA Fits in Zero Trust and IAM
MFA is a foundational control in Zero Trust architecture: "never trust, always verify" means every authentication attempt must be verified with strong factors regardless of network location, so users inside the corporate network must complete MFA too. Zero Trust policies add context to that decision: if a user's location, device posture or access pattern is unusual, step-up authentication can require a stronger second factor or re-authentication (conditional access in Microsoft Entra ID is a common example). MFA also directly satisfies compliance requirements: PCI DSS v4.0 requires MFA for all access into the cardholder data environment (not only remote access) and for all non-console administrative access, and HIPAA guidance recommends MFA for systems storing PHI.