LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What does 2FA / MFA add on top of a password, and why does it dramatically reduce account takeover risk?

MFA combines something you know (password) with something you have (phone, key) or are (fingerprint) — so a stolen password alone isn't enough.

MFA combines 2+ of Know (password), Have (OTP/FIDO key), Are (fingerprint/face).

* True MFA combines factors from different categories: Know, Have, Are. *

The three factors:

Factor Examples
Know Password, PIN, security questions
Have Phone (SMS/app), hardware key, smartcard
Are Fingerprint, face, voice

True MFA requires factors from different categories — password + security question is just two "know" factors, not real MFA.

Why it works:

Attackers might phish or brute-force your password, but they probably can't simultaneously steal your phone or your fingerprint. Microsoft research showed MFA blocks 99.9% of automated account takeover attacks.

Strength ranking (weakest → strongest):

  1. SMS codes — vulnerable to SIM swapping
  2. TOTP apps (Authy, Google Authenticator) — better, but phishable
  3. Push notifications — good, but vulnerable to MFA fatigue
  4. FIDO2 / hardware keys (YubiKey, Passkeys) — phishing-proof

Tip: OTP = One-Time Password — a 6-digit code that expires in 30 seconds. Even if intercepted, it's useless after expiry.

Go deeper:

From Quiz: INTROL / Password Cracking | Updated: Jul 14, 2026