---
title: "MFA — AP Cybersecurity Definition & Exam Guide"
description: "MFA (multifactor authentication) adds an extra proof of identity beyond a password, defending against password attacks. Learn how it's tested in AP Cybersecurity Unit 1."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/mfa"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 1"
---

# MFA — AP Cybersecurity Definition & Exam Guide

## Definition

MFA (multifactor authentication) is a security measure that requires extra proof of identity, like a one-time code, in addition to a password, adding a layer of protection against password attacks.

## What It Is

MFA stands for **[multifactor authentication](/ap-cybersecurity/key-terms/multifactor-authentication "fv-autolink")**. It's a way of proving who you are using more than one piece of evidence. A [password](/ap-cybersecurity/unit-1/suspicious-website-logins/study-guide/zppDvyHLHIUFzT3MNwAN "fv-autolink") alone is a single factor, something you know. MFA adds at least one more factor, like a one-time code texted to your phone (something you have) or a fingerprint (something you are). Even if an attacker steals or guesses your password, they still can't log in without that second factor.

In the [AP Cybersecurity](/ap-cybersecurity "fv-autolink") CED, MFA shows up in EK 1.2.C.3 as a defense you should enable whenever it's available. The point is simple: passwords get cracked, stolen, and guessed all the time, so MFA is the backup that keeps a stolen password from being enough. Think of it as a deadbolt added to a doorknob lock. A burglar who picks the knob still hits a second barrier.

## Why It Matters

MFA lives in [Unit 1](/ap-cybersecurity/unit-1 "fv-autolink"): Introduction to Security, specifically Topic 1.2 Suspicious Website Logins. It directly supports learning objective AP Cybersecurity 1.2.C, "Explain how to make [authentication](/ap-cybersecurity/key-terms/authentication "fv-autolink") stronger," and connects to 1.2.A and 1.2.B, which describe how adversaries attack weak passwords. The whole arc of Topic 1.2 is: here's how password attacks work, and here's how you stop them. MFA is the strongest single answer to that second half. When you explain why a long, random password isn't always enough, MFA is the move that closes the gap.

## Connections

### One-Time Password / OTP (Unit 1)

An OTP is the most common second factor MFA uses. When the CED says MFA requires "extra proof of identity, such as a [one-time code](/ap-cybersecurity/key-terms/one-time-password "fv-autolink")," that code is the OTP. MFA is the system; the OTP is one piece of evidence it asks for.

### [Online Password Attack (Unit 1)](/ap-cybersecurity/key-terms/online-password-attack)

EK 1.2.A.1 describes [adversaries](/ap-cybersecurity/unit-3/network-vulnerabilities-and-attacks/study-guide/9lJpNM0eCHQ1M3XgFL97 "fv-autolink") trying to log in with common, patterned, or stolen passwords. MFA is what stops those attacks from succeeding, because guessing the password gets the attacker only halfway in.

### [Credential Stuffing (Unit 1)](/ap-cybersecurity/key-terms/credential-stuffing)

[Credential stuffing](/ap-cybersecurity/key-terms/credential-stuffing "fv-autolink") reuses passwords leaked from one site to break into another. MFA breaks the attack cold, since a reused password still can't supply the second factor on the new account.

### Strong Password Practices (Unit 1)

EK 1.2.C.1 and 1.2.C.2 push long, random, unique passwords. MFA layers on top of those habits. Good passwords reduce the chance of a breach, and MFA contains the damage if one happens anyway.

## On the AP Exam

Expect MFA in multiple-choice questions about strengthening authentication. A stem might describe a scenario with many failed logins or a stolen password and ask what defense best protects the account, where MFA is the strongest answer. You should be able to explain WHY MFA helps: it adds a second factor an attacker is unlikely to have, so a cracked or stolen password alone won't grant access. No released FRQ has used "MFA" verbatim, but the term supports exactly the kind of mitigation reasoning Topic 1.2 expects when you analyze suspicious logins and recommend defenses.

## MFA vs OTP (one-time password)

These get mixed up because they often appear together, but they're not the same thing. MFA is the broader strategy of requiring more than one factor to log in. An OTP is one specific second factor MFA can use, like a six-digit code that expires fast. MFA can also use other factors, such as a fingerprint or a hardware key, so OTP is a tool inside MFA, not a synonym for it.

## Key Takeaways

- MFA stands for multifactor authentication, and it requires extra proof of identity beyond a password as an added layer of security (EK 1.2.C.3).
- MFA defends against online password attacks because guessing or stealing the password isn't enough to log in without the second factor.
- A one-time code (OTP) is the most common second factor, but MFA can also use something you have or something you are.
- MFA is the strongest answer to AP Cybersecurity 1.2.C, which asks how to make authentication stronger.
- Strong passwords and MFA work together: good passwords lower the odds of a breach, and MFA limits the damage if one happens.

## FAQs

### What is MFA in AP Cybersecurity?

MFA, or multifactor authentication, is a security measure from EK 1.2.C.3 that requires you to give extra proof of identity, such as a one-time code, in addition to your password. It adds a second layer that blocks attackers even if they have your password.

### Does MFA mean I don't need a strong password?

No. MFA is an extra layer, not a replacement. The CED still tells you to use long, random, unique passwords (EK 1.2.C.1) and enable MFA on top of that, because each defense covers a weakness the other can't.

### What's the difference between MFA and OTP?

MFA is the overall approach of requiring more than one factor to log in. An OTP is one type of second factor MFA can use, like a code that expires quickly. OTP is a piece of MFA, not the same thing.

### Why does MFA stop credential stuffing and stolen-password attacks?

Because the password alone isn't enough. In credential stuffing, an attacker reuses a leaked password, but MFA still demands a second factor the attacker doesn't have, so the login fails.

### Is MFA on the AP Cybersecurity exam?

Yes. It's part of Unit 1, Topic 1.2, and supports learning objective AP Cybersecurity 1.2.C on making authentication stronger. You should be able to name MFA as a defense and explain why adding a second factor protects an account.

## Related Study Guides

- [1.2 Suspicious Website Logins](/ap-cybersecurity/unit-1/suspicious-website-logins/study-guide/zppDvyHLHIUFzT3MNwAN)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/mfa#resource","name":"MFA — AP Cybersecurity Definition & Exam Guide","url":"https://fiveable.me/ap-cybersecurity/key-terms/mfa","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/mfa#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:29.864Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/mfa#term","name":"MFA","description":"MFA (multifactor authentication) is a security measure that requires extra proof of identity, like a one-time code, in addition to a password, adding a layer of protection against password attacks.","url":"https://fiveable.me/ap-cybersecurity/key-terms/mfa","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 1, Topic 1.2, LO 1.2.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 1, Topic 1.2, LO 1.2.B"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 1, Topic 1.2, LO 1.2.C"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is MFA in AP Cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"MFA, or multifactor authentication, is a security measure from EK 1.2.C.3 that requires you to give extra proof of identity, such as a one-time code, in addition to your password. It adds a second layer that blocks attackers even if they have your password."}},{"@type":"Question","name":"Does MFA mean I don't need a strong password?","acceptedAnswer":{"@type":"Answer","text":"No. MFA is an extra layer, not a replacement. The CED still tells you to use long, random, unique passwords (EK 1.2.C.1) and enable MFA on top of that, because each defense covers a weakness the other can't."}},{"@type":"Question","name":"What's the difference between MFA and OTP?","acceptedAnswer":{"@type":"Answer","text":"MFA is the overall approach of requiring more than one factor to log in. An OTP is one type of second factor MFA can use, like a code that expires quickly. OTP is a piece of MFA, not the same thing."}},{"@type":"Question","name":"Why does MFA stop credential stuffing and stolen-password attacks?","acceptedAnswer":{"@type":"Answer","text":"Because the password alone isn't enough. In credential stuffing, an attacker reuses a leaked password, but MFA still demands a second factor the attacker doesn't have, so the login fails."}},{"@type":"Question","name":"Is MFA on the AP Cybersecurity exam?","acceptedAnswer":{"@type":"Answer","text":"Yes. It's part of Unit 1, Topic 1.2, and supports learning objective AP Cybersecurity 1.2.C on making authentication stronger. You should be able to name MFA as a defense and explain why adding a second factor protects an account."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 1","item":"https://fiveable.me/ap-cybersecurity/unit-1"},{"@type":"ListItem","position":4,"name":"MFA"}]}]}
```
