MFA Authentication Factors (Domain 4)
Strong security doesn’t rely on a single gate—it relies on multiple gates working together. That’s the principle behind multifactor authentication, or M F A. Instead of just asking for a password, M F A systems require two or more distinct types of authentication factors. Each factor makes it harder for attackers to gain access—even if one is compromised. In this episode, we explore the core categories of authentication factors—something you know, something you have, and something you are—as well as location-based authentication, sometimes called “somewhere you are.”
Let’s begin with the big three: knowledge, possession, and inherence.
The first factor is something you know—also known as a knowledge factor. This includes passwords, passphrases, PIN codes, answers to security questions, or any piece of information the user is expected to remember. Most systems still rely on this factor as the default method of authentication.
While simple and widely used, knowledge factors are also the most vulnerable. Passwords can be guessed, stolen, reused, or phished. That’s why M F A implementations don’t stop with this factor—they add at least one more.
Let’s consider an example. A user logs into their company’s portal by entering their username and a strong password. This satisfies the “something you know” requirement, but alone, it’s not enough for secure access.
The second factor is something you have—also known as a possession factor. This includes physical or digital objects the user must possess to authenticate. Examples include hardware tokens, smartphone authenticator apps, smart cards, or email and text message codes. These methods rely on the principle that an attacker would need to physically control or steal a device to complete the login process.
A real-world example might involve a software developer logging into a source code repository. After entering their password, they open their authenticator app on their smartphone and enter a time-based code. Even if an attacker had the password, they would still need the physical phone to gain access.
Possession-based factors significantly raise the bar for attackers, especially when combined with device management tools that detect lost or jailbroken phones, unauthorized SIM swaps, or duplicated devices.
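The "time-based code" in the developer example is a TOTP (RFC 6238): the authenticator app and the server share a secret at enrollment, and each derives the same six-digit code from that secret and the current 30-second time step, so a valid code proves possession of the enrolled device. The following is an added example, not code from the episode: a server-side verifier that tolerates one step of clock drift and records the last accepted step so the same code cannot be replayed. The secret is the published RFC 6238 test secret; a real deployment generates a random secret per user.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

# RFC 6238 reference secret ("12345678901234567890" encoded in base32), used here
# only so the outputs can be checked against the RFC's published test vectors.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # seconds per code
DIGITS = 6


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret_b32, unix_time // step)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                last_counter: Optional[int] = None, window: int = 1,
                step: int = TIME_STEP) -> Optional[int]:
    """Return the time-step counter the code matched, or None if it is rejected.

    Codes from +/- `window` steps are accepted to tolerate clock drift between the
    phone and the server, but a counter at or below `last_counter` is never accepted,
    so a code captured in transit cannot be replayed within the same step. The caller
    is expected to persist the returned counter per user as the new `last_counter`.
    """
    if not submitted.isdigit():
        return None
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if last_counter is not None and candidate <= last_counter:
            continue
        expected = hotp(secret_b32, candidate)
        # Constant-time comparison avoids leaking which digits matched.
        if hmac.compare_digest(expected, submitted):
            return candidate
    return None


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(RFC_SECRET_B32, now)
    print("current code:", code, "accepted at step:", verify_totp(RFC_SECRET_B32, code, now))
```

The drift window is the usual trade-off: each extra step widens the interval in which a phished or shoulder-surfed code stays usable, which is why one step in either direction is the common default and why the replay check matters.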
The third factor is something you are—also called an inherence factor. These are biometric traits unique to the individual. Examples include fingerprint scans, facial recognition, iris scans, voice patterns, or even behavioral biometrics like typing cadence or mouse movements.
Biometrics are convenient because they can’t be forgotten or guessed. They also provide a physical link to the user’s identity, making it harder for attackers to impersonate legitimate users.
Let’s take a practical scenario. An executive logs into a company dashboard using their laptop. After typing their password, they are prompted to scan their fingerprint using the device’s built-in reader. This biometric check ensures that the person using the laptop is actually the person authorized to access the system.
Biometric methods are widely used on smartphones and laptops and are increasingly integrated into workplace authentication platforms. However, because biometric data cannot be changed if compromised, it should always be part of a layered authentication strategy and not the only factor in use.
Now let’s shift to a lesser-known but increasingly useful factor: somewhere you are, or location-based authentication.
Location-based authentication uses the user’s geographic or network location to verify identity. This factor is often implemented by analyzing Internet Protocol addresses, GPS coordinates, Wi-Fi networks, or cellular tower data. If a user attempts to log in from an unusual or unauthorized location, the system can deny access, require additional verification, or trigger alerts.
Let’s walk through a real-world example. A sales manager typically logs in from New York. One morning, a login attempt occurs from Moscow. The system flags this as an anomalous location and blocks the attempt automatically. Meanwhile, the security team is alerted and begins an investigation. This kind of geofencing reduces the risk that stolen credentials can be used by foreign threat actors or automated bots to gain access.
Another common use case is restricting access based on network ranges. For instance, remote access to a corporate resource might only be allowed from pre-approved IP addresses or regions. If an employee logs in from outside the United States, the system may require multifactor authentication, or deny access altogether unless explicitly allowed.
Location-based authentication adds another dimension to access control by considering the context of the request—not just the credentials. It’s often used in conjunction with other M F A factors, and is a key component in adaptive or risk-based authentication systems.
However, this method isn’t foolproof. Users may travel frequently, use virtual private networks, or work from unknown Wi-Fi networks, any of which can trigger false positives. That’s why it’s best used as a contributing factor—rather than a primary one. Security teams can configure policies to allow trusted locations, require confirmation of new devices, or require step-up authentication for unrecognized geographies.
Let’s take another example. A hospital allows doctors to log in to patient systems using S S O and multifactor authentication. If the system detects that a login attempt comes from outside of the hospital campus, it automatically requires biometric verification—even if the password and time-based token are correct. This combination of “something you are” and “somewhere you are” creates stronger protection in high-risk scenarios.
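The location checks and the hospital scenario above amount to a small policy engine: first confirm that the presented credentials span at least two of the categories defined earlier in the episode, then use the source network and country as context to allow, deny and alert, or ask for a step-up factor. The following is an added example, not code from the episode; the credential-to-category table, the campus network range, the allowed countries, and the user baseline are all constructed, and each credential is assumed to have already been verified on its own before the policy runs.

```python
import ipaddress
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Constructed mapping from credential type to factor category. The policy only
# sees credential types that have already passed their own verification.
CREDENTIAL_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "totp": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "sms_code": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


def factor_categories(credentials) -> set:
    return {CREDENTIAL_CATEGORY[c] for c in credentials}


def is_multifactor(credentials) -> bool:
    """True only when the credentials come from at least two distinct categories."""
    return len(factor_categories(credentials)) >= 2


@dataclass(frozen=True)
class Attempt:
    user: str
    credentials: tuple   # verified credential types presented in this login
    source_ip: str
    country: str         # country code from an upstream geolocation lookup (assumed)


@dataclass
class Policy:
    trusted_networks: tuple = ()                        # campus / corporate ranges
    allowed_countries: frozenset = frozenset()          # empty means no restriction
    usual_country: dict = field(default_factory=dict)   # per-user location baseline
    require_inherence_offsite: bool = False             # the hospital rule


@dataclass(frozen=True)
class Decision:
    action: str                        # "allow", "deny" or "step_up"
    reason: str
    alert: bool = False                # notify the security team
    required: Optional[Factor] = None  # category to request on step_up


def evaluate(attempt: Attempt, policy: Policy) -> Decision:
    present = factor_categories(attempt.credentials)
    # Two credentials from one category (password + security question) is not MFA.
    if len(present) < 2:
        missing = [f for f in Factor if f not in present]
        return Decision("step_up", "only one factor category presented",
                        required=missing[0])
    ip = ipaddress.ip_address(attempt.source_ip)
    if any(ip in net for net in policy.trusted_networks):
        return Decision("allow", "multifactor login from a trusted network")
    if policy.allowed_countries and attempt.country not in policy.allowed_countries:
        # The sales-manager case: block outright and alert the security team.
        return Decision("deny", f"login from disallowed country {attempt.country}",
                        alert=True)
    usual = policy.usual_country.get(attempt.user)
    unusual = usual is not None and attempt.country != usual
    if (policy.require_inherence_offsite or unusual) and Factor.INHERENCE not in present:
        # The hospital case: password and token are fine, but off campus a
        # biometric is still required before access is granted.
        return Decision("step_up", "off-site or unusual location",
                        alert=unusual, required=Factor.INHERENCE)
    return Decision("allow", "multifactor login from an acceptable location")


# Constructed policy modelled on the hospital scenario: 10.0.0.0/8 is the campus
# network, users are expected in the US or Canada, biometrics required off campus.
HOSPITAL_POLICY = Policy(
    trusted_networks=(ipaddress.ip_network("10.0.0.0/8"),),
    allowed_countries=frozenset({"US", "CA"}),
    usual_country={"dr.lee": "US"},
    require_inherence_offsite=True,
)

if __name__ == "__main__":
    for attempt in (
        Attempt("dr.lee", ("password", "totp"), "10.20.30.40", "US"),
        Attempt("dr.lee", ("password", "totp"), "203.0.113.5", "US"),
        Attempt("dr.lee", ("password", "totp"), "198.51.100.7", "RU"),
    ):
        print(attempt.source_ip, attempt.country, evaluate(attempt, HOSPITAL_POLICY))
```

Note that the location signal never stands in for a missing category: a single-category login is sent to step-up before any network or country check runs, which mirrors the episode's point that "somewhere you are" contributes context rather than replacing one of the three primary factors.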
To summarize, multifactor authentication is built on using more than one type of credential from different categories. Knowledge factors are things users know, such as passwords or PINs. Possession factors include things users have, like tokens or smartphones. Inherence factors verify what users are, through biometrics like fingerprints or face scans. And location-based authentication adds a contextual factor—verifying users based on where they are. Together, these elements help build layered, adaptive security that’s much harder to defeat than passwords alone.
For the Security Plus exam, expect questions about the different types of authentication factors, how they are applied, and which combinations qualify as multifactor authentication. You may be asked to identify which factor is being used in a scenario or evaluate the effectiveness of a given setup. Review terms like time-based one-time password, biometric spoofing, GPS validation, authentication context, and geofencing policy—they’re frequently tested and vital for modern authentication strategies.
To dive deeper into this topic and access free resources, visit us at Bare Metal Cyber dot com. You’ll find more podcast episodes, downloadable study tools, and our weekly newsletter. And when you’re ready to pass with confidence, visit Cyber Author dot me and pick up your copy of Achieve CompTIA Security Plus S Y Zero Dash Seven Zero One Exam Success. It’s the most focused, practical guide available for mastering every domain of the exam.
