MFA

MFA (multifactor authentication) is a security measure that requires extra proof of identity, like a one-time code, in addition to a password, adding a layer of protection against password attacks.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is MFA?

MFA stands for multifactor authentication. It's a way of proving who you are using more than one piece of evidence. A password alone is a single factor, something you know. MFA adds at least one more factor, like a one-time code texted to your phone (something you have) or a fingerprint (something you are). Even if an attacker steals or guesses your password, they still can't log in without that second factor.

In the AP Cybersecurity CED, MFA shows up in EK 1.2.C.3 as a defense you should enable whenever it's available. The point is simple: passwords get cracked, stolen, and guessed all the time, so MFA is the backup that keeps a stolen password from being enough. Think of it as a deadbolt added to a doorknob lock. A burglar who picks the knob still hits a second barrier.

Why MFA matters in AP Cybersecurity

MFA lives in Unit 1: Introduction to Security, specifically Topic 1.2 Suspicious Website Logins. It directly supports learning objective AP Cybersecurity 1.2.C, "Explain how to make authentication stronger," and connects to 1.2.A and 1.2.B, which describe how adversaries attack weak passwords. The whole arc of Topic 1.2 is: here's how password attacks work, and here's how you stop them. MFA is the strongest single answer to that second half. When you explain why a long, random password isn't always enough, MFA is the move that closes the gap.

How MFA connects across the course

One-Time Password / OTP (Unit 1)

An OTP is the most common second factor MFA uses. When the CED says MFA requires "extra proof of identity, such as a one-time code," that code is the OTP. MFA is the system; the OTP is one piece of evidence it asks for.

Online Password Attack (Unit 1)

EK 1.2.A.1 describes adversaries trying to log in with common, patterned, or stolen passwords. MFA is what stops those attacks from succeeding, because guessing the password gets the attacker only halfway in.

Credential Stuffing (Unit 1)

Credential stuffing reuses passwords leaked from one site to break into another. MFA stops the attack cold, since a reused password still can't supply the second factor on the new account.

Strong Password Practices (Unit 1)

EK 1.2.C.1 and 1.2.C.2 push long, random, unique passwords. MFA layers on top of those habits. Good passwords reduce the chance of a breach, and MFA contains the damage if one happens anyway.

Is MFA on the AP Cybersecurity exam?

Expect MFA in multiple-choice questions about strengthening authentication. A stem might describe a scenario with many failed logins or a stolen password and ask what defense best protects the account, where MFA is the strongest answer. You should be able to explain WHY MFA helps: it adds a second factor an attacker is unlikely to have, so a cracked or stolen password alone won't grant access. No released FRQ has used "MFA" verbatim, but the term supports exactly the kind of mitigation reasoning Topic 1.2 expects when you analyze suspicious logins and recommend defenses.

MFA vs OTP (one-time password)

These get mixed up because they often appear together, but they're not the same thing. MFA is the broader strategy of requiring more than one factor to log in. An OTP is one specific second factor MFA can use, like a six-digit code that expires fast. MFA can also use other factors, such as a fingerprint or a hardware key, so OTP is a tool inside MFA, not a synonym for it.
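The sketch below is an added example, not part of the original study guide. It shows a login check that needs both factors, using a time-based OTP (RFC 6238) as one way to produce the expiring six-digit code. The account record, password, secret and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import struct
from typing import Optional

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time code (RFC 6238, HMAC-SHA1) for the window containing `now`."""
    counter = struct.pack(">Q", int(now // step))        # window number as 8 bytes
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed account record for the demo (not real credentials).
SALT = b"constructed-salt"
PASSWORD = "Summer2024!"                      # reused password that later leaks
ACCOUNT = {
    "pw_hash": hash_password(PASSWORD, SALT),
    "otp_secret": b"12345678901234567890",    # shared with the user's phone at enrollment
}

def login(password: str, code: Optional[str], now: float) -> bool:
    """Grant access only when BOTH factors check out."""
    pw_ok = hmac.compare_digest(hash_password(password, SALT), ACCOUNT["pw_hash"])
    expected = totp(ACCOUNT["otp_secret"], now)
    otp_ok = hmac.compare_digest(code or "", expected)
    # Evaluate both factors and return one answer, so a failure does not
    # tell the caller which factor was wrong.
    return pw_ok and otp_ok

if __name__ == "__main__":
    t = 59                                                # constructed login time (seconds)
    phone_code = totp(ACCOUNT["otp_secret"], t)           # what the user's phone displays
    print("owner, password + code:      ", login(PASSWORD, phone_code, t))
    print("stuffed password, no code:   ", login(PASSWORD, None, t))
    print("stuffed password, wrong code:", login(PASSWORD, "000000", t))
    print("old code replayed later:     ", login(PASSWORD, phone_code, 1111111109))
```

Only the first attempt succeeds: the leaked password is correct in every case, but without a valid code for the current 30-second window the login is refused.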

Key things to remember about MFA

  • MFA stands for multifactor authentication, and it requires extra proof of identity beyond a password as an added layer of security (EK 1.2.C.3).

  • MFA defends against online password attacks because guessing or stealing the password isn't enough to log in without the second factor.

  • A one-time code (OTP) is the most common second factor, but MFA can also use other factors, such as a hardware key (something you have) or a fingerprint (something you are).

  • MFA is the strongest answer to AP Cybersecurity 1.2.C, which asks how to make authentication stronger.

  • Strong passwords and MFA work together: good passwords lower the odds of a breach, and MFA limits the damage if one happens.

Frequently asked questions about MFA

What is MFA in AP Cybersecurity?

MFA, or multifactor authentication, is a security measure from EK 1.2.C.3 that requires you to give extra proof of identity, such as a one-time code, in addition to your password. It adds a second layer that blocks attackers even if they have your password.

Does MFA mean I don't need a strong password?

No. MFA is an extra layer, not a replacement. The CED still tells you to use long, random, unique passwords (EK 1.2.C.1) and enable MFA on top of that, because each defense covers a weakness the other can't.

What's the difference between MFA and OTP?

MFA is the overall approach of requiring more than one factor to log in. An OTP is one type of second factor MFA can use, like a code that expires quickly. OTP is a piece of MFA, not the same thing.

Why does MFA stop credential stuffing and stolen-password attacks?

Because the password alone isn't enough. In credential stuffing, an attacker reuses a leaked password, but MFA still demands a second factor the attacker doesn't have, so the login fails.

Is MFA on the AP Cybersecurity exam?

Yes. It's part of Unit 1, Topic 1.2, and supports learning objective AP Cybersecurity 1.2.C on making authentication stronger. You should be able to name MFA as a defense and explain why adding a second factor protects an account.
