Domain 5 · Lesson 1 of 5

Authentication Factors & MFA

Authentication Factors & Multi-Factor Authentication

The 4 A's — In Sequence

1. Identification

Claim identity (username, card swipe)

2. Authentication

Prove the claim (password, OTP, biometric)

3. Authorization

Grant permitted access (RBAC, ABAC)

4. Accountability

Audit trail (logs, session recording)

Three Authentication Factor Types

Type         | Meaning            | Examples                                                  | Weakness
Type 1: Know | Something you know | Password, PIN, passphrase, security question              | Phishing, keylogging, shoulder surfing
Type 2: Have | Something you have | SMS OTP, TOTP app, hardware token, smart card, YubiKey    | SIM swap (SMS), theft
Type 3: Are  | Something you are  | Fingerprint, face, iris, retina, voice, vein              | Spoofing (needs liveness detection)

MFA RULE: Must combine 2+ DIFFERENT factor types

  • Phone number + SMS OTP = ONLY Type 2 (not true MFA — same factor type twice)
  • Password + OTP = Type 1 + Type 2 = true MFA ✓
  • Partner E MPIN + biometric = Type 1 + Type 3 = true MFA ✓

Biometric Accuracy Metrics

FAR — False Accept Rate

Wrong person gets in. Security risk. Also called Type II error or False Positive in security context.

FRR — False Reject Rate

Right person locked out. Usability risk. Also called Type I error.

CER / EER — Crossover Error Rate

Point where FAR = FRR. Lower CER = more accurate system.

FAR and FRR trade off against each other — tightening sensitivity reduces FAR but increases FRR. CER is the single number used to compare biometric systems: a system with CER 1% is more accurate than one with CER 5%.
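The trade-off above, worked through in code. This is an added example, not part of the lesson: the matcher scores are constructed, and the threshold sweep shows FAR falling and FRR rising as the acceptance threshold is tightened, with the CER read off where the two curves cross.

```python
# Added example (not part of the lesson): computing FAR, FRR and the
# crossover error rate (CER/EER) from constructed matcher scores.
from typing import List, Tuple

# Constructed sample data: similarity scores (0..1) produced by a matcher.
# GENUINE  = a user compared against their own enrolled template
# IMPOSTOR = a different person compared against that same template
GENUINE_SCORES = [0.91, 0.88, 0.85, 0.82, 0.80, 0.77, 0.74, 0.70, 0.66, 0.58]
IMPOSTOR_SCORES = [0.62, 0.55, 0.51, 0.48, 0.45, 0.41, 0.38, 0.33, 0.29, 0.21]


def far_frr(threshold: float, genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Return (FAR, FRR) when any score >= threshold is accepted.

    FAR = impostors wrongly accepted / impostor attempts   (security risk)
    FRR = genuine users wrongly rejected / genuine attempts (usability risk)
    """
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def crossover_error_rate(genuine: List[float], impostor: List[float],
                         steps: int = 1000) -> Tuple[float, float]:
    """Sweep the acceptance threshold and return (threshold, CER) at the
    point where FAR and FRR are closest to equal. A lower CER means the
    system separates genuine users from impostors better."""
    best_gap, best_threshold, best_cer = None, 0.0, 1.0
    for i in range(steps + 1):
        t = i / steps
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_gap, best_threshold, best_cer = gap, t, (far + frr) / 2
    return best_threshold, best_cer


if __name__ == "__main__":
    # Tightening the threshold: FAR goes down, FRR goes up.
    for t in (0.50, 0.60, 0.75):
        far, frr = far_frr(t, GENUINE_SCORES, IMPOSTOR_SCORES)
        print(f"threshold={t:.2f}  FAR={far:.0%}  FRR={frr:.0%}")
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER/EER = {cer:.0%} at threshold {t:.3f}")
```

With these constructed scores the loose threshold 0.50 lets 30% of impostors in with no false rejects, 0.75 rejects 40% of genuine users with no false accepts, and the curves cross at roughly 0.58 with a CER of 10%. To compare two vendors, run their score distributions through the same sweep and pick the lower CER.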

NIST SP 800-63A — Identity Proofing Levels

Identity proofing = verifying that a person IS who they claim to be before issuing credentials. Three levels of assurance:

Level | Name                       | Process                                                                                                            | Use Case
IAL1  | Identity Assurance Level 1 | Self-assertion only — no identity verification. Applicant states their own identity.                              | Low-risk accounts, anonymous services
IAL2  | Identity Assurance Level 2 | Remote or in-person identity proofing with identity evidence (government ID). Document validation + biometric comparison. | Financial accounts, most government services
IAL3  | Identity Assurance Level 3 | In-person identity proofing by trained representative. Physical document inspection. Highest assurance.           | High-value government clearances, banking

Non-Person Entities (Service Accounts, API Keys, IoT Devices)

Authentication extends beyond humans: Service accounts = authenticated via client certificates or OIDC federation (not passwords); API keys = Type 2 factor (something you HAVE) — must be rotated and stored in Vault; IoT devices = device certificates, hardware TPM attestation. All non-person entities should have unique identities with least privilege.

FinTech Company X: Platform C microservices use mTLS client certificates for service-to-service auth (Type 3 equivalent for services). Partner D B2B partner uses HMAC-signed requests (API key equivalent). All secrets managed in HashiCorp Vault with auto-rotation.
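What an HMAC-signed request scheme of the kind mentioned for Partner D looks like end to end, as an added example rather than Company X's or Partner D's actual implementation. The header names, the canonical-string layout and the 300-second freshness window are illustrative assumptions; the secret value is constructed.

```python
# Added example (not Partner D's or Company X's actual scheme): HMAC-signed
# API requests and their verification by the receiving service. Header names,
# canonical-string layout and the 300-second window are illustrative assumptions.
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed demo credential. In production the secret is issued per partner,
# held in a secrets manager (e.g. Vault) and rotated; it is never hard-coded.
SHARED_SECRETS: Dict[str, bytes] = {
    "partner-demo": b"constructed-demo-secret-not-for-real-use",
}
MAX_SKEW_SECONDS = 300  # assumption: reject requests more than five minutes old


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind method, path, time and body hash into the signed material, so a
    captured signature cannot be reused for a different request."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(key_id: str, secret: bytes, method: str, path: str,
                 body: bytes, timestamp: Optional[int] = None) -> Dict[str, str]:
    """Client side: produce the authentication headers for one request."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}


def verify_request(headers: Dict[str, str], method: str, path: str,
                   body: bytes, now: Optional[int] = None) -> bool:
    """Server side: every failure path returns the same False, so the caller
    learns nothing about which check tripped."""
    now = int(time.time()) if now is None else now
    secret = SHARED_SECRETS.get(headers.get("X-Key-Id", ""))
    if secret is None:
        return False                      # unknown key id
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False                      # malformed timestamp
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False                      # stale or future-dated: bounds the replay window
    expected = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the signature byte by byte via timing.
    return hmac.compare_digest(expected.encode(), headers.get("X-Signature", "").encode())


if __name__ == "__main__":
    body = b'{"amount": 100, "currency": "VND"}'
    hdrs = sign_request("partner-demo", SHARED_SECRETS["partner-demo"], "POST", "/v1/transfers", body)
    print("valid:", verify_request(hdrs, "POST", "/v1/transfers", body))
    print("tampered body:", verify_request(hdrs, "POST", "/v1/transfers", b'{"amount": 999}'))
```

Binding the timestamp into the signature is what makes the freshness check meaningful: an attacker who captures a valid request cannot simply edit the timestamp header, because the signature would no longer verify.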

Password Best Practices — NIST SP 800-63B

Recommended ✓

  • Prioritize length over complexity (passphrases)
  • Check against breached password lists (HaveIBeenPwned)
  • Allow paste in password fields
  • Store with bcrypt / Argon2 / scrypt (slow + salted)

Avoid ✗

  • Mandatory periodic changes unless compromised
  • Arbitrary complexity rules (special chars, caps)
  • MD5 or SHA-1 for password hashing (fast = bad)
  • Blocking paste (forces weaker passwords)
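The two lists above turned into a checker and a storage routine. This is an added example, not from the lesson or from NIST: it enforces length and a breach-list lookup but no complexity rules, and stores passwords with salted scrypt from the Python standard library. The breach set is a constructed stand-in for a HaveIBeenPwned query, and the 128-character ceiling is an assumption.

```python
# Added example (not from the lesson): a NIST SP 800-63B style password check
# and salted slow hashing using scrypt from the Python standard library.
# The breach corpus below is a constructed stand-in for a HaveIBeenPwned lookup.
import hashlib
import hmac
import secrets
import unicodedata
from typing import Optional

MIN_LENGTH = 8      # 800-63B floor for user-chosen memorized secrets
MAX_LENGTH = 128    # assumption: permit long passphrases, reject only absurd input

# Constructed breach list; a real check queries the full corpus (HIBP offers a
# k-anonymity range API so the password itself never leaves the server).
BREACHED = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"}


def check_password(candidate: str, username: str = "") -> Optional[str]:
    """Return a rejection reason, or None if acceptable.
    Deliberately absent: special-character/uppercase rules and expiry."""
    pw = unicodedata.normalize("NFKC", candidate)   # 800-63B: normalize before checking
    if len(pw) < MIN_LENGTH:
        return "too short: choose a longer passphrase"
    if len(pw) > MAX_LENGTH:
        return "too long"
    if pw.lower() in BREACHED:
        return "found in a breach corpus"
    if username and username.lower() in pw.lower():
        return "contains the username"                # 800-63B context-specific word rule
    return None


# Work factor: N=2^14, r=8, p=1 needs about 16 MiB per hash; raise N as hardware improves.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024


def hash_password(password: str) -> str:
    """Salted scrypt hash, encoded with its parameters so they can be raised later."""
    salt = secrets.token_bytes(16)                    # unique random salt per password
    pw = unicodedata.normalize("NFKC", password).encode()
    digest = hashlib.scrypt(pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                            maxmem=SCRYPT_MAXMEM, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        pw = unicodedata.normalize("NFKC", password).encode()
        digest = hashlib.scrypt(pw, salt=bytes.fromhex(salt_hex), n=int(n), r=int(r),
                                p=int(p), maxmem=SCRYPT_MAXMEM, dklen=32)
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except (ValueError, TypeError):
        return False                                  # malformed record never verifies


if __name__ == "__main__":
    for pw in ("P@ss1", "Password", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record), verify_password("wrong", record))
```

Because the parameters travel with the hash, records created with a lower work factor can be detected and re-hashed on the user's next successful login, without forcing a password change.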

Key Terms

Authentication, MFA, Type 1/2/3 Factor, FAR, FRR, CER, Biometrics, Liveness Detection, OTP, TOTP, FIDO2/WebAuthn, bcrypt, Salt

Exam Tips

  1. MFA requires DIFFERENT factor types — same type twice is NOT MFA (phone number + SMS OTP = only Type 2).
  2. FAR = security risk (lets wrong person in); FRR = usability risk (locks right person out).
  3. Lower CER = more accurate biometric system.
  4. NIST 800-63B recommends length over complexity — do NOT force periodic changes unless compromised.
  5. FIDO2/WebAuthn = phishing-resistant MFA — asymmetric key pair on device, private key never leaves device.

Work Application — FinTech Company X

Partner E biometric MFA: MPIN (Type 1) + biometric face scan (Type 3) = true MFA. eKYC Vendor liveness detection prevents photo spoofing and video replay attacks — essential because face data can be photographed.

OTP rate limiting: OTP capped at 5/hr per phone number prevents Type 2 brute force. Anti-enumeration: OTP always sent regardless of account existence — prevents attackers from discovering valid accounts by observing different responses.

Recommendation: Upgrade Partner C from SMS OTP (Type 2, SIM-swap risk) to TOTP app option (Authenticator app) for users who prefer stronger Type 2 authentication without SIM-swap exposure.
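The OTP controls above in code: RFC 6238 TOTP generation and verification (the stronger Type 2 option recommended for Partner C), and an OTP request gateway that caps sends at 5 per hour per phone number and returns the same reply whether or not the number is throttled or registered. This is an added example, not Company X's, Partner C's or Partner E's implementation; the reply text, the drift window of one step, and the fake SMS outbox are illustrative assumptions.

```python
# Added example (not Company X's or its partners' actual code): RFC 6238 TOTP
# plus an OTP request gateway with a 5-per-hour cap per phone number and a
# uniform response. Limits come from the lesson; the reply text is illustrative.
import hashlib
import hmac
import secrets
import struct
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Tuple

TOTP_STEP_SECONDS = 30
OTP_SEND_LIMIT = 5          # from the lesson: 5 OTPs per hour per phone number
OTP_SEND_WINDOW = 3600


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, step: int = TOTP_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, digits: int = 6,
                step: int = TOTP_STEP_SECONDS, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps for clock drift."""
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-window, window + 1))


class OtpGateway:
    """Issues SMS-style OTPs with two defences from the lesson:
    - rate limit: at most OTP_SEND_LIMIT sends per phone per OTP_SEND_WINDOW;
    - anti-enumeration: the OTP is issued for any number and the reply is
      identical, including when the request is throttled."""
    RESPONSE = "If this number can receive codes, one has been sent."

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now                                   # injectable clock for testing
        self.sends: Dict[str, Deque[float]] = defaultdict(deque)
        self.outbox: List[Tuple[str, str]] = []          # constructed stand-in for the SMS channel
        self.throttled = 0                               # counter worth alerting on

    def request_otp(self, phone: str) -> str:
        t = self.now()
        recent = self.sends[phone]
        while recent and t - recent[0] >= OTP_SEND_WINDOW:
            recent.popleft()                             # slide the one-hour window
        if len(recent) >= OTP_SEND_LIMIT:
            self.throttled += 1
            return self.RESPONSE                         # dropped silently, same reply
        recent.append(t)
        self.outbox.append((phone, f"{secrets.randbelow(10 ** 6):06d}"))
        return self.RESPONSE


if __name__ == "__main__":
    seed = b"12345678901234567890"                       # RFC 6238 test-vector secret
    print(totp(seed, 59, digits=8))                      # RFC 6238 expects 94287082
    gw = OtpGateway()
    for _ in range(6):
        gw.request_otp("+84900000001")
    print(len(gw.outbox), "sent;", gw.throttled, "throttled")
```

The TOTP functions can be checked against the RFC 6238 Appendix B vectors (SHA-1, ASCII secret `12345678901234567890`): time 59 yields `94287082` and time 1111111109 yields `07081804`. The `throttled` counter is the detection hook: a burst of throttled requests for many numbers from one client is the signal an OTP-flooding or enumeration attempt would leave.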

Practice Quiz

Q1. A user logs in with their phone number and then receives an SMS OTP. Is this true MFA?

No — this is NOT true MFA. Phone number (something you have) + SMS OTP (something you have) = only Type 2 factor used twice.
MFA requires combining two or more DIFFERENT factor types. Phone + SMS is both "something you have" (Type 2). To make it true MFA, add a password (Type 1: something you know) or biometric (Type 3: something you are).

Q2. Partner E uses MPIN plus biometric face scan. Which factor types are used, and is this true MFA?

MPIN = Type 1 (something you know). Biometric face = Type 3 (something you are). Yes — this is true MFA combining two different factor types.
MPIN is a Personal Identification Number — knowledge factor (Type 1). Face biometric is an inherence factor (Type 3). Two different types = true multi-factor authentication. eKYC Vendor liveness detection further prevents spoofing attacks against the biometric factor.

Q3. Which biometric error rate represents a security risk — FAR or FRR?

FAR (False Accept Rate) is the security risk — it means an unauthorized person is incorrectly granted access.
FAR = false positive from a security perspective: wrong person gets in. FRR = false negative: right person is locked out (usability problem). On CISSP, FAR is the primary security concern. CER is the crossover point where FAR equals FRR — a lower CER means the system is more accurate overall.

Q4. What does CER measure, and what does a lower CER indicate about a biometric system?

CER (Crossover Error Rate) is the point where FAR equals FRR. A lower CER means the system is more accurate overall.
CER is used to compare biometric systems on a single number. A system with CER 1% makes fewer errors overall than one with CER 5%, because the crossover point (where false accepts equal false rejects) is lower. When comparing two biometric solutions, always choose the one with lower CER.

Q5. Liveness detection — what specific attack does it prevent in the context of biometric authentication?

Liveness detection prevents spoofing attacks — using a photograph, printed image, or video replay to fool a facial recognition or fingerprint scanner into granting access.
Without liveness detection, an attacker could defeat face recognition by holding up a photo. Liveness detection verifies the biometric sample is from a live human (blink detection, 3D depth sensing, micro-expressions). eKYC Vendor implements this for Partner E. For CISSP: Type 3 factors need liveness detection to prevent spoofing — this is their primary weakness.