Multi-Factor Authentication

Multi-Factor Authentication (MFA) requires users to provide two or more verification factors from different categories before gaining access. The three categories are knowledge (passwords), possession (tokens, phones), and inherence (biometrics). Using two passwords is not MFA because both are knowledge factors.

Common MFA implementations include password plus SMS code, password plus authenticator app, smart card plus PIN, or biometric plus hardware token. Each combination offers different security and usability tradeoffs. Phishing-resistant MFA using FIDO2 standards provides the strongest protection.
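The "password plus authenticator app" combination above is usually the time-based one-time password (TOTP) scheme from RFC 6238: the server and the user's app share a secret, and the app derives a short code from that secret and the current 30-second time step. As an added example that is not part of the original page, the Python below implements the HOTP/TOTP derivation and a small server-side verifier that tolerates one step of clock drift and refuses to accept the same code twice. The shared secret used in the usage lines is the RFC 6238 test-vector key (the ASCII string `12345678901234567890`), and the per-user "last accepted counter" store is an in-memory dict, which is an assumption for the example; a real deployment would persist it.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check of a submitted TOTP code.

    Accepts codes from the current step plus `window` steps either side to
    absorb clock drift, and records the highest counter accepted per user so a
    code that was already used cannot be replayed inside its validity window.
    """

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step = step
        self.digits = digits
        self.window = window
        # Assumption for the example: in-memory store of user -> last accepted counter.
        self._last_counter: dict = {}

    def verify(self, user: str, secret: bytes, candidate: str, unix_time: int = None) -> bool:
        if unix_time is None:
            unix_time = int(time.time())
        # Reject anything that is not exactly `digits` decimal digits before doing any crypto.
        if not (isinstance(candidate, str) and len(candidate) == self.digits and candidate.isdigit()):
            return False

        counter = unix_time // self.step
        matched = None
        for drift in range(-self.window, self.window + 1):
            c = counter + drift
            # Constant-time comparison so the check does not leak matching prefixes.
            if hmac.compare_digest(hotp(secret, c, self.digits), candidate):
                matched = c
        if matched is None:
            return False

        # One-time use: a counter at or below the last accepted one is a replay.
        if matched <= self._last_counter.get(user, -1):
            return False
        self._last_counter[user] = matched
        return True


if __name__ == "__main__":
    SECRET = b"12345678901234567890"  # RFC 6238 test-vector key, constructed input for the demo
    v = TotpVerifier()
    print(totp(SECRET, 59))                          # 287082 (RFC 6238 vector, 6 digits)
    print(v.verify("alice", SECRET, "287082", 59))   # True
    print(v.verify("alice", SECRET, "287082", 59))   # False: same code replayed
```

The drift window is the usability knob: a window of 1 lets a phone whose clock is up to 30 seconds off still log in, but it also triples the number of codes an attacker could guess per step, so the verifier should sit behind rate limiting. Note that TOTP is still a shared-secret, code-entry factor and is not phishing-resistant; that property comes from the FIDO2 approach the page mentions, where the authenticator signs a challenge bound to the site's origin.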

CISSP Relevance

MFA appears in Domain 5 (Identity and Access Management) as a critical control for protecting high-value accounts. Exam questions test understanding of factor categories, implementation methods, and when MFA should be required. Know the weaknesses of SMS-based MFA compared to app-based or hardware solutions.

Implementation guidance is available in CISA’s MFA resources.

Related terms: Authentication, Zero Trust