Chapter 98 · Tricks

Multifactor Authentication — Exam Tricks

Four high-yield patterns: classifying any authentication method to its factor category in two seconds, the biometric mathematical representation fact the exam always tests, the SMS OTP SIM-swap weakness, and the FAR/FRR security vs. usability axis.

Trick 1 Four Factor Categories — Classify Any Method in Two Seconds

The exam will name an authentication method and ask which factor category it belongs to. The classification is determined by asking one question about the method:

  • Is it something memorized or recalled?Something you know (password, PIN, pattern, security question)
  • Is it a physical item you carry or a device you possess?Something you have (smart card, USB security key, hardware token, software token app, phone for SMS OTP)
  • Is it a body characteristic that is measured?Something you are (fingerprint, iris, retina, voice, face geometry)
  • Is it a location that is verified?Somewhere you are (IP geolocation, GPS, cellular, Wi-Fi triangulation)

The most common classification confusion the exam exploits:

  • SMS OTP → something you have (not something you know). The code is received via the phone, not memorized in advance. It requires possession of the registered phone number.
  • Software token app (Google Authenticator) → something you have. Requires the registered smartphone device.
  • PIN → something you know. Even though it is short, it is memorized. However: a PIN + smart card combination = know + have = MFA.
Rule: Know = memorized. Have = physical item/device. Are = body measurement. Where = location verified. SMS OTP is "have" not "know" — always.
Trick 2 Biometrics — Mathematical Representation, Not Image or Hash

The exam will ask what is stored in a biometric database or how biometric authentication works. Three wrong answers will be offered:

  • “A high-resolution image of the biometric” — wrong. Images are captured during enrollment but not stored. Storing the image would create a different privacy and security problem.
  • “A cryptographic hash of the biometric data” — wrong. Biometrics are not hashed like passwords. Hashing would require exact bit-for-bit reproduction at authentication time, which is impossible with biological inputs (fingerprints compress slightly differently each scan).
  • “An encrypted template that can be reconstructed into the original biometric” — wrong. Templates are not reversible.

The correct answer: a mathematical representation (or template, or feature set) extracted from the biometric. Key point numbers, distances, angles, and patterns are extracted and stored as a vector of measurements. Authentication compares a new extraction against this stored model.

The cannot-be-changed follow-up: if the exam asks what happens when a biometric database is breached, the answer is that affected users cannot change their biometric. This is unique to the inherence factor and has no equivalent in other factor types.

Rule: Biometrics store mathematical representations (feature extractions), not images, not hashes. If compromised, the biometric cannot be changed. These are always the exam's two biometric fact-check points.
Trick 3 SMS OTP Weakness — SIM Swap = Weakest "Something You Have"

The exam will describe a scenario where MFA was bypassed and ask why SMS OTP specifically failed. The answer is always SIM swapping, and the stronger alternative is always a hardware token or FIDO2 security key.

The SIM swap scenario pattern:

  1. Attacker obtains victim's password (phishing, credential stuffing, dark web purchase)
  2. Attacker contacts the mobile carrier, impersonates the victim, and convinces carrier to port the phone number to a new SIM
  3. Victim's phone loses service; attacker's phone starts receiving all calls and SMS
  4. Attacker initiates login, enters victim's password, receives the SMS OTP on their phone, enters it
  5. Authentication succeeds despite MFA being enabled

Why hardware token and FIDO2 keys resist this:

  • Hardware tokens are physical devices that cannot be transferred via a phone call to a carrier
  • FIDO2 keys use challenge-response cryptography bound to the physical device AND the specific website domain — no interceptable code is ever transmitted
Rule: SMS OTP = weakest "something you have" because phone numbers can be ported (SIM swap). Hardware token or FIDO2 security key = SIM swap resistant. If the exam shows a SIM swap scenario, SMS OTP is the weak factor.
Trick 4 FAR vs. FRR — Security vs. Usability, Not What You Think

The exam often presents FAR and FRR with the definitions reversed in the wrong answer choices. The key is to memorize which direction each error goes:

  • FAR (False Acceptance Rate): the system accepts someone it should reject. An impostor is falsely accepted. This is the security metric — high FAR = security failure.
  • FRR (False Rejection Rate): the system rejects someone it should accept. A legitimate user is falsely rejected. This is the usability metric — high FRR = user frustration.

The trade-off the exam tests:

  • Making the biometric scanner more sensitive (stricter match required) → fewer impostors accepted (FAR drops) but more legitimate users rejected (FRR rises)
  • Making the scanner less sensitive (looser match) → fewer legitimate users rejected (FRR drops) but more impostors accepted (FAR rises)
  • CER = the sensitivity setting where FAR = FRR. Lower CER = better system (same accuracy at a better balance point)

Memory device: FAR = security risk (False Access is given to an attacker). FRR = Frustrating for Real users (Real users are Rejected).

Rule: FAR = security risk (impostor gets in). FRR = usability problem (legitimate user locked out). They trade off against each other. CER = where FAR equals FRR; lower CER = better biometric system.
Practice Scenarios
Scenario A: A company deploys three different authentication methods across departments: (1) employees enter a password and then enter a 6-digit code texted to their registered cell phone; (2) executives use a smart card inserted into a reader plus a 4-digit PIN; (3) warehouse staff scan their fingerprint on a reader and then enter a password on a keypad. For each method: identify the factor categories used, classify whether this is true MFA, and identify the weakest factor in each combination.
Answer: Method 1 (employees with SMS OTP): Factor 1 = password = something you know. Factor 2 = SMS OTP = something you have (requires control of the registered phone number). True MFA: YES — knowledge + possession = two different categories. Weakest factor: the SMS OTP. It can be intercepted via SIM swapping, SS7 protocol attacks, or malware on the phone that reads incoming messages. The password is also a weak factor if reused, but the SMS OTP is the weaker MFA factor specifically. Method 2 (executives with smart card + PIN): Factor 1 = smart card = something you have (physical card with embedded cryptographic keys). Factor 2 = PIN = something you know. True MFA: YES — possession + knowledge = two different categories. Weakest factor: the PIN. PINs are typically short (4-6 digits) and can be shoulder-surfed when executives use readers in public spaces. However, the cryptographic card makes the combination stronger than passwords + SMS. A stolen card without the PIN is unusable; this asymmetry makes smart card + PIN more resilient than typical MFA combinations. Method 3 (warehouse with fingerprint + password): Factor 1 = fingerprint = something you are (biometrics). Factor 2 = password = something you know. True MFA: YES — inherence + knowledge = two different categories. Weakest factor: the fingerprint, but for a different reason than the others. If the biometric database is compromised, warehouse staff cannot change their fingerprints. The password can be changed; the fingerprint cannot. Also, consumer-grade fingerprint readers may have higher FAR than enterprise-grade readers, potentially allowing impostors through with partial fingerprint matches.
Scenario B: A healthcare organization evaluates two biometric options for clinical workstation authentication. System X has FAR = 0.5%, FRR = 0.3%, CER = 0.4%. System Y has FAR = 0.1%, FRR = 2.0%, CER = 0.6%. The hospital has 500 clinical staff who authenticate an average of 8 times per shift. Which system should the hospital choose, and what is the practical impact of each system's error rates on clinical operations and security?
Answer: The hospital should choose System X. Here is why: System X security and usability analysis: FAR of 0.5% means that for every 200 authentication attempts by impostors, 1 would be incorrectly accepted. FRR of 0.3% means that for every 333 legitimate authentication attempts, 1 would be incorrectly rejected. With 500 staff authenticating 8 times per shift = 4,000 legitimate authentication events per shift. At FRR = 0.3%, approximately 12 legitimate authentications per shift would be incorrectly rejected, requiring re-scan or override. CER = 0.4%. System Y security and usability analysis: FAR of 0.1% provides stronger security (fewer impostor acceptances). However, FRR of 2.0% means that for every 50 legitimate authentication attempts, 1 fails. With 4,000 events per shift at 2.0% FRR, approximately 80 incorrect rejections per shift would occur. Clinical staff attempting to access patient information would be rejected 80 times per shift, causing them to abandon the biometric or constantly request overrides. In healthcare, authentication friction during emergencies can directly harm patients. CER = 0.6% (worse overall accuracy than System X despite lower FAR). The correct choice is System X because it has a lower CER (better overall accuracy), an operationally tolerable FRR (12 rejections per shift vs. 80), and the FAR difference (0.5% vs 0.1%) can be mitigated by combining fingerprint authentication with a PIN as a second factor. The hospital should deploy System X as the biometric factor within an MFA system rather than relying on it alone.
Scenario C: A financial institution's fraud team investigates three account takeover incidents from the same week. Incident 1: an attacker who obtained a victim's login credentials called the mobile carrier, claimed to be the victim, and had the victim's number ported to a new SIM. Incident 2: an attacker used a VPN exit node in the same city as the victim to bypass the IP geolocation check during authentication. Incident 3: an attacker cloned a victim's software token seed value by exploiting a malware infection on the victim's Android device. For each incident, identify which authentication factor was defeated, how it was defeated, and recommend a specific stronger control that would have prevented that specific attack.
Answer: Incident 1 — SIM swap bypass of SMS OTP: Factor defeated: something you have (specifically SMS OTP via control of the phone number). Defeat mechanism: SIM swapping allowed the attacker to take control of the phone number without physically stealing the phone. Stronger control: replace SMS OTP with a FIDO2/WebAuthn hardware security key (USB YubiKey or Titan key). Hardware security keys are cryptographically bound to the physical device and use domain-specific challenge-response authentication. No phone number is involved; there is nothing to SIM-swap. Alternatively, use a hardware RSA token (a dedicated physical OTP device) which also cannot be SIM-swapped. Incident 2 — VPN bypass of IP geolocation: Factor defeated: somewhere you are (IP geolocation location factor). Defeat mechanism: a VPN exit node in the target's city made the authentication appear to originate from the expected location. Stronger control: IP geolocation alone is not a reliable authentication factor. Replace or supplement with: (1) device registration — require authentication from a previously registered device with a known device certificate or fingerprint; (2) GPS verification from a trusted mobile application that cannot be easily spoofed via VPN; (3) step-up authentication triggered by any unrecognized device, regardless of IP location. Incident 3 — malware cloning of software token seed: Factor defeated: something you have (software token / TOTP app). Defeat mechanism: malware on the Android device extracted the seed value used by the authenticator app, allowing the attacker to clone the token and generate valid codes independently. Stronger control: use a hardware security token (RSA SecurID physical token) instead of a software authenticator app. Hardware tokens store the seed in tamper-resistant hardware that cannot be read by software running on a general-purpose OS. A malware infection on a computer cannot extract the seed from a hardware token plugged in via USB — the seed never leaves the device. Additionally, harden mobile devices with MDM, prevent unauthorized app installation, and require device health attestation before allowing software token use.