Multifactor Authentication (MFA) Implementations (Domain 4)
Strong passwords are no longer enough. With credential theft, phishing attacks, and brute-force methods on the rise, relying solely on something you know—like a password—puts your organization at risk. That’s why multifactor authentication, or MFA, is now a standard requirement across industries. By combining two or more factors—something you know, something you have, and something you are—MFA dramatically reduces the likelihood of unauthorized access. In this episode, we explore key methods for implementing MFA, focusing on biometrics, tokens, and physical security keys.
Let’s begin with biometrics and tokens. Biometrics fall under the category of “something you are.” These are measurable, unique biological or behavioral characteristics that verify identity. Common biometric methods include fingerprint scans, facial recognition, iris scans, and voice recognition. The appeal of biometrics is that they’re convenient—users don’t need to carry anything or remember a code—and difficult to replicate.
Biometrics are widely used on mobile devices, in corporate authentication systems, and even at physical access points. For example, employees may scan a fingerprint to log in to a workstation, or use facial recognition to unlock a smartphone connected to corporate applications.
Let’s walk through a practical example. A law firm deploys biometric authentication on its laptops, requiring fingerprint verification in addition to a user password. Even if a laptop is stolen and the password is guessed, the attacker still cannot access the system without the authorized fingerprint. This added layer prevents unauthorized logins and strengthens endpoint security.
However, biometrics are not perfect. While they are difficult to steal, they are not impossible to spoof. Advanced attackers have been able to replicate fingerprints or trick facial recognition systems. Also, unlike passwords, biometric data cannot be changed if compromised. That’s why biometrics should always be combined with other factors for true multifactor protection.
Next, let’s talk about tokens. Tokens fall under the “something you have” category. These are physical or virtual devices that generate or receive authentication codes. There are two main types: hardware tokens and software tokens.
Hardware tokens are dedicated devices—such as key fobs—that generate time-based one-time passwords, also called TOTP codes. These codes are synchronized with the authentication server and change every thirty to sixty seconds. When a user logs in, they enter their password and the current token code, proving they have possession of the token.
Software tokens work similarly, but they run on smartphones or other devices. Applications like Google Authenticator, Microsoft Authenticator, and Duo Mobile generate time-based codes tied to the user’s account. These apps are easier to deploy and maintain than physical tokens, but they rely on the security of the mobile device.
Let’s consider another real-world scenario. A financial services firm implements software tokens for all remote employees. When users log in to the virtual private network, they enter their username and password, then supply the current code from their authenticator app. Even if a password is compromised, access is denied without the token. This significantly reduces the risk of remote credential theft.
One-time codes can also be delivered by text message or email, but these methods are increasingly discouraged because the codes can be intercepted or phished. SIM swapping attacks, in particular, have highlighted the weakness of relying solely on text-based verification. For high-security environments, time-based tokens or push-based verification methods are preferred.
Push-based MFA is a newer variant where users receive a notification on their phone and approve the login with a tap. This simplifies the user experience while maintaining strong security—provided the device itself is protected with biometrics or a PIN.
Now let’s shift to security keys. Physical security keys are one of the most secure MFA methods available. They are hardware devices—usually USB or NFC-based—that support strong, cryptographic authentication using open standards like FIDO2 or Universal 2nd Factor (U2F).
Security keys are resistant to phishing, replay attacks, and credential theft. They work by performing a cryptographic handshake with the login system, proving possession of the device without transmitting a shared secret. This eliminates many of the weaknesses associated with passwords and token codes.
Let’s look at a real-world example. A technology company implements security keys for all privileged accounts. Administrators must insert their USB security key and touch it to complete login. Because the key performs a local cryptographic operation, phishing emails and fake login pages cannot trick the user into revealing credentials. Even if attackers capture the username and password, they cannot complete the cryptographic exchange without the key.
Security keys are especially useful for high-risk roles—such as system administrators, developers, and executives. Many keys also support biometric validation, adding a second layer of assurance. Some keys are built into laptops or mobile devices, while others are standalone and portable. Most work across operating systems, browsers, and authentication platforms.
Deployment of security keys requires planning. Users must be enrolled, keys must be registered to their accounts, and backup options must be defined in case a key is lost. Organizations should establish clear policies for recovery, replacement, and revocation to avoid lockouts or delays.
One of the most powerful benefits of security keys is their phishing resistance. Traditional MFA methods—such as codes sent via text or email—can be tricked by attackers who clone login pages. Security keys, on the other hand, validate the website’s origin before authenticating. If the site is fake, the key won’t respond. This built-in check protects users from credential harvesting—even when the phishing attempt is convincing.
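The origin binding described here, and the challenge-response handshake described earlier in the security-key section, modelled as an added example in Go (not code from the episode or from the FIDO2/WebAuthn specifications themselves). The model keeps the three parts that make a security key phishing-resistant: the key holds a separate private key per relying party ID and signs nothing for a site it was never enrolled with; the browser, not the web page, writes the real origin into the signed client data; and the server checks challenge freshness and origin before it even looks at the signature. Real WebAuthn carries more fields (attestation, flags, a signature counter) and derives the relying party ID from the registrable domain rather than the last two DNS labels used here. The hostnames `login.example.com` and `attacker.example` are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

type (
	clientData  struct{ Challenge, Origin string }           // clientDataJSON fields; the browser, not the page, sets Origin
	assertion   struct{ ClientDataJSON, Signature []byte }   // what the browser hands back to the server
	securityKey struct{ creds map[string]*ecdsa.PrivateKey } // the token: one private key per rpID, never exported
)

// digest is what the key signs and the server checks. Real WebAuthn signs authenticatorData
// (which begins with SHA-256(rpID)) followed by SHA-256(clientDataJSON); this keeps that shape.
func digest(rpID string, cdJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return d[:]
}

// sign produces an assertion, but only if the key holds a credential for this rpID.
func (k *securityKey) sign(rpID string, cdJSON []byte) (*assertion, error) {
	priv, ok := k.creds[rpID]
	if !ok {
		return nil, fmt.Errorf("key: no credential for %q, nothing signed", rpID)
	}
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest(rpID, cdJSON)) // fails only if the RNG does
	return &assertion{ClientDataJSON: cdJSON, Signature: sig}, nil
}

// browserLogin models the user agent: it derives rpID from the page's own origin
// (simplified to the last two DNS labels) and records that origin in clientData.
func browserLogin(origin, challenge string, key *securityKey) (*assertion, error) {
	labels := strings.Split(strings.TrimPrefix(origin, "https://"), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	return key.sign(strings.Join(labels, "."), cd)
}

// relyingParty is the server: its rpID, allowed origins, the enrolled public key, and outstanding challenges.
type relyingParty struct {
	rpID                string
	origins, challenges map[string]bool
	pub                 *ecdsa.PublicKey
}

func (rp *relyingParty) newChallenge() string {
	b := make([]byte, 16)
	rand.Read(b)
	rp.challenges[fmt.Sprintf("%x", b)] = true
	return fmt.Sprintf("%x", b)
}

// verify runs the server-side checks in order: fresh challenge, expected origin, valid signature.
func (rp *relyingParty) verify(a *assertion) error {
	var cd clientData
	json.Unmarshal(a.ClientDataJSON, &cd) // malformed JSON leaves empty fields, which fail below
	if !rp.challenges[cd.Challenge] {
		return fmt.Errorf("server: unknown or already used challenge")
	}
	delete(rp.challenges, cd.Challenge) // single use: a captured assertion cannot be replayed
	if !rp.origins[cd.Origin] {
		return fmt.Errorf("server: origin %q is not this site", cd.Origin)
	}
	if !ecdsa.VerifyASN1(rp.pub, digest(rp.rpID, a.ClientDataJSON), a.Signature) {
		return fmt.Errorf("server: signature does not verify for this relying party")
	}
	return nil
}

// demo plays out four cases; a nil error means the server accepted the login.
func demo() (legit, phish, relay, replay error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // credential enrolled for example.com
	key := &securityKey{creds: map[string]*ecdsa.PrivateKey{"example.com": priv}}
	rp := &relyingParty{rpID: "example.com", pub: &priv.PublicKey,
		origins: map[string]bool{"https://login.example.com": true}, challenges: map[string]bool{}}
	a, _ := browserLogin("https://login.example.com", rp.newChallenge(), key) // 1. genuine login from the real origin
	legit = rp.verify(a)
	// 2. Lookalike page (constructed hostname): the browser derives rpID "attacker.example", the key
	//    holds no credential for it, so nothing is signed and nothing usable leaves the device.
	_, phish = browserLogin("https://login.example.com.attacker.example", rp.newChallenge(), key)
	// 3. Defense in depth: an assertion signed under the right rpID but whose clientData records
	//    a foreign origin is refused on the origin check, before the signature is examined.
	cd, _ := json.Marshal(clientData{Challenge: rp.newChallenge(), Origin: "https://attacker.example"})
	forged, _ := key.sign("example.com", cd)
	relay = rp.verify(forged)
	replay = rp.verify(a) // 4. the genuine assertion again: its challenge has already been consumed
	return
}

func main() {
	legit, phish, relay, replay := demo()
	fmt.Println("genuine:", legit, "\nlookalike:", phish, "\nforeign origin:", relay, "\nreplay:", replay)
}
```

Case 2 is the one the episode is describing: a convincing clone on a different domain never gets a signature to forward, because the credential is scoped to the real site's relying party ID. Cases 3 and 4 show why the server still verifies origin and challenge itself rather than trusting the client.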
To summarize, multifactor authentication significantly improves account security by combining two or more authentication factors. Biometrics verify who you are. Tokens prove what you have. And security keys add strong, phishing-resistant protection with cryptographic proof of possession. These methods reduce reliance on passwords and protect against a wide range of attacks—including phishing, brute force, and credential stuffing.
For the Security+ exam, be prepared to identify different MFA methods, their strengths and weaknesses, and where they are best applied. You may be asked to compare biometric authentication to token-based MFA, or to evaluate which method offers the most protection in a given scenario. Review terms like time-based token, push verification, FIDO2, biometric spoofing, hardware key, and multifactor flow—they’re all fair game and directly relevant to modern security strategies.
To support your exam prep and access bonus content, visit us at BareMetalCyber.com. There you’ll find additional episodes, downloadable tools, and a free newsletter designed to sharpen your understanding. And when you’re ready to pass the exam with confidence, visit CyberAuthor.me and get your copy of Achieve CompTIA Security+ SY0-701 Exam Success. It’s the clearest, most effective guide available for mastering every domain and earning your certification.
