Security Operations · SY0-701 · Task 4.6

Multifactor authentication (MFA) — SY0-701

Master MFA for Security+ SY0-701: the three factor types, authenticator assurance levels, and the two-step vs. two-factor exam trap.

WHAT IT IS

Multifactor authentication (MFA) is an authentication system that requires more than one distinct type of authentication factor for successful authentication. MFA can be performed using a single multi-factor authenticator or by combining single-factor authenticators that provide different types of factors. (Source: NIST SP 800-63-4, via CSRC Glossary.)

The three recognized authentication factor types are:

  • Something you know — a memorized secret, such as a password or PIN. A memorized secret is defined as a character string that is intended to be memorized or memorable by the subscriber to permit the claimant to demonstrate something they know. (Source: NIST SP 800-63-4.)
  • Something you have — something the claimant possesses and controls, typically a cryptographic module or token, used to authenticate the claimant's identity. (Source: NIST SP 800-53 Rev. 5.)
  • Something you are — a measurable physical characteristic or personal behavioral trait used to verify the claimed identity of an individual, such as a fingerprint or facial image. (Source: CNSSI 4009-2015, via CSRC Glossary.)

Mental model

Think of each factor type as a different kind of evidence, not just a different piece of evidence. A bank vault that requires two keys is not MFA — it requires two instances of the same factor type (something you have). True MFA means the second challenge cannot be defeated by the same attack that defeats the first. An attacker who steals a password still must separately compromise a physical device or a biometric.


When to use it

The exam frequently asks you to distinguish MFA from simpler authentication schemes. Use this comparison to anchor your reasoning:

Scheme                               Factor types used          Example                              Counts as MFA?
Single-factor authentication         One type only              Password alone                       No
Two-step verification (same factor)  One type, presented twice  Password + security question         No
Two-factor authentication (2FA)      Two distinct types         Password + OTP device                Yes
MFA (three or more factors)          Three distinct types       Password + smart card + fingerprint  Yes

The defining criterion is distinct factor types, not the number of individual credentials presented. NIST SP 800-63-4 states that MFA requires more than one distinct type of authentication factor — combining two items from the same category does not satisfy this requirement.


COMMON MISCONCEPTION

The trap: Candidates assume that any two-step process qualifies as MFA.

A security question asked after a password is a second step, but both steps belong to the same factor type — something you know. NIST SP 800-63-4 requires distinct types; presenting two memorized secrets is still single-factor authentication. Similarly, entering a password and then a second password does not constitute MFA regardless of how many prompts appear on screen.

A related trap: a multi-factor authenticator (for example, a hardware token that requires a PIN before it generates a code) counts as MFA even though it is a single physical device, because it combines something you know (the PIN) with something you have (the device). NIST SP 800-63B explicitly recognizes that MFA can be achieved with a single multi-factor authenticator.


How it shows up on the exam

The cognitive target here is application — given a described authentication scheme, can you correctly classify whether it satisfies MFA?

Candidates often confuse number of steps with number of factor types. When a scenario describes multiple prompts, the task is to identify the factor category each prompt belongs to, not simply count the prompts.

Scenarios may also test Authenticator Assurance Levels (AAL). NIST SP 800-63-3 defines three tiers: AAL1 (some confidence), AAL2 (high confidence), and AAL3 (very high confidence). Both AAL2 and AAL3 require the use of more than one authentication factor type, while AAL1 does not. A scenario asking which control provides "high confidence" or "very high confidence" in identity verification is pointing at MFA-based assurance levels.
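To make the classification rule concrete, the following is an added Python example, not code from this page, NIST or CompTIA. It applies the distinct-factor-type rule to the schemes in the comparison table, to the PIN-protected hardware token from the misconception section (one device carrying two factor types), and to the AAL factor-type requirement described above. The Factor enum, Authenticator class, sample authenticators and labels are constructed for illustration; the AAL check covers only the factor-type requirement stated on this page, not the other requirements each level imposes.

```python
"""Classify an authentication scheme as MFA or not by counting distinct
factor TYPES rather than prompts or devices. Added study example; the
authenticators below are constructed sample data."""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three factor types recognized by NIST SP 800-63."""
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


@dataclass(frozen=True)
class Authenticator:
    """One credential the claimant presents. A single device may carry
    more than one factor type (a multi-factor authenticator)."""
    name: str
    factors: frozenset


def distinct_factor_types(scheme):
    """Union of factor types across every authenticator in the scheme."""
    types = set()
    for auth in scheme:
        types |= auth.factors
    return types


def is_mfa(scheme):
    """MFA requires more than one DISTINCT factor type; the number of
    prompts or physical devices does not matter."""
    return len(distinct_factor_types(scheme)) >= 2


def classify(scheme):
    """Return the exam label for a scheme, mirroring the comparison table."""
    types = len(distinct_factor_types(scheme))
    prompts = len(scheme)
    if types >= 3:
        return "MFA (three or more factor types)"
    if types == 2:
        if prompts == 1:
            return "MFA via a single multi-factor authenticator"
        return "Two-factor authentication (2FA)"
    if prompts > 1:
        return "Two-step verification (same factor type) - not MFA"
    return "Single-factor authentication - not MFA"


def meets_aal_factor_requirement(scheme, aal):
    """Factor-type check only: AAL2 and AAL3 require more than one factor
    type, AAL1 does not. Other per-level requirements are out of scope."""
    if aal not in (1, 2, 3):
        raise ValueError("AAL must be 1, 2 or 3")
    return aal == 1 or is_mfa(scheme)


# Constructed sample authenticators (illustrative, not from any standard).
PASSWORD = Authenticator("password", frozenset({Factor.KNOW}))
SECURITY_QUESTION = Authenticator("security question", frozenset({Factor.KNOW}))
OTP_DEVICE = Authenticator("OTP device", frozenset({Factor.HAVE}))
SMART_CARD = Authenticator("smart card", frozenset({Factor.HAVE}))
FINGERPRINT = Authenticator("fingerprint", frozenset({Factor.ARE}))
# One device that demands a PIN before producing a code: two types, one object.
PIN_TOKEN = Authenticator("PIN-protected hardware token",
                          frozenset({Factor.KNOW, Factor.HAVE}))

SCHEMES = {
    "password alone": [PASSWORD],
    "password + security question": [PASSWORD, SECURITY_QUESTION],
    "password + OTP device": [PASSWORD, OTP_DEVICE],
    "password + smart card + fingerprint": [PASSWORD, SMART_CARD, FINGERPRINT],
    "PIN-protected hardware token": [PIN_TOKEN],
}

if __name__ == "__main__":
    for name, scheme in SCHEMES.items():
        print(f"{name:38} -> {classify(scheme)}; "
              f"AAL2 factor requirement met: {meets_aal_factor_requirement(scheme, 2)}")
```

Running the block prints one line per scheme. The point the table makes shows up in the code path: "password + security question" has two prompts but one factor type, so it lands in the same-factor branch, while the PIN-protected token has one prompt but two types and is classified as MFA.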

Signal phrases to watch for:

  • "second factor" or "additional factor" — evaluate whether the second element is from a different factor type
  • "step-up authentication" — additional factor demanded when risk increases mid-session
  • "something you know and something you know" — this is the same-factor trap, not MFA
  • "hardware token plus PIN" — a multi-factor authenticator; counts as MFA even as a single device
