What Is MFA? Multi-Factor Authentication Explained | AP Cybersecurity

Unit 1 • Topic 1.2 • Suspicious Website Logins

What Is Multi-Factor Authentication (MFA)? Factors, Examples & Limits

Multi-factor authentication (MFA) requires two or more independent factors to log in, so a stolen password alone is not enough. It is the single most effective upgrade to a login, but it is not unbreakable.

[Figure: the three factor categories. Know: password or PIN. Have: device. Are: biometric. True MFA combines factors from different categories.]

The three factor categories

MFA combines factors from different categories: something you know (a password or PIN), something you have (a phone, security key, or authenticator app), and something you are (a fingerprint or face).

The strength comes from using different categories. Two passwords are not MFA, because both are 'something you know.' A password plus an app code is MFA, because it mixes 'know' and 'have.'

Scenario

A site asks for a password and then a second password as a 'security question.' Is this true MFA?

Answer

No. Both are 'something you know.' True MFA combines different factor categories, such as a password plus a device-based code.

Exam tip

If the two factors come from the same category, it is not multi-factor. Check that the categories differ (know, have, are).

Why MFA still has limits

MFA stops attackers who only have your password. But a one-time passcode is a credential too. If a social engineer convinces you to read it aloud or type it into a fake site, they can use it before it expires.

This connects back to social engineering: the framework lists a one-time passcode as a stealable credential (EK 1.1.C.2). MFA raises the bar; human verification habits still matter.

Scenario

An attacker has a user's password and calls pretending to be IT, asking for the texted code. The user reads it aloud. Does MFA help?

Answer

Not in this case. The user handed over the second factor. MFA defeats a stolen password alone, but not a user who shares the one-time code.
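The two scenarios above turn on one fact: the one-time passcode is a credential, so whoever submits it first, within its validity window, passes the second check. The following Python model is an added example, not code from this page or from any product it mentions. It implements TOTP (RFC 6238, HMAC-SHA1, 30-second steps) with the standard library only, using the RFC test secret "12345678901234567890" and a constructed salt and password; the class names (SecondFactor, Account) and the demo scenarios are assumptions made for illustration. It shows the outcomes described on this page (a stolen password alone fails; a code handed to a caller succeeds if used first) and the two controls a verifier can add so that a leaked code is worth less: each step's code is accepted at most once, and codes expire after a short drift window.

```python
import hashlib
import hmac
import struct

# RFC 4226/6238 test secret (ASCII "12345678901234567890"). A real deployment
# generates a random per-user secret at enrolment and stores it encrypted.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time // step))


class SecondFactor:
    """Server-side 'something you have' check. A code is valid for its own
    30 s step (plus or minus one step of clock drift) and is accepted at most once."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, drift: int = 1):
        self.secret = secret
        self.step = step
        self.drift = drift
        self.last_accepted_step = -1  # highest step counter already spent

    def verify(self, code: str, at_time: float) -> bool:
        if not (code.isascii() and code.isdigit() and len(code) == 6):
            return False
        current = int(at_time // self.step)
        for step_counter in range(current - self.drift, current + self.drift + 1):
            if step_counter <= self.last_accepted_step:
                continue  # already used: a replayed or older code is rejected
            if hmac.compare_digest(hotp(self.secret, step_counter), code):
                self.last_accepted_step = step_counter
                return True
        return False  # wrong code, or issued too long ago (outside the drift window)


def hash_password(password: str, salt: bytes) -> bytes:
    """'Something you know', stored as a salted PBKDF2 hash, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """One user with both factors enrolled."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = b"constructed-demo-salt"  # constructed; use os.urandom(16) in practice
        self.password_hash = hash_password(password, self.salt)
        self.second_factor = SecondFactor(totp_secret)

    def login(self, password: str, code: str, at_time: float) -> bool:
        knows = hmac.compare_digest(hash_password(password, self.salt), self.password_hash)
        # Always run the second check too, so the response does not reveal which factor failed.
        has = self.second_factor.verify(code, at_time)
        return knows and has


def demo() -> dict:
    """Walk through the scenarios on this page; returns the outcome of each."""
    password = "correct horse battery staple"       # constructed demo password
    account = Account(password, DEMO_SECRET)
    t = 59.0                                         # clock reads step counter 1
    user_code = totp(DEMO_SECRET, t)                 # what the authenticator shows: "287082"
    results = {}
    # Attacker holds the password only: the second factor is missing.
    results["password_only"] = account.login(password, "000000", t)
    # A code phished earlier and tried five minutes later: expired.
    results["expired_code"] = account.login(password, user_code, t + 300)
    # Legitimate user with password plus the current code from the device.
    results["user_login"] = account.login(password, user_code, t + 5)
    # The same code read aloud to a caller and tried again: single use, rejected.
    results["replayed_code"] = account.login(password, user_code, t + 10)
    # The case this page describes: the user shares the code and the caller uses it first.
    fresh = Account(password, DEMO_SECRET)
    results["shared_code_used_first"] = fresh.login(password, totp(DEMO_SECRET, t), t + 5)
    return results


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario}: {'access granted' if allowed else 'denied'}")
```

Single use and expiry shrink the window in which a shared code is useful, but they do not close it: in the last scenario the verifier cannot tell the caller from the user, which is why the page pairs MFA with verification habits rather than treating it as a complete defence.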

Real-world example

The 2022 Uber breach

An attacker who already had an employee's password sent repeated MFA prompts and then posed as IT to get one approved (MFA fatigue), gaining access even though MFA was enabled.

MFA is strong, but a socially engineered approval defeats it.

Key Terms

Multi-factor authentication: Two or more independent factors from different categories.
Factor: A category of proof: something you know, have, or are.
One-time passcode: A short single-use code that counts as a credential, so never share it.
Authenticator app: An app that generates time-based codes as a 'have' factor.


Common Mistakes


Calling two passwords 'MFA'

Two factors from the same category (both 'know') is not multi-factor. The categories must differ.


Believing MFA stops all attacks

A phished one-time code can still defeat MFA. It is strong, not absolute.


Confusing a one-time code with 'not a credential'

A one-time passcode is a credential. Never share it.


Thinking biometrics are flawless

'Something you are' is strong but can be spoofed; it is still best combined with another factor.

Check for Understanding

Question 1
Which combination is true multi-factor authentication?
A. A password ('know') plus an app code ('have') mixes categories, so it is MFA. The others use a single category.
Question 2
The three authentication factor categories are best described as:
B. Authentication factors are something you know, something you have, and something you are.
Question 3
Which statements are true? I. A one-time passcode is a credential. II. Two passwords count as MFA. III. MFA blocks an attacker who only has your password.
B. I and III are true. II is false because two passwords are the same factor category.
Question 4
An attacker steals a password but the account uses an authenticator app the attacker cannot access. What happens?
C. MFA blocks access because the attacker lacks the second factor.
Question 5
Which scenario shows MFA being defeated despite being enabled?
A. Sharing the one-time code hands over the second factor, defeating MFA through social engineering.
Question 6
Why is a fingerprint plus a password considered multi-factor?
D. A fingerprint is 'something you are' and a password is 'something you know,' so the categories differ.

Frequently Asked Questions

MFA requires two or more independent factors to log in, drawn from different categories (something you know, have, or are), so a stolen password alone is not enough.
No. Two passwords are both 'something you know.' True MFA combines factors from different categories.
Yes, if a user is tricked into sharing a one-time code, since that code is itself a credential. MFA still blocks attackers who only have the password.
