Authentication Fundamentals
The process of verifying identity before granting access. Authentication uses factors including something you know (passwords), something you have (tokens), something you are (biometrics), and somewhere you are (location).
Understanding Authentication Fundamentals
Authentication answers one question: "Are you who you claim to be?" Before a system grants access, it must verify the user's identity. This verification uses one or more authentication factors.
The four authentication factors are:
- •Something you know — Passwords, PINs, security questions
- •Something you have — Smart cards, tokens, phones
- •Something you are — Fingerprints, retina scans, facial recognition
- •Somewhere you are — GPS location, IP address, network segment
Single-factor authentication uses one factor (usually a password). Multi-factor authentication (MFA) requires two or more DIFFERENT factors, dramatically increasing security because an attacker must compromise multiple factor types.
Why This Matters for the Exam
Authentication is tested heavily throughout the Security+ exam. Domain 4 covers identity and access management in depth, but the fundamentals established here are critical for understanding those advanced topics.
The exam frequently tests the difference between authentication (verifying identity) and authorization (granting permissions). It also tests understanding of what constitutes "true" MFA—using two different FACTOR TYPES, not just two passwords or two knowledge questions.
Understanding authentication factors also connects to zero trust architecture (Domain 1.2) where continuous authentication replaces one-time login.
Deep Dive
The Four Authentication Factors
Factor 1: Something You Know (Knowledge)
- •Passwords and passphrases
- •PINs (Personal Identification Numbers)
- •Security questions and answers
- •Pattern locks
*Strengths:* Easy to implement, no hardware required
*Weaknesses:* Can be guessed, phished, stolen from a breached database, reused across sites, shared, or forgotten
Factor 2: Something You Have (Possession)
- •Smart cards and CAC cards
- •Hardware tokens (RSA SecurID)
- •Software tokens and authenticator apps
- •SMS codes (weaker—can be intercepted)
- •USB security keys (FIDO2/WebAuthn)
*Strengths:* Physical possession required; an attacker with only the password is still locked out
*Weaknesses:* Can be lost, stolen, or cloned. One-time codes (SMS, TOTP apps) can also be phished in real time by a proxy site that relays the code; FIDO2/WebAuthn keys resist this because the signed response is bound to the site's origin
Factor 3: Something You Are (Inherence/Biometrics)
- •Fingerprint scans
- •Retina/iris scans
- •Facial recognition
- •Voice recognition
- •Hand geometry
- •Keystroke dynamics
*Strengths:* Unique to the individual, can't be forgotten or shared by accident
*Weaknesses:* Can't be reissued if the template is compromised, matching is probabilistic (false accept and false reject rates must be tuned), and storing biometric data raises privacy concerns
Factor 4: Somewhere You Are (Location)
- •GPS coordinates
- •IP address or network location
- •Geofencing
- •Physical proximity (Bluetooth beacon)
*Strengths:* Adds context to authentication decisions (is this login coming from where this user normally is?)
*Weaknesses:* Can be spoofed (VPNs, proxies, GPS spoofing) and limits mobility; treat location as a risk signal that triggers step-up authentication rather than as proof of identity on its own
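The "somewhere you are" checks listed above are usually combined into a single risk decision: the login source is compared against trusted network segments and a geofence, and, where a previous login is known, against how fast the user would have had to travel since then. The following added example (written for this page, not taken from any exam material or vendor product) implements that decision. The network ranges, the office coordinates, the fence radius, and the 1000 km/h plausibility threshold are all constructed assumptions; the impossible-travel check goes slightly beyond the page's list to show location used as context rather than as a gate.

```python
import ipaddress
import math
from dataclasses import dataclass
from typing import Optional

# Constructed policy values (assumptions for this example): internal segments that
# count as "on the corporate network", and a geofence around an office.
TRUSTED_SEGMENTS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.0.2.0/24"),
]
OFFICE_FENCE = {"lat": 51.5074, "lon": -0.1278, "radius_km": 25.0}
MAX_PLAUSIBLE_KMH = 1000.0  # roughly airliner speed; anything faster is two conflicting locations


@dataclass
class LoginEvent:
    ip: str
    lat: float
    lon: float
    ts: int  # unix seconds


def in_trusted_segment(ip: str) -> bool:
    """Network-segment check: is the source address inside a trusted range?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_SEGMENTS)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def within_geofence(lat: float, lon: float) -> bool:
    """Geofence check: is the reported position inside the office radius?"""
    d = haversine_km(lat, lon, OFFICE_FENCE["lat"], OFFICE_FENCE["lon"])
    return d <= OFFICE_FENCE["radius_km"]


def impossible_travel(prev: LoginEvent, cur: LoginEvent) -> bool:
    """True if the user would have had to move faster than MAX_PLAUSIBLE_KMH."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts) / 3600.0
    if hours <= 0:
        return dist > 0  # two different places at the same instant
    return dist / hours > MAX_PLAUSIBLE_KMH


def location_decision(cur: LoginEvent, prev: Optional[LoginEvent] = None) -> str:
    """Location as context: it never grants access by itself.

    "normal"  -> run the regular factors (password + token) with no extra step
    "step_up" -> unfamiliar location: require an additional factor
    "deny"    -> location conflicts with the previous login; reject and alert
    """
    if prev is not None and impossible_travel(prev, cur):
        return "deny"
    if in_trusted_segment(cur.ip) or within_geofence(cur.lat, cur.lon):
        return "normal"
    return "step_up"


if __name__ == "__main__":
    # Constructed events: a London office login, then one claiming New York an hour later.
    london = LoginEvent("10.20.5.7", 51.5074, -0.1278, ts=0)
    new_york = LoginEvent("203.0.113.9", 40.7128, -74.0060, ts=3600)
    print(location_decision(london))            # normal
    print(location_decision(new_york))          # step_up
    print(location_decision(new_york, london))  # deny
```

Because an IP address or GPS fix can be spoofed, the "normal" outcome only means the usual factors run without an extra prompt; it never replaces them. The geofence and the CIDR list are the two checks the page names; the speed check is the standard way to turn a sequence of locations into a signal.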
Multi-Factor Authentication (MFA)
MFA requires factors from DIFFERENT categories:
| Example | MFA? | Why? |
|---|---|---|
| Password + PIN | ❌ No | Both are "something you know" |
| Password + Fingerprint | ✅ Yes | Knowledge + Inherence |
| Smart card + PIN | ✅ Yes | Possession + Knowledge |
| Password + SMS code | ✅ Yes | Knowledge + Possession (the weakest possession factor: SMS can be intercepted or redirected by SIM swapping) |
| Two passwords | ❌ No | Same factor type twice |
| Fingerprint + Face scan | ❌ No | Both are biometrics |
Two-Factor vs. Multi-Factor:
- •Two-Factor (2FA) = Exactly two factors
- •Multi-Factor (MFA) = Two or more factors
Authentication Methods
Local Authentication
- •Credentials stored on the local system
- •User authenticates directly to the resource
Centralized/Directory Authentication
- •Credentials stored in central directory (Active Directory, LDAP)
- •Single set of credentials for multiple resources
Federated Authentication
- •Trust relationships between organizations
- •Authenticate once, access multiple systems across organizations
- •Uses SAML and OpenID Connect for authentication; OAuth 2.0 (which OpenID Connect builds on) handles delegated authorization, not authentication by itself
Single Sign-On (SSO)
- •Authenticate once to access multiple applications
- •Improves user experience, centralizes authentication
- •Risk: If SSO is compromised, all connected apps are at risk
How CompTIA Tests This
Example Analysis
Scenario: A bank requires customers to log in using their password, then enter a code sent to their registered mobile phone, and finally provide a fingerprint scan on their device before accessing their account.
Analysis: This is three-factor authentication using:
- •Password = Something you know (Factor 1)
- •Mobile phone code = Something you have (Factor 2)
- •Fingerprint = Something you are (Factor 3)
Key insight: This is true MFA because each factor is from a DIFFERENT category. Using password + security question + PIN would NOT be MFA—all three are "something you know."
Why three factors? Higher-risk systems (banking) warrant stronger authentication. Each additional factor type forces the attacker to compromise another independent channel: a leaked password is useless without the phone, and a stolen phone is useless without the fingerprint. The gain is only as strong as the weakest factor, though; a code texted to the phone can still be phished or SIM-swapped, which is why the page lists SMS as the weaker possession method.
Exam Tips
Memory Trick
"What you KNOW, HAVE, ARE, and WHERE"
- •KNOW = Knowledge (passwords, PINs)
- •HAVE = Possession (tokens, cards, phones)
- •ARE = Inherence (biometrics, fingerprints)
- •WHERE = Location (GPS, IP address)
- •The MFA Test:
  - •Ask: "Are these factors from DIFFERENT categories?"
  - •Yes → True MFA
  - •No → Not really multi-factor
- •Factor Strength Memory:
  - •Knowledge = Weakest (can be guessed, phished, or reused from a breach)
  - •Possession = Better (physical item needed; one-time codes can still be relayed by a phishing site, FIDO2 keys cannot)
  - •Inherence = Strong (unique to the person, but cannot be reissued if the template leaks)
  - •Location = Context (a risk signal that triggers step-up, not a standalone gate)
AAA Order:
- •Authentication (who are you?)
- •Authorization (what can you access?)
- •Accounting (what did you do?)
Test Your Knowledge
Q1.A user logs into a system using a password and then must answer three security questions. How many authentication factors are being used?
Q2.Which combination represents true multi-factor authentication (MFA)?
Q3.What is the PRIMARY difference between authentication and authorization?