
📖 What is Multi-Factor Authentication (MFA)?

A security mechanism that requires two or more different types of evidence (factors) to verify a user's identity.

🥋 Sensei Says:

"Using two passwords is NOT MFA. It must be two DIFFERENT factors (e.g., password + SMS code)."

📚 Certification: Certified in Cybersecurity (CC)

🔑 What are the Key Concepts of Multi-Factor Authentication (MFA)?

  • MFA significantly reduces the risk of account compromise by adding layers of security beyond just a password.
  • The three main authentication factors are: something you know (password), something you have (token), and something you are (biometrics).
  • Different MFA methods include SMS codes, authenticator apps (TOTP), hardware tokens (U2F/FIDO2), and push notifications.
  • Implementing MFA is a key control required or recommended by many security frameworks and standards, such as NIST SP 800-63 and PCI DSS.
  • MFA can be applied to various access points, including VPNs, cloud applications, and local workstations.

🎯 How does Multi-Factor Authentication (MFA) appear on the CC Exam?

You may be asked to identify the most effective method to protect privileged accounts from compromise, given a scenario describing a recent phishing attack.

A scenario might describe a company experiencing repeated brute-force attacks against its VPN. Determine which security measure would best mitigate this risk.

Expect questions about selecting the appropriate MFA method based on factors like cost, security requirements, and user experience.

❓ Frequently Asked Questions

What's the difference between one-time passwords (OTPs) and MFA?

An OTP is a single authentication factor, not MFA by itself. A code generated by a hardware token or authenticator app proves possession of the device holding the shared secret, so it serves as the 'something you have' factor. MFA is the broader concept of combining two or more different factors, for example a password (something you know) plus an OTP, a biometric, or a security key.


Can MFA protect against all types of attacks?

No, MFA isn't a silver bullet. It's highly effective against password-only attacks such as credential stuffing and brute force, but it doesn't protect against malware on the user's device, theft of an already-authenticated session cookie, or social engineering in which the user is tricked into supplying their MFA code or approving a push prompt. Real-time phishing proxies defeat SMS and TOTP codes by relaying them to the real site within the validity window; FIDO2/WebAuthn security keys resist this because the signed response is bound to the site origin the browser actually connected to.


What are the considerations when choosing an MFA solution?

Consider usability, cost, integration with existing systems, and the level of security provided. Authenticator apps are generally more secure than SMS-based MFA, because SMS codes can be redirected by SIM swapping. FIDO2/WebAuthn security keys provide the strongest protection of the common options, since they are phishing-resistant, and are the appropriate choice for privileged and administrator accounts.


📝 Related Study Guides

Study Guide 8 min read

ISC2 CC Certification Guide: Your Free Entry into Cyber

The ISC2 Certified in Cybersecurity (CC) is a free, entry-level certification designed for beginners. It covers five core domains—Security Principles, BCP/DR, Access Control, Network Security, and Security Operations—via a 100-question exam. It's the ideal starting point for career changers to build a foundation without financial barriers.

Exam Tips 8 min read

ISC2 CC Exam Domains: What You Need to Know to Pass

The ISC2 CC exam consists of five domains: Security Principles; Business Continuity (BC), Disaster Recovery (DR) and Incident Response (IR) Concepts; Access Controls Concepts; Network Security; and Security Operations. To pass, you must master the CIA Triad and security governance, while prioritizing high-weight domains through targeted practice and domain-specific analytics.

Comparison 8 min read

CISSP vs CISM: Which Certification Should You Pursue in 2026?

Choose CISSP if you want broad technical security expertise across eight domains, including cryptography, network security, and software development. Choose CISM if you're focused on information security management, governance, and risk management from a leadership perspective. CISSP is ideal for hands-on security architects, while CISM is designed for security managers and directors.
