Multifactor Authentication

Multifactor authentication (MFA) is an access control method in AP CSP Topic 5.6 where a user is granted access only after presenting several separate pieces of evidence, typically from at least two categories: knowledge (something you know), possession (something you have), and inherence (something you are).

Verified for the 2027 AP Computer Science Principles exam

Last updated June 2026

What is Multifactor Authentication?

Multifactor authentication is a method of computer access control where you only get in after presenting several separate pieces of evidence to an authentication system. The CED (EK IOC-2.B.3) spells out the three categories of evidence: knowledge (something you know, like a password or PIN), possession (something you have, like a phone that receives a code), and inherence (something you are, like a fingerprint or face scan).

The whole point is the word multi-FACTOR, not multi-step. Two passwords are still just one factor (knowledge), so they don't count as MFA. Real MFA combines factors from different categories. That way, if a hacker steals your password through phishing or keylogging, they still hit a wall, because they don't have your phone or your fingerprint. Think of it like a bank vault that needs both a key and a combination. Stealing one gets an attacker nothing.
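To make the "stolen password hits a wall" idea concrete, here is an added simulation (example code written for this page, not part of the original article) of a login that requires both a knowledge factor and a possession factor. The salt and device secret are constructed demo values, the six-digit code is a simplified HOTP-style construction derived from a per-device secret and a counter, and the account is an ordinary dictionary; all of those are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed demo values for this example; a real system generates a random
# per-user salt and a per-device secret at enrollment.
DEMO_SALT = b"constructed-demo-salt"
DEMO_DEVICE_SECRET = b"constructed-demo-device-secret"


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor: store a slow salted hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def one_time_code(device_secret: bytes, counter: int) -> str:
    """Possession factor: a 6-digit code derived from a secret only the enrolled
    device holds and a counter that advances after each use (a simplified
    HOTP-style construction, not a full RFC 4226 implementation)."""
    mac = hmac.new(device_secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def make_account(password: str) -> dict:
    """Enroll a user: the server keeps the password hash, the device secret,
    and the counter of the next code it expects."""
    return {
        "salt": DEMO_SALT,
        "pw_hash": hash_password(password, DEMO_SALT),
        "device_secret": DEMO_DEVICE_SECRET,
        "counter": 0,
    }


def verify_password(account: dict, password: str) -> bool:
    """Constant-time comparison of the candidate hash against the stored one."""
    candidate = hash_password(password, account["salt"])
    return hmac.compare_digest(candidate, account["pw_hash"])


def verify_code(account: dict, code: str) -> bool:
    """Accept only the code for the current counter, then advance the counter
    so the same code cannot be replayed."""
    expected = one_time_code(account["device_secret"], account["counter"])
    if hmac.compare_digest(expected.encode("utf-8"), str(code).encode("utf-8")):
        account["counter"] += 1
        return True
    return False


def login(account: dict, password: str, code: str) -> bool:
    """Grant access only when BOTH the knowledge factor and the possession
    factor check out. A stolen password alone never passes."""
    if not verify_password(account, password):
        return False
    return verify_code(account, code)


if __name__ == "__main__":
    user = make_account("correct horse battery")
    # Legitimate user: knows the password and holds the enrolled device.
    fresh_code = one_time_code(DEMO_DEVICE_SECRET, user["counter"])
    print("user with password + device code:", login(user, "correct horse battery", fresh_code))
    # Someone who phished or keylogged the password but has no device.
    print("stolen password only:", login(user, "correct horse battery", ""))
```

Running it shows the first login succeeding and the second failing even though the password is correct, which is exactly the point of the vault analogy: the attacker has the combination but not the key. The counter also means a code captured once cannot be reused later.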

Why Multifactor Authentication matters in AP Computer Science Principles

MFA lives in Topic 5.6 (Safe Computing) in Unit 5: Impact of Computing, under learning objective AP Comp Sci P 5.6.B, which asks you to explain how computing resources can be protected and misused. EK IOC-2.B.1 names MFA (alongside strong passwords) as one of the two example authentication measures that protect devices and information from unauthorized access. It also connects directly to AP Comp Sci P 5.6.C, because MFA is the standard answer to the attack techniques listed there. Phishing and keylogging both steal passwords, and MFA is what makes a stolen password insufficient on its own. If a question describes a stolen credential and asks what would have helped, MFA is almost always in the answer choices.

How Multifactor Authentication connects across the course

Password (Unit 5)

A strong password is the other authentication measure the CED names in EK IOC-2.B.1, but a password alone is single-factor. MFA wraps a password inside a second, independent check, so the password stops being a single point of failure.

Two-factor authentication (Unit 5)

Two-factor authentication (2FA) is just MFA with exactly two factors. Every 2FA setup is multifactor, but MFA can stack three or more factors for higher-security systems like banking apps.

Keylogging (Unit 5)

Keylogging records every keystroke to steal passwords (EK IOC-2.C.2). MFA is the counter-move, because a logged password is useless without the second factor the attacker can't capture from a keyboard.

Biometrics (Unit 5)

Fingerprints and face scans are the 'something you are' factor in MFA. They're also PII under EK IOC-2.A.1, which creates a tension worth knowing: biometric authentication protects your accounts, but storing biometric data creates its own privacy risk.

Is Multifactor Authentication on the AP Computer Science Principles exam?

MFA shows up in multiple-choice questions, usually in scenario form. A common stem describes a security setup (like a PIN plus a fingerprint scan to enter a building) and asks which vulnerability it mitigates or whether it counts as true MFA. Watch for the classic trap: a combination like a password plus a security question is the WEAKEST 'multifactor' implementation because both pieces come from the knowledge category, so it's really single-factor. Another common angle pairs MFA with a password-policy problem, like users writing down passwords they're forced to change every 30 days, and asks which improvement fixes both usability and security. You need to do three things: classify evidence into the know/have/are categories, judge whether a setup is genuinely multifactor, and explain which attacks (phishing, keylogging, rogue access points) MFA defends against. No released FRQ has used the term, but Unit 5 concepts like this are tested heavily on the end-of-course MCQ section.

Multifactor Authentication vs Two-factor authentication

Two-factor authentication is a specific type of multifactor authentication that uses exactly two factors, like a password plus a code texted to your phone. MFA is the umbrella term for any system using two or more factors from different categories. On the exam, the distinction that actually gets tested is factor categories, not factor count. A password plus a PIN is two pieces of evidence but only one factor (knowledge), so it isn't true multifactor authentication.
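The exam skill described above and in the "Is it on the exam?" section, classifying each piece of evidence into know/have/are and then judging whether a setup is genuinely multifactor, can be written down as a small program. This is an added example for this page, not code from the original article; the evidence labels in the lookup table are constructed for the example, and the rule it encodes is the one the text states: the number of factors is the number of distinct categories, not the number of pieces of evidence.

```python
# Evidence types mapped to the CED's three factor categories (EK IOC-2.B.3).
# The evidence names are constructed labels for this example.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "security question": "knowledge",
    "text message code": "possession",
    "authenticator app code": "possession",
    "hardware security key": "possession",
    "fingerprint": "inherence",
    "face scan": "inherence",
}


def classify(evidence: str) -> str:
    """Return the factor category for one piece of evidence."""
    key = evidence.strip().lower()
    if key not in FACTOR_CATEGORY:
        raise ValueError(f"unknown evidence type: {evidence!r}")
    return FACTOR_CATEGORY[key]


def categories_used(setup) -> list:
    """Distinct categories present in a login setup, in sorted order."""
    return sorted({classify(e) for e in setup})


def factor_count(setup) -> int:
    """The number of FACTORS is the number of distinct categories,
    not the number of pieces of evidence."""
    return len(categories_used(setup))


def is_true_mfa(setup) -> bool:
    """True MFA needs evidence from at least two different categories."""
    return factor_count(setup) >= 2


def describe(setup) -> str:
    """Human-readable verdict for a setup, in the exam's own vocabulary."""
    cats = categories_used(setup)
    labels = {1: "single-factor", 2: "two-factor (true MFA)", 3: "three-factor (true MFA)"}
    label = labels.get(len(cats), "no factors")
    return f"{label}: {len(setup)} piece(s) of evidence across {', '.join(cats) or 'nothing'}"


if __name__ == "__main__":
    # The three setups discussed on this page.
    for setup in (
        ["password", "security question"],        # the classic trap
        ["PIN", "fingerprint"],                    # building entry scenario
        ["password", "text message code", "fingerprint"],
    ):
        print(setup, "->", describe(setup))
```

The first setup prints as single-factor even though it has two pieces of evidence, which is the distinction the multiple-choice questions are built around. Unknown evidence types raise an error rather than being silently guessed, so a setup is never reported as MFA on the strength of something the table does not recognise.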

Key things to remember about Multifactor Authentication

  • Multifactor authentication grants access only after a user presents several separate pieces of evidence, typically from at least two of three categories: knowledge, possession, and inherence.

  • The three factor categories are something you know (password, PIN), something you have (phone, security key), and something you are (fingerprint, face scan).

  • Two pieces of evidence from the same category, like a password and a security question, do not count as true multifactor authentication.

  • MFA defends against phishing and keylogging because a stolen password alone is no longer enough to get into the account.

  • The CED (EK IOC-2.B.1) names MFA and strong passwords as the two example authentication measures that protect devices and information from unauthorized access.

  • Two-factor authentication is just MFA with exactly two factors, so every 2FA system is also multifactor.

Frequently asked questions about Multifactor Authentication

What is multifactor authentication in AP Computer Science Principles?

It's an access control method (EK IOC-2.B.3) where a user only gets access after presenting several separate pieces of evidence, typically from at least two categories: knowledge (something you know), possession (something you have), and inherence (something you are). It's tested under Topic 5.6, Safe Computing.

Is a password plus a security question multifactor authentication?

No. Both are 'something you know,' so that's two pieces of evidence from one factor category, which is still single-factor. This exact setup appears in practice questions as the weakest fake-MFA implementation.

What's the difference between multifactor authentication and two-factor authentication?

Two-factor authentication is MFA with exactly two factors, like a password plus a phone code. MFA is the broader term covering any setup with two or more factors from different categories, including three-factor systems used by banks.

Does multifactor authentication stop phishing?

It doesn't stop the phishing attempt itself, but it blunts the damage. Even if a phishing email (EK IOC-2.C.1) tricks you into giving up your password, the attacker still lacks your second factor, like your phone or fingerprint, so they can't log in.

What are the three factors of authentication?

Knowledge (something you know, like a password or PIN), possession (something you have, like a phone or hardware key), and inherence (something you are, like a fingerprint or facial recognition). True MFA combines evidence from at least two of these.