---
title: "Multifactor Authentication — AP CSP Definition & Exam Guide"
description: "Multifactor authentication requires two or more types of evidence (know, have, are) to grant access. A core AP CSP Topic 5.6 defense against phishing and keylogging."
canonical: "https://fiveable.me/ap-comp-sci-p/key-terms/multifactor-authentication"
type: "key-term"
subject: "AP Computer Science Principles"
unit: "Unit 5"
---

# Multifactor Authentication — AP CSP Definition & Exam Guide

## Definition

Multifactor authentication (MFA) is an access control method in AP CSP Topic 5.6 where a user is granted access only after presenting several separate pieces of evidence, typically from at least two categories: knowledge (something you know), possession (something you have), and inherence (something you are).

## What It Is

Multifactor authentication is a method of computer access control where you only get in after presenting **several separate pieces of evidence** to an authentication system. The CED (EK IOC-2.B.3) spells out the three categories of evidence: **knowledge** (something you know, like a password or PIN), **possession** (something you have, like a phone that receives a code), and **inherence** (something you are, like a fingerprint or face scan).

The whole point is the word *multi-FACTOR*, not multi-step. Two passwords are still just one factor (knowledge), so they don't count as MFA. Real MFA combines factors from *different* categories. That way, if a hacker steals your password through [phishing](/ap-comp-sci-p/key-terms/phishing "fv-autolink") or keylogging, they still hit a wall, because they don't have your phone or your fingerprint. Think of it like a bank vault that needs both a key and a combination. Stealing one gets an attacker nothing.
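The rule above as a login check, in an added example that is not part of the original guide: access is granted only when every piece of evidence verifies and the verified evidence spans two different categories. The account values are constructed, and a time-based one-time code (TOTP, RFC 6238) is assumed as the way the phone produces its code.

```python
import hashlib, hmac, struct

SALT = b"constructed-salt"  # constructed sample value

def kdf(secret: str) -> bytes:
    """Slow hash so stored knowledge factors are not kept in plain text."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, 100_000)

def totp(key: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time code (RFC 6238): HMAC over the current time window."""
    mac = hmac.new(key, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

# Constructed account record; the user's phone holds the same totp_key.
ACCOUNT = {
    "password": kdf("correct horse battery"),
    "security_answer": kdf("maple street"),
    "totp_key": b"constructed-phone-key",
}

def same(a: bytes, b: bytes) -> bool:
    return hmac.compare_digest(a, b)  # constant-time comparison

# evidence kind -> (factor category, verifier)
CHECKS = {
    "password": ("knowledge", lambda v, now: same(kdf(v), ACCOUNT["password"])),
    "security_answer": ("knowledge", lambda v, now: same(kdf(v), ACCOUNT["security_answer"])),
    "phone_code": ("possession", lambda v, now: same(v.encode(), totp(ACCOUNT["totp_key"], now).encode())),
}

def login(evidence: dict, now: float, required_categories: int = 2) -> bool:
    """Grant access only if all evidence verifies and spans enough categories."""
    verified = set()
    for kind, value in evidence.items():
        if kind not in CHECKS:
            return False
        category, check = CHECKS[kind]
        if not check(value, now):
            return False          # any failed check denies the login
        verified.add(category)
    return len(verified) >= required_categories  # count categories, not items
```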

## Why It Matters

MFA lives in **Topic 5.6 (Safe Computing)** in **[Unit 5](/ap-comp-sci-p/unit-5): Impact of Computing**, under learning objective **AP Comp Sci P 5.6.B**, which asks you to explain how computing resources can be protected and misused. EK IOC-2.B.1 names MFA (alongside strong passwords) as one of the two example authentication measures that protect devices and information from unauthorized access. It also connects directly to **AP Comp Sci P 5.6.C**, because MFA is the standard answer to the attack techniques listed there. Phishing and keylogging both steal passwords, and MFA is what makes a stolen password insufficient on its own. If a question describes a stolen credential and asks what would have helped, MFA is almost always in the answer choices.

## Connections

### Password (Unit 5)

A [strong password](/ap-comp-sci-p/unit-5/safe-computing/study-guide/zMi0PutBHnDjIlOB5lMs "fv-autolink") is the other authentication measure the CED names in EK IOC-2.B.1, but a password alone is single-factor. MFA wraps a password inside a second, independent check, so the password stops being a single point of failure.

### Two-factor authentication (Unit 5)

Two-factor authentication (2FA) is just MFA with exactly two factors. Every 2FA setup is multifactor, but MFA can stack three or more factors for higher-security systems like banking apps.

### [Keylogging (Unit 5)](/ap-comp-sci-p/key-terms/keylogging)

[Keylogging](/ap-comp-sci-p/key-terms/keylogging "fv-autolink") records every keystroke to steal passwords (EK IOC-2.C.2). MFA is the counter-move, because a logged password is useless without the second factor the attacker can't capture from a keyboard.

### Biometrics (Unit 5)

Fingerprints and face scans are the 'something you are' factor in MFA. They're also PII under EK IOC-2.A.1, which creates a tension worth knowing: biometric authentication protects your accounts, but storing biometric data creates its own privacy risk.

## On the AP Exam

MFA shows up in multiple-choice questions, usually in scenario form. A common stem describes a security setup (like a PIN plus a fingerprint scan to enter a building) and asks which vulnerability it mitigates or whether it counts as true MFA. Watch for the classic trap: a combination like a password plus a security question is the WEAKEST 'multifactor' implementation because both pieces come from the knowledge category, so it's really single-factor. Another common angle pairs MFA with a password-policy problem, like users writing down passwords they're forced to change every 30 days, and asks which improvement fixes both usability and security. You need to do three things: classify evidence into the know/have/are categories, judge whether a setup is genuinely multifactor, and explain which attacks (phishing, keylogging, rogue access points) MFA defends against. No released FRQ has used the term, but Unit 5 concepts like this are tested heavily on the end-of-course MCQ section.

## Multifactor Authentication vs Two-factor authentication

Two-factor authentication is a specific type of multifactor authentication that uses exactly two factors, like a password plus a code texted to your phone. MFA is the umbrella term for any system using two or more factors from different categories. On the exam, the distinction that actually gets tested is factor *categories*, not factor *count*. A password plus a PIN is two pieces of evidence but only one factor (knowledge), so it isn't true multifactor authentication.

## Key Takeaways

- Multifactor authentication grants access only after a user presents several separate pieces of evidence, typically from at least two of three categories: knowledge, possession, and inherence.
- The three factor categories are something you know (password, PIN), something you have (phone, security key), and something you are (fingerprint, face scan).
- Two pieces of evidence from the same category, like a password and a security question, do not count as true multifactor authentication.
- MFA defends against phishing and keylogging because a stolen password alone is no longer enough to get into the account.
- The CED (EK IOC-2.B.1) names MFA and strong passwords as the two example authentication measures that protect devices and information from unauthorized access.
- Two-factor authentication is just MFA with exactly two factors, so every 2FA system is also multifactor.

## FAQs

### What is multifactor authentication in AP Computer Science Principles?

It's an access control method (EK IOC-2.B.3) where a user only gets access after presenting several separate pieces of evidence, typically from at least two categories: knowledge (something you know), possession (something you have), and inherence (something you are). It's tested under Topic 5.6, Safe Computing.

### Is a password plus a security question multifactor authentication?

No. Both are 'something you know,' so that's two pieces of evidence from one factor category, which is still single-factor. This exact setup appears in practice questions as the weakest fake-MFA implementation.

### What's the difference between multifactor authentication and two-factor authentication?

Two-factor authentication is MFA with exactly two factors, like a password plus a phone code. MFA is the broader term covering any setup with two or more factors from different categories, including three-factor systems used by banks.

### Does multifactor authentication stop phishing?

It doesn't stop the phishing attempt itself, but it blunts the damage. Even if a phishing email (EK IOC-2.C.1) tricks you into giving up your password, the attacker still lacks your second factor, like your phone or fingerprint, so they can't log in.

### What are the three factors of authentication?

Knowledge (something you know, like a password or PIN), possession (something you have, like a phone or hardware key), and inherence (something you are, like a fingerprint or facial recognition). True MFA combines evidence from at least two of these.

## Related Study Guides

- [Big Idea 5 Overview: Impact of Computing](/ap-comp-sci-p/unit-5/review/study-guide/5aed2VkfxMBYFkBVCEhn)

