Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.6.4. Multifactor Authentication (MFA)

💡 First Principle: MFA requires two or more different types of authentication factors. Recall from Phase 1: something you know, something you have, something you are, and somewhere you are. MFA defeats credential theft because an attacker who steals your password still can't log in without your physical token or biometric.

MFA implementations:
  • Hardware token — a physical device (YubiKey, RSA SecurID) that generates one-time codes or serves as a FIDO2 authentication device. Most phishing-resistant.
  • Software token / Authenticator app — an app (Google Authenticator, Microsoft Authenticator) that generates time-based one-time passwords (TOTP). More convenient than hardware tokens, but vulnerable to sophisticated phishing.
  • SMS/phone-based — one-time codes sent via text message or voice call. Least secure MFA method due to SIM swapping, SS7 attacks, and social engineering of carriers. Better than no MFA, but worse than other methods.
  • Push notification — user receives a push to their registered device and approves/denies the login. Vulnerable to MFA fatigue attacks (bombarding the user with push requests until they approve one out of frustration). Modern implementations add number matching — the user must enter a number displayed on the login screen into their authenticator app, defeating fatigue attacks because the attacker doesn't see the number.
  • Biometrics — fingerprint, facial recognition, iris scan. Something you are. Convenient but cannot be changed if compromised (you can't get new fingerprints). Biometric data requires especially careful storage — if a password database is breached, you change passwords; if biometric templates are breached, the factor is permanently compromised.

Passwordless authentication — replaces passwords entirely with stronger factors (biometrics + device certificate, FIDO2 hardware key). Eliminates the weakest factor (passwords) from the equation.

āš ļø Exam Trap: Two passwords is NOT MFA — both are "something you know" (same factor category). A password + security question is also not MFA. True MFA requires different factor categories: password (know) + token (have), or fingerprint (are) + PIN (know).

Written by Alvin Varughese, Founder • 15 professional certifications