Lesson Notes

MFA

Module 1: Foundations. Pure theory—multi-factor authentication: something you know, have, and are; TOTP, hardware keys, SMS pros/cons; how MFA blocks credential theft and brute-force. Builds on social engineering and first line of defence.

Module 1: Foundations — MFA

This lesson is pure theory—no labs or commands. Multi-factor authentication (MFA) adds a second (or more) factor so that a stolen or guessed password is not enough on its own. It is one of the most effective defences against credential theft and brute-force attacks.

1. Core Principle: Something You Know + Something You Have or Are

MFA requires two or more factors: typically “something you know” (password or PIN), plus “something you have” (phone, hardware key, app) or “something you are” (fingerprint, face). Even if an attacker gets your password (phishing, leak, MITM), they still need the second factor. That is why MFA blocks the vast majority of account takeovers in practice (e.g. Microsoft and other studies).

2. Factor Types and Trade-offs

Knowledge: password, PIN—easy to use but vulnerable to phishing and keyloggers. Possession: TOTP apps (Google Authenticator, Authy), SMS codes, hardware keys (YubiKey). TOTP is strong; SMS is weak (SIM swap, interception). Hardware keys resist phishing well. Inherence: fingerprint, Face ID—convenient but can be spoofed in some scenarios. Location (geofencing) is sometimes used as an additional signal. For most users, TOTP or a hardware key is the recommended second factor.

3. TOTP Mechanics (Time-Based One-Time Password)

A shared secret is set up between the service and your app (e.g. via QR code). The app and server both compute a 6-digit code from that secret and the current time, in 30-second windows, using HMAC-SHA1. The code changes every 30 seconds. Even if a phishing site steals your password and a one-time code, the code expires quickly and cannot be reused. Guessing a TOTP code is impractical: each code is valid only for its short time window, and without the shared secret an attacker cannot compute the codes in advance.
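The mechanics above, as an added worked example that is not part of the lesson notes: the HMAC-SHA1 time-window construction on the client side, and a server-side verifier that compares in constant time, tolerates one window of clock skew (an assumption of this example), and refuses any code from a window it has already accepted, which is what makes a stolen code unusable a second time. The secret is a constructed demo value (the RFC 6238 test secret), not a real enrolment.

```python
import hmac
import hashlib
import struct
import time

# TOTP as described in the lesson: HMAC-SHA1 over a 30-second time step,
# truncated to a 6-digit code (the RFC 4226 / RFC 6238 construction).
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: HMAC-SHA1(secret, counter) followed by dynamic truncation."""
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # low nibble selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP: HOTP with the counter derived from the current time window."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Server-side check: constant-time compare, small clock-skew window,
    and rejection of any window already used (a replayed code fails)."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps          # assumed tolerance: +/- 1 window
        self.last_accepted_step = -1          # highest window accepted so far

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for step in range(current - self.skew_steps, current + self.skew_steps + 1):
            if step <= self.last_accepted_step:
                continue                      # already consumed: treat as replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret; real secrets are random and set up at enrolment.
    demo_secret = b"12345678901234567890"
    print(totp(demo_secret, int(time.time())))
```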

4. Attack Resistance and Best Practices

Brute-force on passwords is less effective when MFA is required—the attacker would need the second factor for each account. Phishing that steals a password still needs the second factor; real-time phishing that tries to capture a TOTP code is possible but harder. MFA should be enabled on all sensitive accounts (email, banking, work). In pentesting you will look for missing MFA and recommend it as a high-impact control.

Key Takeaway for Lesson 4

MFA adds a second factor (something you have or are) so that a stolen password is not enough. TOTP and hardware keys are strong options; SMS is weaker. MFA blocks most account takeovers. Next: encryption and how it protects data in transit.