Multi-Factor Authentication (MFA)
A security mechanism that requires two or more independent credentials to verify a user's identity, combining factors from different categories: knowledge (passwords, PINs), possession (hardware tokens, smartphones), and inherence (fingerprints, facial recognition). MFA significantly reduces the risk of account compromise — Microsoft reports it blocks over 99.9% of automated attacks. It is required by many compliance frameworks including PCI DSS, HIPAA, and NIST 800-63. MFA implementation is a key topic in Security+, CISSP, and cloud security certifications.
Why It Matters
In practice, MFA is critical because passwords alone are no longer sufficient to protect accounts against credential stuffing, phishing, and brute force attacks. Organizations that fail to enforce MFA on privileged accounts and remote access face dramatically higher rates of account compromise and data breaches. The Colonial Pipeline attack in 2021 was traced to a single compromised VPN account without MFA enabled. Attackers are now using MFA fatigue attacks (push notification bombing) and adversary-in-the-middle proxies to bypass weaker MFA implementations. On certification exams such as Security+, CISSP, and CCSP, expect questions about comparing MFA factor types, evaluating push-based versus FIDO2 hardware keys, and understanding compliance requirements that mandate MFA.
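As an added example, not part of the original page: a defender-side Python detector for the MFA fatigue (push-bombing) pattern mentioned above. The log format, the result names, the threshold and the window are all assumptions; it flags users who receive a burst of unapproved push prompts and notes when an approval follows such a burst, which is the sign that a user gave in.

```python
# Added example (not from the original page): detect MFA push fatigue by
# counting denied or timed-out push prompts per user in a sliding window.
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample events (assumed format: ISO timestamp, user, result).
SAMPLE_EVENTS = """\
2024-03-01T08:00:05Z alice push_timeout
2024-03-01T08:00:40Z alice push_denied
2024-03-01T08:01:10Z alice push_denied
2024-03-01T08:01:35Z alice push_denied
2024-03-01T08:02:00Z alice push_approved
2024-03-01T08:00:10Z bob push_approved
2024-03-01T09:30:00Z carol push_denied
2024-03-01T11:45:00Z carol push_denied
2024-03-01T14:00:00Z carol push_denied
2024-03-01T16:10:00Z carol push_denied
"""

UNAPPROVED = {"push_denied", "push_timeout"}  # assumed result names

def parse_events(text):
    """Yield (timestamp, user, result) from the constructed log format."""
    for line in text.splitlines():
        ts, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        yield when.replace(tzinfo=timezone.utc), user, result

def detect_push_fatigue(text, threshold=3, window_seconds=300):
    """Return {user: {"prompts": n, "approved_after_burst": bool}} for users
    with more than `threshold` unapproved prompts inside any window of
    `window_seconds`. Events may arrive unsorted; they are ordered by time."""
    recent = defaultdict(deque)  # per-user timestamps of unapproved prompts
    flagged = {}
    for ts, user, result in sorted(parse_events(text)):
        q = recent[user]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop prompts that fell outside the window
        if result in UNAPPROVED:
            q.append(ts)
            if len(q) > threshold:
                entry = flagged.setdefault(user, {"prompts": 0, "approved_after_burst": False})
                entry["prompts"] = max(entry["prompts"], len(q))
        elif result == "push_approved" and user in flagged and len(q) > threshold:
            flagged[user]["approved_after_burst"] = True  # likely a worn-down user
    return flagged

if __name__ == "__main__":
    print(detect_push_fatigue(SAMPLE_EVENTS))
    # {'alice': {'prompts': 4, 'approved_after_burst': True}}
```

Carol's four denials are hours apart, so they never exceed the threshold inside a five-minute window; widening the window to a day flags her as well.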
Related Access Control terms
Access Control List (ACL)
A list of permissions attached to an object that specifies which users or system processes are granted access to resources and what operations they can perform. ACLs are implemented in routers, firewalls, and operating systems to filter traffic and restrict file access. They can be standard (filtering by source IP only) or extended (filtering by source, destination, port, and protocol). In cybersecurity certifications like CISSP and Security+, understanding ACLs is essential for network security and access management domains.
Authentication
The process of verifying the identity of a user, device, or system before granting access to resources. Authentication typically relies on one or more factors: something you know (password), something you have (token or smart card), or something you are (biometric). Modern systems often combine multiple factors (MFA) to strengthen security. Common authentication protocols include Kerberos, LDAP, OAuth 2.0, and SAML. Authentication is a foundational concept tested across nearly every cybersecurity certification.
Authorization
The process of determining what resources or actions an authenticated user is permitted to access. While authentication verifies identity, authorization enforces permissions based on policies, roles, or attributes. Common models include discretionary access control (DAC), mandatory access control (MAC), role-based access control (RBAC), and attribute-based access control (ABAC). Authorization failures are a leading cause of data breaches, making this a critical topic in CISSP, Security+, and OWASP Top 10 studies.
Single Sign-On (SSO)
An authentication scheme that allows a user to log in with a single set of credentials to access multiple applications and services without re-authenticating. SSO improves user experience and reduces password fatigue, but creates a single point of failure if the identity provider is compromised. Common SSO protocols include SAML 2.0, OAuth 2.0, and OpenID Connect. Enterprise SSO solutions often integrate with Active Directory or cloud identity providers like Okta and Azure AD. SSO is covered in CISSP Domain 5 (Identity and Access Management) and Security+.
Zero Trust
A security model that requires strict identity verification for every person and device attempting to access resources, regardless of whether they are inside or outside the network perimeter. Zero Trust operates on the principle of 'never trust, always verify' and assumes that breaches are inevitable. Key pillars include micro-segmentation, least privilege access, continuous verification, and real-time monitoring. The NIST SP 800-207 framework provides guidance for implementing Zero Trust architectures. This model has become a dominant security strategy and is increasingly tested in CISSP, Security+, and cloud security certifications.
Privilege Escalation
An attack where a user gains elevated access to resources that are normally protected, beyond what their assigned permissions allow. Vertical escalation involves gaining higher-level privileges (e.g., from user to admin), while horizontal escalation means accessing another user's resources at the same privilege level. Common techniques include exploiting misconfigurations, kernel vulnerabilities, weak file permissions, or unpatched software. Privilege escalation is a critical phase in penetration testing and is heavily tested in CEH, OSCP, and PenTest+ certifications.