Module 01 — Introduction

Multi-Factor Authentication

MFA is a security mechanism that requires users to verify their identity using two or more independent authentication factors from different categories before gaining access to a system or resource.

Core Definition

MFA requires verification from multiple independent categories of credentials — not just multiple credentials from the same category. The independence of factors is what creates security depth.

The AAA Framework

MFA operates within the broader AAA security framework:

🔍

Authentication

Verifying the claimed identity — "Who are you?"

🔑

Authorization

Determining what access is permitted — "What can you do?"

📋

Accounting

Recording actions for audit and compliance — "What did you do?"

Why Passwords Alone Fail

🎣

Phishing

Deceptive sites or emails capture credentials without the user's awareness.

💾

Data Breaches

Credential databases are stolen and sold on dark web markets.

🔄

Password Reuse

One breach compromises multiple accounts using the same credentials.

🤖

Brute Force

Automated tools test millions of password combinations per second.

📱

Social Engineering

Attackers manipulate people into revealing credentials directly.

👀

Shoulder Surfing

Passwords observed physically in public spaces or via camera.

Learning Objectives

After completing this lesson, you will be able to:

Distinguish the three primary authentication factor categories
Compare specific MFA mechanisms (TOTP, FIDO2, push notifications)
Differentiate true MFA from two-step verification
Analyze common attack vectors and identify which MFA methods resist them
Apply the AAA framework to authentication design decisions

Module 02 — Authentication Factors

The Three Factor Categories

Authentication factors fall into three distinct categories based on their nature. True MFA requires factors from at least two different categories.

Type 1

Knowledge — Something You Know

▼

Knowledge factors rely on information only the legitimate user should possess. They are the most widely deployed factor type but also the most frequently compromised.

Examples

Passwords

Alphanumeric strings; most common but most frequently stolen or guessed.

PINs

Short numeric codes; faster to enter but lower entropy than passwords.

Security Questions

Answers to personal questions; often guessable via social media research.

Passphrases

Long sequences of random words; high entropy, easier to remember than random strings.

Strengths

No physical token required — users always have their memory
Easy to change if compromised
Universal support across all platforms
Zero hardware cost

Vulnerabilities

Phishing and social engineering attacks
Brute force and dictionary attacks
Keyloggers and screen capture malware
Database breaches expose hashed credentials
Credential stuffing using leaked password lists

Type 2

Possession — Something You Have

▼

Possession factors require the user to physically have a device or token. Unlike knowledge factors, they cannot be stolen remotely without also compromising the physical object.

Examples

Hardware Security Keys

YubiKey and similar devices using FIDO2/WebAuthn. Phishing-resistant by design.

TOTP Authenticator Apps

Google Authenticator, Authy, Microsoft Authenticator — generate time-based codes.

SMS OTP

One-time codes via text message. Convenient but vulnerable to SIM swapping.

Smart Cards / PIV

PKI certificates stored on chip cards; widely used in government and enterprise.

Push Notifications

Approve/deny prompts sent to a registered mobile device via app.

Strengths

Cannot be stolen without physical access to the device
Hardware keys are phishing-resistant (domain-bound)
TOTP codes are short-lived (30-second window)
Widely supported as a second factor

Vulnerabilities

Physical loss or theft of the device
SMS OTP vulnerable to SIM swapping attacks
TOTP susceptible to real-time phishing (attacker relays code immediately)
Push notification fatigue attacks (MFA bombing)
Backup code theft if stored insecurely

Type 3

Inherence — Something You Are

▼

Inherence factors are based on the user's unique biological or behavioral characteristics. Also called biometrics, these factors leverage traits that are difficult to replicate or transfer.

Examples

Fingerprint

Widely deployed on smartphones. Extremely fast and convenient.

Face Recognition

2D/3D facial mapping; Face ID uses IR depth sensing for liveness detection.

Iris / Retina Scan

Highly accurate; complex vasculature unique to each individual.

Voice Print

Voice pattern analysis; behavioral and physiological factors combined.

Strengths

Cannot be forgotten or lost
Difficult to transfer or share with others
Fast authentication experience for users
Some biometrics are extremely difficult to spoof

Vulnerabilities

Cannot be "changed" if compromised (unlike passwords)
Fingerprints can be lifted from surfaces and replicated
Face recognition susceptible to deepfake attacks in some implementations
Environmental factors (injury, illness) affect recognition accuracy
False positive/negative rates vary by implementation quality
Privacy and regulatory concerns (BIPA, GDPR)

Module 03 — Advanced Authentication

Advanced & Adaptive Factors

Beyond the three core categories, modern authentication systems layer additional context signals to create risk-aware, adaptive security.

Location-Based Authentication

Factor Category

Location is sometimes classified as a fourth factor: Somewhere You Are. It uses geolocation signals as a context-based authentication layer.

Location Signals Used

GPS coordinates — device-reported location (spoofable)
IP geolocation — approximate location from network address
Network context — corporate VPN, trusted Wi-Fi, known office subnet
Geo-velocity — impossible travel detection (login from NYC then Tokyo 20 min later)
Country allow/block lists — restrict access from high-risk regions

Limitation

Location alone is not a reliable primary factor — GPS can be spoofed, VPNs can simulate trusted locations, and legitimate users travel. Location works best as a risk signal that triggers step-up authentication rather than a hard gate.

Behavioral Biometrics

Behavioral biometrics continuously analyze how a user interacts with a device, creating a dynamic authentication signal that doesn't require explicit action from the user.

⌨️

Keystroke Dynamics

Typing rhythm, dwell time, flight time between keys — creates a unique typing fingerprint.

🖱️

Mouse Movement

Cursor path patterns, click speed, scroll behavior — subtle but statistically distinctive.

📲

Touch Patterns

Swipe speed, pressure, finger angle — unique to each individual's touch behavior.

🧭

Navigation Behavior

How the user navigates the application — page sequence, dwell times, interaction patterns.

Adaptive / Risk-Based MFA

Adaptive MFA dynamically adjusts authentication requirements based on real-time risk assessment. Low-risk access may require only one factor; high-risk signals trigger additional verification steps.

Risk Signals Evaluated

Device Trust

Is this a registered, managed, compliant device? MDM enrollment status?

Network Context

Corporate intranet vs. public Wi-Fi vs. Tor exit node?

Login Time

Is this access attempt within normal working hours for this user?

Threat Intelligence

Is the IP address listed in threat feeds? Known bad actor?

Resource Sensitivity

Accessing payroll data vs. viewing public announcements — different risk levels.

Behavioral Anomaly

Does this session deviate from the user's established behavioral baseline?

Use Case

Zero Trust architectures rely heavily on adaptive MFA — no user or device is trusted by default, and risk is continuously re-evaluated throughout a session ("never trust, always verify").

Module 04 — MFA Mechanisms

MFA Mechanisms & Protocols

Different MFA implementations offer varying levels of security, usability, and phishing resistance. Understanding the trade-offs helps in selecting the right mechanism for a given context.

Mechanism	Type	Phishing Resistant	Offline	Use Case
TOTP	Possession	⚠ Partial	✓ Yes	Consumer accounts, apps
FIDO2 / WebAuthn	Possession	✓ Yes	✓ Yes	Enterprise, high-security web apps
Push Notification	Possession	⚠ Partial	✗ No	Enterprise SSO, workforce apps
SMS OTP	Possession	⚠ Partial	✗ No	Consumer fallback (weak)
Smart Card / PIV	Possession	✓ Yes	✓ Yes	Government, regulated industries
Passkeys	Possession + Inherence	✓ Yes	✓ Yes	Passwordless future, modern apps

TOTP — Time-Based One-Time Passwords

TOTP (RFC 6238) generates a short-lived numeric code using a shared secret key and the current Unix timestamp. Codes are valid for a 30-second window.

Server generates secret

→

Secret stored in authenticator app

→

App computes HMAC(secret, timestamp)

→

6-digit code displayed

→

Server verifies independently

TOTP Limitation

TOTP codes are vulnerable to real-time phishing: an attacker can proxy the code to the legitimate site within the 30-second window. TOTP does NOT provide cryptographic binding to the origin domain.

FIDO2 / WebAuthn

FIDO2 uses public-key cryptography. During registration, the authenticator generates a key pair; the private key never leaves the device. During authentication, the authenticator signs a challenge from the server. The signature is domain-bound, making phishing cryptographically impossible.

Server sends challenge + origin

→

Authenticator verifies origin

→

Private key signs challenge

→

Signature sent to server

→

Server verifies with public key

Why FIDO2 is Phishing-Resistant

The credential is cryptographically bound to the exact origin domain (e.g., bank.com). A phishing site at b4nk.com would receive a signature that fails verification — the attack is structurally impossible, not just detected.

Module 05 — Comparison

True MFA vs Two-Step Verification

These terms are often used interchangeably, but they describe meaningfully different security architectures. The distinction matters for compliance and threat modeling.

Common Misconception

Two sequential password prompts (password → security question) is NOT MFA — it is two-step verification using two factors from the same category (Knowledge + Knowledge). True MFA requires factors from at least two different categories.

✓ True MFA

Password (Knowledge) + YubiKey (Possession)
PIN (Knowledge) + Fingerprint (Inherence)
Password (Knowledge) + TOTP App (Possession)
Smart Card (Possession) + PIN (Knowledge)
Password + Push notification + Face ID

✗ NOT True MFA

Password + Security question (K + K)
Password + Secret word (K + K)
Fingerprint + Face scan (I + I)
PIN + Password (K + K)
Two different passwords (K + K)

Factor Comparison Matrix

Factor Type	Revocable	Remote Theft	User Friction	Offline	Phishing Resistant	Scalable
Knowledge	✓	High	Low	✓	✗	✓
Possession (TOTP)	✓	Med	Med	✓	⚠	✓
Possession (FIDO2)	✓	Low	Low	✓	✓	Med
Inherence	✗	Low	Low	✓	⚠	Med
Location	✓	Med	Low	✗	⚠	✓

Activity 01 — Drag & Drop

Authentication Factor Sorter

Drag each authentication method to its correct factor category. You must place all chips before checking your answers.

DRAG FROM HERE:

Password

YubiKey

Fingerprint

Authenticator App

Iris Scan

Smart Card

Face ID

Security Question

SMS Code

Voice Print

Passphrase

🧠 Knowledge

🔑 Possession

👁 Inherence

Activity 02 — Threat Analysis

Attack Scenario Simulator

Analyze four real-world attack scenarios. For each threat, review how different MFA mechanisms defend against it.

Credential Stuffing

SIM Swapping

Real-Time Phishing

MFA Fatigue

🎯 Attack Vector: Credential Stuffing

Attackers use automated tools to test stolen username/password combinations (from previous breaches) against target services. Billions of credentials from past breaches are available on dark web markets.

How It Works

Attacker obtains a breach database → extracts email/password pairs → runs automated login script against target → gains access to accounts where users reused passwords from the breached service.

Defense Effectiveness

No MFA

5%

SMS OTP

75%

TOTP App

90%

FIDO2 Hardware Key

99%

Key Insight

Any MFA drastically reduces credential stuffing risk because attackers only have username/password — they cannot satisfy the second factor at scale. FIDO2 provides near-complete protection.

📱 Attack Vector: SIM Swapping

Attackers socially engineer mobile carriers into transferring a victim's phone number to an attacker-controlled SIM card. All SMS and calls — including OTP codes — are redirected to the attacker.

How It Works

Attacker researches victim's carrier and personal info → calls carrier support impersonating victim → convinces rep to transfer number → receives all SMS OTPs for password resets and authentication.

Defense Effectiveness

SMS OTP

0%

TOTP App

98%

Push Notification

90%

FIDO2 Hardware Key

99%

Critical Takeaway

SMS OTP provides zero protection against SIM swapping. NIST SP 800-63B explicitly discourages SMS OTP for high-assurance applications. Organizations should migrate to app-based or hardware authentication.

🎣 Attack Vector: Real-Time Phishing (AiTM)

Adversary-in-the-Middle (AiTM) attacks use a reverse proxy to sit between the victim and the legitimate service, relaying credentials and OTP codes in real time within the valid time window.

How It Works

Victim clicks phishing link → arrives at convincing fake site (Evilginx2 proxy) → enters credentials and TOTP code → proxy relays everything to real site in <30 seconds → attacker logs in with stolen session token.

Defense Effectiveness

SMS OTP

0%

TOTP App

10%

Push Notification

40%

FIDO2 Hardware Key

99%

Why Only FIDO2 Blocks AiTM

FIDO2 cryptographically binds the authentication to the origin domain. A proxy at evil-bank.com cannot forge a valid signature for bank.com — the domain mismatch causes authentication to fail structurally.

😴 Attack Vector: MFA Fatigue (Push Bombing)

Attackers who have stolen credentials send a flood of push authentication requests to the victim's device. Users who are confused, tired, or conditioned to approve prompts may accidentally (or frustratedly) approve a malicious request.

How It Works

Attacker obtains username/password → sends 50+ push approval requests in rapid succession → victim approves one push to make the flood stop → attacker gains access. Uber breach (2022) used this technique combined with social engineering.

Defense Effectiveness

Standard Push Notification

20%

Number Matching Push

90%

TOTP App

95%

FIDO2 Hardware Key

99%

Mitigation: Number Matching

Microsoft, Okta, and Duo now support number matching — the login screen displays a 2-digit number that the user must select in the push app. This prevents mindless approval and defeats push bombing attacks.

Reference — Glossary

Key Terms

Essential vocabulary for MFA concepts, standards, and threat terminology.

AAA Framework

Authentication, Authorization, and Accounting — the three pillars of access control. Authentication verifies identity, Authorization determines permissions, and Accounting logs activity for audit and compliance.

Credential Stuffing

An automated attack that uses username/password pairs stolen from previous data breaches to gain unauthorized access to accounts on other services, exploiting password reuse behavior.

SIM Swapping

A social engineering attack where an attacker convinces a mobile carrier to transfer a victim's phone number to an attacker-controlled SIM card, intercepting all SMS messages and calls including OTP codes.

Out-of-Band Authentication

Authentication that uses a separate, independent channel from the primary login channel (e.g., SMS to a phone while logging in via a browser). The separate channel prevents certain man-in-the-middle attacks.

Adaptive MFA

A risk-based authentication approach that dynamically adjusts the level of authentication required based on contextual signals such as device trust, location, time of day, and behavioral anomalies.

TOTP

Time-Based One-Time Password (RFC 6238) — a temporary code generated by computing an HMAC of a shared secret and the current Unix timestamp, producing a new code every 30 seconds.

FIDO2 / WebAuthn

An open authentication standard using public-key cryptography. The authenticator generates a key pair; the private key never leaves the device. Authentication is domain-bound, making phishing structurally impossible.

MFA Fatigue (Push Bombing)

An attack where an adversary who has stolen credentials sends repeated push authentication requests to overwhelm the victim, hoping the victim will approve a request to stop the flood of notifications.

Geo-Velocity

An anomaly detection technique that flags authentication attempts from geographically impossible locations given time constraints — for example, a login from London followed 10 minutes later by a login attempt from Tokyo.

Assessment

Knowledge Check

Test your understanding of MFA concepts. Select the best answer for each question.

1. A user logs in with a password and then answers a secret question. This is an example of:

True MFA because two steps are required MFA because two different credentials are used Two-step verification, NOT true MFA (both are Knowledge factors) Inherence-based authentication

2. Which MFA mechanism is considered most resistant to real-time phishing (AiTM) attacks?

TOTP authenticator app FIDO2 hardware security key SMS one-time password Push notification approval

3. A fingerprint scanner is categorized under which authentication factor type?

Knowledge — Something You Know Possession — Something You Have Location — Somewhere You Are Inherence — Something You Are

4. In the AAA framework, which function specifically records user actions for compliance auditing?

Accounting Authentication Authorization Attestation

5. An MFA fatigue attack (push bombing) is most effectively defeated by:

Disabling push notifications entirely Requiring users to approve faster Number matching — requiring users to enter a code shown on the login screen Using a longer password

6. TOTP codes are generated using which cryptographic construction?

RSA public-key encryption HMAC of a shared secret and the current timestamp AES-256 encryption of the username SHA-256 hash of the user's password

7. SIM swapping attacks completely bypass which MFA mechanism?

FIDO2 hardware keys TOTP authenticator apps Smart card / PIV authentication SMS one-time passwords

8. Geo-velocity is best described as:

An anomaly detection technique flagging geographically impossible logins given time constraints GPS-based location locking that prevents logins from foreign countries The speed at which authentication tokens are generated A FIDO2 protocol extension for mobile authenticators

0/8