A one-page reference. Reread before an exam or before moving on. Dense by design.
The three authentication factors (memorize cold)
Factor
"Something you…"
Examples
Defining weakness
Knowledge
…know
Password, PIN, security question
Can be copied without taking anything (phished, guessed, leaked)
Possession
…have
Hardware key, authenticator app, SIM, smart card
As strong as how possession is proven (a code relays; a signature doesn't)
Inherence
…are
Fingerprint, face, iris, voice
Irrevocable; only as trustworthy as the device that measures it
MFA = factors from different categories. A password + a security question is one factor twice
(both knowledge) — not MFA. Security comes from the independence of the categories.
NIST 800-63 authenticator assurance levels (AAL)
AAL
Meaning
Authenticators
Phishing-resistant?
AAL1
Some confidence
Single factor (e.g., password)
No
AAL2
High confidence (MFA)
Password + TOTP/push; or a passkey
Not necessarily
AAL3
Very high (hardware MFA)
FIDO2/WebAuthn hardware authenticator
Required
Rule: match the AAL to the value/risk of what is protected. Money movement + admin → AAL3.
Password storage (never store the password)
Scheme
Verdict
Why
Plaintext / reversible "encryption"
❌ Critical fail
One breach = every credential exposed
MD5 / SHA1 / unsalted SHA256
❌ Fail
Fast + unsalted → rainbow tables + GPU cracking
Salted fast hash (SHA256(salt+pw))
⚠️ Weak
Salt defeats tables, but still fast to brute-force
bcrypt (per-user salt, real work factor)
✅ OK
Deliberately slow
scrypt / Argon2id
✅✅ Best
Slow and memory-hard (blunts GPU/ASIC); Argon2id preferred
Salt defeats precomputation (rainbow tables); slow/memory-hard hash defeats brute-force speed.
You need both — they counter different attacks.
Salt is not secret; its job is uniqueness. Generate per user; store with the hash.
Password policy — modern NIST (unlearn the old rules)
Do
Don't
Length over complexity; allow ≥64-char passphrases
Mandate composition (must have a symbol)
Force change only on evidence of compromise
Force routine periodic (90-day) expiration
Screen against breached/common-password lists
Trust composition rules to imply strength
Allow paste; encourage password managers
Block paste / block managers
Smart, source/behavior-aware throttling
Blunt "5 strikes → account frozen" (DoS risk)
Entropy: $H = L \times \log_2 N$ bits — only for random choices. Human-chosen passwords have far less
effective entropy than the formula says → breach-screening beats composition rules.
MFA strength ladder (weakest → strongest)
Method
Resists
Vulnerable to
Phishing-resistant?
SMS OTP
No-MFA stuffing
SIM swap, real-time relay/phishing
No
TOTP (authenticator app)
SIM swap, stuffing
Real-time relay/phishing
No
Push (Approve/Deny)
SIM swap, stuffing
Push fatigue, relay
No
Push + number matching + context
+ push fatigue (mostly)
Sophisticated relay
No (better, not resistant)
FIDO2 / WebAuthn / passkey
Phishing, relay (AITM), stuffing, SIM swap
Lost authenticator, weak recovery
YES
Why FIDO2 is phishing-resistant (the two reasons)
No relayable secret — the user produces a signature, not a code; a fake page captures nothing reusable.
Origin binding — the browser binds the signature to the site's real origin; a signature for the
phishing domain is rejected by the real site (and the authenticator holds no key for the look-alike domain).
Private key never leaves the authenticator; the relying party stores only the public key (breaching
it exposes nothing). Passwordless ≠ phishing-resistant (a magic link is passwordless but phishable).
Hardware key (device-bound)
Synced passkey (cloud)
Private key
On the device only; non-exportable
In a cloud credential manager, synced
Recovery
Backup key / recovery flow
Restored from the cloud account
Best for
Crown-jewel accounts (admin, money) — AAL3
Broad workforce/consumer rollout
Caution
Provisioning + backup logistics
Only as strong as the cloud account — harden it
Biometrics
Irrevocable (can't reissue a fingerprint) · probabilistic (FAR/FRR/CER) · only as trustworthy
as the measuring device.
FAR (false accept) ↔ FRR (false reject) trade off with the threshold; CER (where FAR = FRR)
compares systems (lower is better).
Correct use: a local gesture to unlock an on-device key — never a network secret or a central
raw-image database.
Credential attacks — by shape and defense
Attack
Shape (users × passwords × sources)
Lockout catches it?
Decisive defenses
Credential stuffing
many users × 1 leaked pw each × many IPs
Poorly
Breach-screening + MFA; success-rate alerting
Password spraying
many users × few common pws × few IPs
No (under-threshold)
Common-pw screening + cross-account correlation
Brute force
one account × many guesses
Yes
Per-account lockout / throttling + MFA
MFA fatigue / push bombing
one user × many prompts
n/a
Number matching + prompt rate-limit/lockout
ATO detections: impossible travel; MFA-prompt bursts; new-device/new-location authenticator enrollment;
password reset → immediate MFA change; session-token reuse from a new IP.
The unphishable-login paradox
When the login becomes phishing-resistant, attackers attack the account-recovery / help-desk path
instead. Secure re-authentication, not just authentication: strong recovery verification, second-person
approval for high tiers, cool-downs, backup keys as the primary recovery path, and an alert on every
high-tier authenticator change.
Certification crosswalk
Concept
CompTIA Security+
(ISC)² CISSP domain
Authentication factors; MFA
4.0 Security Operations; 1.0 General Concepts
Identity & Access Management (IAM)
Password storage (hash/salt/work factor)
1.0 General Concepts (crypto); 4.0 Ops
Asset Security; Security Architecture
FIDO2/WebAuthn, passkeys, phishing-resistant MFA
4.0 Security Operations
IAM
Biometrics (FAR/FRR/CER)
4.0 Security Operations
IAM; Security Assessment
Credential stuffing / spraying / MFA fatigue
2.0 Threats, Vulnerabilities & Mitigations
Security Operations; IAM
AAL / identity assurance
5.0 Governance, Risk & Compliance
IAM; Security & Risk Management
Project additions this chapter
Meridian program: the authentication standard — AAL-by-asset-tier (Tier 3 = phishing-resistant
FIDO2 for money movement + admin, no exceptions); Argon2id storage; modern password policy; hardened
account recovery.
bluekit toolkit:authn.py — password_strength(pw) (length + variety + common-password screen)
and breached_prefix(sha1_prefix) (HIBP-style k-anonymity: send only the first 5 hex chars).
Common pitfalls
Calling a second knowledge factor "two-factor" (it isn't — same category twice).
Hashing passwords with a fast/unsalted algorithm, or storing them reversibly.
Trusting composition rules and 90-day rotation (NIST now discourages both); skipping breach-screening.
Deploying hardware keys but leaving a phishable fallback factor also accepted for the same tier.
Confusing passwordless with phishing-resistant.
Using a biometric as a network secret or storing raw biometric images centrally.
Relying on per-account lockout against spraying (it slips under), or as your only guessing defense (DoS risk).
Hardening the login but leaving account recovery / the help desk as a chatty open back door.
We use cookies to improve your experience and show relevant ads. Privacy Policy