Authentication Methods and MFA
What the Exam Is Really Testing
The single most common mistake candidates make on authentication questions is treating two knowledge factors as MFA. A password and a PIN feel like two layers of security, but they are both "something you know", and the exam is specifically designed to test whether you fall for that.
Passwords alone are no longer considered sufficient. True multi-factor authentication requires factors from different categories, and that distinction between categories, not between credentials, is what the exam checks.
Beyond factor categories, expect questions about biometric trade-offs (especially CER), FIDO2/WebAuthn as phishing-resistant authentication, and why SMS-based codes are the weakest widely-used MFA method.
Authentication Factor Categories
Authentication factors fall into distinct categories. True MFA requires factors from at least two different categories.
Something You Know (Knowledge)
- Passwords and passphrases
- PINs
- Security questions
- Pattern locks
Weaknesses: can be guessed, phished, cracked, or shared. Knowledge factors are the most commonly compromised.
Something You Have (Possession)
- Smart cards and CAC cards
- Hardware security keys (YubiKey, FIDO2)
- Software tokens (authenticator apps)
- One-time password devices
- Mobile phone (for SMS codes or push notifications)
Strengths: physical possession is harder to steal remotely. Weaknesses: can be lost, stolen, or cloned (SIM swapping for SMS).
Something You Are (Biometric)
- Fingerprint
- Facial recognition
- Iris/retina scan
- Voice recognition
- Palm vein pattern
Strengths: difficult to replicate, always with you. Weaknesses: cannot be changed if compromised, false acceptance/rejection rates, cultural and privacy concerns.
Something You Do (Behavioral)
- Typing rhythm (keystroke dynamics)
- Gait analysis
- Mouse movement patterns
- Signature dynamics
Somewhere You Are (Location)
- GPS location
- IP address geolocation
- Network proximity (connected to corporate Wi-Fi)
For the exam: MFA = factors from different categories. A password + PIN is NOT MFA (both are knowledge). A password + fingerprint IS MFA (knowledge + biometric).
MFA Implementations
TOTP (Time-Based One-Time Password)
Generates a code that changes every 30 seconds based on a shared secret and the current time. Used by authenticator apps (Google Authenticator, Microsoft Authenticator, Authy).
- Does not require network connectivity to generate codes
- More secure than SMS because the code is generated on the device rather than delivered over the carrier network, where SMS can be intercepted
- Vulnerable to phishing if the user enters the code on a fake site
HOTP (HMAC-Based One-Time Password)
Generates codes based on a counter rather than time. Each code is valid until used, then the counter increments.
- Codes do not expire until used
- Risk: if counter desynchronizes between token and server, authentication fails
- Less common than TOTP in modern implementations
Push Notifications
The authentication server sends a prompt to the user's registered mobile device. The user approves or denies the login with a single tap.
- More convenient than typing codes
- Vulnerable to push fatigue attacks (MFA bombing) where attackers send repeated prompts until the user approves one
- Modern implementations add number matching (user must enter a specific number shown on the login screen)
SMS-Based Codes
A one-time code sent via text message to the user's phone number.
- Convenient and widely supported
- Considered the weakest MFA method
- Vulnerable to SIM swapping, SS7 interception, and social engineering at mobile carriers
- NIST has deprecated SMS as a primary MFA method for high-security environments
Passwordless Authentication
FIDO2 and WebAuthn
FIDO2 is an authentication standard that eliminates passwords entirely. It uses public-key cryptography:
- The user registers a security key or biometric with the service
- A unique key pair is generated (private key stays on the device, public key goes to the server)
- During authentication, the device proves possession of the private key without transmitting it
WebAuthn is the web API that enables FIDO2 in browsers. Benefits include:
- Phishing resistant (keys are bound to the specific website domain)
- No shared secrets that can be stolen from the server
- No passwords to guess, crack, or reuse
- Supported by all major browsers and platforms
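Below is an added Go example, not from the original guide or from any WebAuthn library, that models the three parties in a WebAuthn assertion: the authenticator (security key), the browser, and the relying party (the website's server). It simplifies the real data formats: authenticatorData is reduced to SHA-256(rpID) plus one flags byte, clientDataJSON to its challenge and origin fields, and the browser's domain check to an exact match. The relying party bank.example, the look-alike bank-login.example, the fixed challenge strings and all type and function names are constructed for the example. What it keeps faithful is the structure that makes the first bullet true: the browser, not the page, decides which credential may be used and records the real origin; the key signs over that origin; and the server verifies both that the signature comes from the registered public key and that the user was on the genuine site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData: the clientDataJSON fields used here. The browser, not the page, fills in origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what navigator.credentials.get() returns. AuthData is modelled as
// SHA-256(rpID) plus a flags byte; Signature covers AuthData || SHA-256(ClientDataJSON).
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// Authenticator models a security key: one P-256 key pair per relying party ID (rpID).
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// BrowserGet models the browser's half of the ceremony: it uses a credential only when the
// rpID is the page's own domain (real browsers also allow a parent domain), records the origin
// it is actually showing, and asks the key to sign. The private key never leaves the key.
func (a *Authenticator) BrowserGet(origin, rpID, challenge string) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok || origin != "https://"+rpID {
		return nil, fmt.Errorf("browser refused: no credential for rpID %q usable on %q", rpID, origin)
	}
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // flags: user present
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{authData, cd, sig}, nil
}

func signedDigest(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// RelyingParty is the server: its own ID and origin plus the public key it stored.
type RelyingParty struct {
	ID, Origin string
	Pub        *ecdsa.PublicKey
}

// Verify runs the server-side checks WebAuthn requires before an assertion is trusted.
func (rp *RelyingParty) Verify(as *Assertion, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(rp.ID))
	switch {
	case cd.Challenge != expectedChallenge:
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", cd.Origin, rp.Origin)
	case len(as.AuthData) < 32 || string(as.AuthData[:32]) != string(rpHash[:]):
		return fmt.Errorf("rpID hash mismatch")
	case !ecdsa.VerifyASN1(rp.Pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature):
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// Scenarios registers one credential with the constructed bank.example relying party and returns
// the outcomes of a legitimate login, a phishing attempt and a replayed assertion. Challenges are
// fixed strings here; a real server issues a fresh random one per login.
func Scenarios() (legit, phished, replayed error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	rp := &RelyingParty{ID: "bank.example", Origin: "https://bank.example", Pub: &priv.PublicKey}
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{rp.ID: priv}}
	as, err := auth.BrowserGet(rp.Origin, rp.ID, "challenge-1")
	if err != nil {
		return err, nil, nil
	}
	legit = rp.Verify(as, "challenge-1")
	// A look-alike site relays the bank's real rpID and challenge; the browser refuses because
	// the page it is showing is not bank.example, so the key is never touched.
	_, phished = auth.BrowserGet("https://bank-login.example", rp.ID, "challenge-2")
	// The captured assertion is presented again after the server has issued a new challenge.
	replayed = rp.Verify(as, "challenge-3")
	return legit, phished, replayed
}

func main() {
	legit, phished, replayed := Scenarios()
	fmt.Printf("legitimate: %v\nphished: %v\nreplayed: %v\n", legit, phished, replayed)
}
```

The legitimate login verifies, the look-alike site is refused before any cryptography runs, and the replay fails the challenge check. Compare this with TOTP in the previous section: there, a six-digit code typed into a fake page is indistinguishable from one typed into the real one; here, the origin is part of the signed data and the browser will not even use the credential on the wrong domain.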
Smart Cards and Security Keys
- Smart cards — Contain a certificate and private key. Used with a PIN to provide two-factor authentication (something you have + something you know). Common in government (CAC/PIV cards).
- Security keys — USB, NFC, or Bluetooth devices that support FIDO2. Tap or touch to authenticate. No codes to type. Resistant to phishing and man-in-the-middle attacks.
Biometric Considerations
Biometrics involve trade-offs that the exam tests directly:
Error Rates
- FAR (False Acceptance Rate) — The rate at which the system incorrectly accepts an unauthorized person. Higher FAR = less secure.
- FRR (False Rejection Rate) — The rate at which the system incorrectly rejects an authorized person. Higher FRR = less usable.
- CER (Crossover Error Rate) — The point where FAR and FRR are equal. Lower CER = more accurate biometric system. This is the primary metric for comparing biometric systems.
Increasing sensitivity reduces FAR but increases FRR (more secure, less convenient). Decreasing sensitivity reduces FRR but increases FAR (more convenient, less secure).
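To see how FAR, FRR and CER all come out of one system's threshold setting, here is an added Go example (not from the original guide) using constructed match scores on a 0 to 100 scale: ten genuine attempts and ten impostor attempts. It sweeps the acceptance threshold, computes both error rates at each setting, and reports the crossover. The scores are invented for illustration and the function names are the example's own.

```go
package main

import (
	"fmt"
	"math"
)

// Constructed match scores on a 0-100 scale (higher = stronger match). Genuine are the
// enrolled user's own attempts, Impostor are other people's. Invented for this example.
var (
	Genuine  = []int{91, 88, 85, 83, 80, 78, 75, 72, 70, 66}
	Impostor = []int{30, 35, 40, 45, 50, 55, 60, 65, 68, 73}
)

// Rates returns FAR and FRR for an "accept if score >= threshold" decision rule.
// FAR: impostors wrongly accepted. FRR: genuine users wrongly rejected.
func Rates(genuine, impostor []int, threshold int) (far, frr float64) {
	accepted, rejected := 0, 0
	for _, s := range impostor {
		if s >= threshold {
			accepted++
		}
	}
	for _, s := range genuine {
		if s < threshold {
			rejected++
		}
	}
	return float64(accepted) / float64(len(impostor)), float64(rejected) / float64(len(genuine))
}

// Crossover sweeps every threshold and returns the first one where FAR and FRR are closest,
// together with the error rate there (the CER). Lower CER means a more accurate system.
func Crossover(genuine, impostor []int) (threshold int, cer float64) {
	best := math.Inf(1)
	for t := 0; t <= 100; t++ {
		far, frr := Rates(genuine, impostor, t)
		if gap := math.Abs(far - frr); gap < best {
			best, threshold, cer = gap, t, (far+frr)/2
		}
	}
	return threshold, cer
}

func main() {
	for _, t := range []int{60, 70, 80} {
		far, frr := Rates(Genuine, Impostor, t)
		fmt.Printf("threshold %d: FAR %.0f%%  FRR %.0f%%\n", t, far*100, frr*100)
	}
	t, cer := Crossover(Genuine, Impostor)
	fmt.Printf("crossover at threshold %d: CER %.0f%%\n", t, cer*100)
}
```

Raising the threshold (the "more sensitive" setting above) drives FAR down and FRR up; lowering it does the reverse. With these scores the two rates meet at 10% around threshold 69, which is the figure a vendor would quote as CER; a system whose genuine and impostor scores overlapped less would cross lower.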
Password Policies
While the industry moves toward passwordless, passwords remain widespread. Effective password policies include:
- Minimum length — 12+ characters preferred over complexity requirements
- Complexity — Mix of character types (but length matters more)
- History — Prevent reuse of previous passwords
- Lockout — Account lockout after failed attempts (protects against brute force)
- Password managers — Generate and store unique, complex passwords for each service. Reduce password reuse risk.
Current guidance (NIST SP 800-63B): prioritize length over complexity, do not force periodic rotation unless compromise is suspected, check passwords against known breached lists.
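The breached-list check in that guidance is usually done without ever sending the password, or even its full hash, to the lookup service: the client hashes locally, sends only a short hash prefix, and compares the returned suffixes itself (the k-anonymity range-query pattern used by Have I Been Pwned). The Go program below is an added example, not from the original guide, that implements a policy with only the two checks the section supports, a 12-character minimum and a breach lookup, and deliberately no composition rules or expiry. The in-memory BreachCorpus and the leaked passwords it contains are constructed for the example, as are all the function names.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode/utf8"
)

// MinLength follows the guide's 12+ characters and NIST SP 800-63B's preference for length
// over composition rules, so there is no "one digit, one symbol" requirement below.
const MinLength = 12

// BreachCorpus stands in for a breached-password service. Such services store SHA-1 hashes
// and answer a 5-hex-character prefix with every matching suffix, so the client never sends
// the password or its full hash. This in-memory version is constructed for the example.
type BreachCorpus struct{ hashes map[string]struct{} }

func NewBreachCorpus(leaked ...string) *BreachCorpus {
	c := &BreachCorpus{hashes: map[string]struct{}{}}
	for _, p := range leaked {
		c.hashes[sha1Hex(p)] = struct{}{}
	}
	return c
}

// Range answers the k-anonymity query: all stored suffixes whose hash starts with prefix.
func (c *BreachCorpus) Range(prefix string) []string {
	var out []string
	for h := range c.hashes {
		if strings.HasPrefix(h, prefix) {
			out = append(out, h[len(prefix):])
		}
	}
	return out
}

func sha1Hex(s string) string {
	sum := sha1.Sum([]byte(s))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// IsBreached runs the client side of the range query: hash locally, send only the first five
// hex characters, and compare the returned suffixes locally.
func IsBreached(password string, svc *BreachCorpus) bool {
	h := sha1Hex(password)
	prefix, suffix := h[:5], h[5:]
	for _, s := range svc.Range(prefix) {
		if s == suffix {
			return true
		}
	}
	return false
}

// Evaluate returns the reasons a candidate password is rejected; an empty result means
// accepted. Per SP 800-63B there is no composition rule and no expiry, only length and breach.
func Evaluate(password string, svc *BreachCorpus) []string {
	var reasons []string
	if utf8.RuneCountInString(password) < MinLength {
		reasons = append(reasons, fmt.Sprintf("shorter than %d characters", MinLength))
	}
	if IsBreached(password, svc) {
		reasons = append(reasons, "appears in a known breach corpus")
	}
	return reasons
}

func main() {
	// Constructed leak list standing in for a real breach corpus.
	svc := NewBreachCorpus("password123", "Summer2024!!", "correcthorsebatterystaple")
	for _, p := range []string{"Summer2024!!", "correcthorsebatterystaple", "Tr0ub4dor&3", "lantern-quiet-orbit-seven"} {
		fmt.Printf("%-28s -> %v\n", p, Evaluate(p, svc))
	}
}
```

Note what the example rejects and accepts: a 12-character password that satisfies every classic complexity rule still fails because it has leaked, an 11-character one fails on length alone, and a long passphrase of plain words passes. That is the reordering of priorities the NIST guidance describes.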
Pattern Recognition
When you see authentication questions, look for these patterns:
- Password + PIN = NOT MFA (both are knowledge factors)
- Password + fingerprint = MFA (knowledge + biometric)
- Phishing-resistant authentication = FIDO2/WebAuthn with security keys
- Weakest MFA method = SMS-based codes
- Comparing biometric systems = look at CER (crossover error rate)
- Push notification abuse = MFA fatigue/bombing attack
- Government smart card requirement = CAC/PIV + PIN
Trap Patterns
Watch for these distractors:
- "Require passwords to change every 30 days" — Current best practice (NIST) discourages forced rotation; it leads to weaker passwords.
- "Password + security question = MFA" — Both are knowledge factors. This is single-factor authentication with two instances.
- "Biometrics cannot be compromised" — Biometrics can be spoofed (fake fingerprints, photos for facial recognition) and cannot be changed if compromised.
- "SMS is sufficient for all MFA needs" — SMS is vulnerable to SIM swapping and interception. It is the weakest widely-used MFA method.
Scenario Practice
Question 1
An organization requires phishing-resistant MFA for accessing its financial systems. Users have been falling for sophisticated phishing pages that capture both passwords and TOTP codes.
What should be implemented?
A. Longer TOTP code validity windows
B. SMS-based codes instead of TOTP
C. FIDO2 security keys with WebAuthn
D. More complex password requirements
Answer & reasoning
Correct: C
FIDO2/WebAuthn security keys are phishing resistant because the cryptographic authentication is bound to the legitimate website domain. Even if a user visits a fake site, the key will not authenticate because the domain does not match.
TOTP codes and SMS codes can both be phished through fake login pages. Longer TOTP windows increase vulnerability. Password complexity does not address phishing.
Question 2
A user authenticates with a password and a PIN. The security team claims this is multi-factor authentication.
Is this correct?
A. Yes, because two different credentials are required
B. Yes, because the PIN adds an additional layer of security
C. No, because both are knowledge factors from the same category
D. No, because PINs are not considered valid authentication
Answer & reasoning
Correct: C
Both passwords and PINs are "something you know" — knowledge factors. True MFA requires factors from at least two different categories (e.g., knowledge + possession, or knowledge + biometric). Two knowledge factors is single-factor authentication with two instances.
Question 3
An organization is comparing two biometric systems for physical access control. System A has a CER of 2% and System B has a CER of 5%.
Which system is more accurate?
A. System B, because a higher CER indicates better precision
B. System A, because a lower CER indicates better overall accuracy
C. Both are equally accurate since CER only measures speed
D. Neither, because CER is not relevant to biometric accuracy
Answer & reasoning
Correct: B
CER (Crossover Error Rate) is the point where the false acceptance rate equals the false rejection rate. A lower CER indicates a more accurate biometric system overall. System A at 2% outperforms System B at 5%.
Key Takeaway
Authentication strength depends on using factors from different categories. The exam tests whether you know the difference between two things you know and two different types of proof.
Count factor categories, not credentials. Check whether the method resists phishing. Consider whether the factor can be remotely stolen. Weigh security against usability. The future is passwordless, and the exam wants you to understand both why and what replaces passwords.