Multifactor authentication (MFA) is a security method that requires extra proof of identity, such as a one-time code, in addition to your password. In AP Cybersecurity it's the strongest defense against password attacks (EK 1.2.C.3).
Multifactor authentication, usually called MFA, adds a second layer of proof on top of your password. Even if an attacker steals or guesses your password, they still can't get in without that second factor, like a one-time code texted to your phone or generated by an app.
The idea is that authentication factors come in different categories: something you know (a password), something you have (your phone or a hardware key), and something you are (a fingerprint). MFA combines at least two of these. So a stolen password alone, which is one factor, no longer unlocks the account. That's exactly why the CED lists enabling MFA as a top way to make authentication stronger (EK 1.2.C.3).
MFA shows up in Unit 1: Introduction to Security, under topic 1.2 Suspicious Website Logins. It's the payoff for learning objective [AP Cybersecurity 1.2.C], which asks you to explain how to make authentication stronger. The setup comes from [AP Cybersecurity 1.2.A] and [AP Cybersecurity 1.2.B]: adversaries exploit weak passwords with dictionary attacks and login attempts using stolen or common passwords. MFA is the answer to that threat. The whole flow of Unit 1 builds toward it. You learn how passwords get cracked, then you learn the defense that makes a cracked password useless on its own.
One-Time Password / OTP (Unit 1)
An OTP is the most common second factor in MFA. When you enter your password and then get a code on your phone, that code is the OTP doing the MFA job. MFA is the strategy; the OTP is one of the tools that makes it work.
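Added example, not part of the original page or the CED: a minimal Python login check that requires both a password and an app-generated time-based one-time code (TOTP, RFC 6238), showing that a correct password alone is refused. The account record, the password, and the function names are constructed for illustration; the OTP secret is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code stays valid (RFC 6238 default)


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """One-time code for the 30-second window containing `now` (HMAC-SHA1)."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash so the stored value is not the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed account record (sample data, not from the page).
SALT = b"constructed-salt"
ACCOUNT = {
    # Something you know: a pet-name-plus-year password, easy to guess.
    "pw_hash": hash_password("Fluffy2009", SALT),
    # Something you have: the secret stored in the user's authenticator app.
    "otp_secret": b"12345678901234567890",  # RFC 6238 test key
}


def login(password: str, code, now: int) -> str:
    """Return the outcome of a two-factor login attempt at Unix time `now`.

    The result names the failing step for teaching purposes; a real site
    would show one generic error so it does not confirm a correct password.
    """
    if not hmac.compare_digest(hash_password(password, SALT), ACCOUNT["pw_hash"]):
        return "denied: wrong password"
    expected = totp(ACCOUNT["otp_secret"], now)
    if code is None or not hmac.compare_digest(code, expected):
        return "denied: second factor missing or wrong"
    return "granted"


if __name__ == "__main__":
    print(login("Fluffy2009", None, 59))      # password only
    print(login("Fluffy2009", "287082", 59))  # password + current code
```

The same code replayed in a later time window is also refused, which is what makes the password useless on its own even after it has been guessed.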
Online Password Attack (Unit 1)
MFA exists because of this attack. In an online password attack (EK 1.2.A.1), adversaries try logging in with stolen or guessed passwords. MFA defeats them because guessing the password no longer gets them past the second factor.
Dictionary Attack (Unit 1)
Attackers build a dictionary of likely passwords from personal info like birthdays and pet names (EK 1.2.B.2), then automate guesses. Even a successful guess hits a wall at the MFA prompt, which is why long passwords plus MFA beat either one alone.
Password Manager (Unit 1)
A password manager and MFA are teammates from EK 1.2.C. The manager generates long, unique passwords so you don't reuse weak ones; MFA backs that up with a second factor. Together they cover both 'strong password' and 'extra layer.'
Expect MFA on multiple-choice questions that ask you to identify the strongest authentication practice or to recognize an example of MFA in action. A classic stem describes a user who logs in with a password and then receives a one-time code on their phone, and asks which method that is. The answer is multifactor authentication, with the code itself being a one-time password. You may also see questions pairing MFA with a password manager as the two-part recommendation for strong authentication. No released FRQ has used the term verbatim, but you should be ready to explain why MFA stops an attacker who already has the password, tying it back to [AP Cybersecurity 1.2.C].
An OTP is a single temporary code, like the six digits texted to your phone. MFA is the broader method that uses something extra (often an OTP) on top of your password. So an OTP is usually one ingredient inside MFA, not the whole thing. You can have MFA that uses a fingerprint instead of an OTP.
Multifactor authentication requires extra proof of identity in addition to your password, which is the core of EK 1.2.C.3.
MFA combines at least two factor types, such as something you know plus something you have, so a stolen password alone isn't enough.
A one-time code sent to your phone is the most common MFA example you'll see on the exam.
MFA is the direct defense against online password attacks and dictionary attacks covered in topic 1.2.
The CED pairs MFA with a password manager as the two-part recipe for strong authentication.
It's a security method that requires extra proof of identity, like a one-time code, on top of your password (EK 1.2.C.3). It lives in Unit 1, topic 1.2, and is the recommended defense against password attacks.
No. A one-time password (OTP) is just one possible second factor, the temporary code you receive. MFA is the overall method that adds that second factor to your password. MFA can also use a fingerprint or a hardware key instead of an OTP.
No. The CED still wants long, random, unique passwords (EK 1.2.C.1) AND MFA when available. MFA is an extra layer, not a replacement, because the password is still your first factor.
In an online password attack, adversaries try stolen or guessed passwords (EK 1.2.A.1). Even if they get the password right, they can't supply the second factor like a code on your phone, so the login fails.
A user enters their password, then receives a one-time code on their phone before getting in. That two-step process is multifactor authentication, with the code serving as the second factor.