Multifactor Authentication and SSO
Multifactor Authentication (MFA) and Single Sign-On (SSO) are critical security concepts covered in the CompTIA Server+ (SK0-005) exam, particularly within the Security and Disaster Recovery domain.
**Multifactor Authentication (MFA)** is a security mechanism that requires users to verify their identity using two or more distinct authentication factors before gaining access to a system or resource. These factors fall into three categories:
1. **Something you know** – passwords, PINs, or security questions.
2. **Something you have** – smart cards, hardware tokens, or mobile devices receiving OTP (One-Time Passwords).
3. **Something you are** – biometric data such as fingerprints, retinal scans, or facial recognition.
By combining multiple factors, MFA significantly reduces the risk of unauthorized access. Even if one factor is compromised (e.g., a stolen password), an attacker would still need the additional factor(s) to gain entry. In server environments, MFA is commonly implemented for administrative access, remote management consoles, and VPN connections to protect sensitive infrastructure.
**Single Sign-On (SSO)** is an authentication method that allows users to log in once and gain access to multiple systems, applications, or resources without re-entering credentials. SSO relies on centralized authentication services such as LDAP, Active Directory, SAML, or OAuth protocols. This simplifies user management and improves productivity while reducing password fatigue. However, SSO introduces a potential risk: if the single set of credentials is compromised, an attacker could access all connected systems. This is why SSO is often paired with MFA to strengthen security.
**In server administration**, combining MFA with SSO provides a balanced approach—users enjoy streamlined access while maintaining robust security. Administrators should implement MFA for critical server access points and use SSO to manage authentication across enterprise services efficiently. Together, they form a layered defense strategy that aligns with best practices for securing server environments against unauthorized access and data breaches.
Multifactor Authentication (MFA) and Single Sign-On (SSO) – CompTIA Server+ Guide
Why Multifactor Authentication and SSO Matter
In modern server environments, protecting access to critical systems and data is paramount. Passwords alone are no longer sufficient to defend against sophisticated attacks such as phishing, credential stuffing, and brute-force attempts. Multifactor Authentication (MFA) and Single Sign-On (SSO) are two complementary strategies that strengthen security while managing user convenience. Understanding these concepts is essential for the CompTIA Server+ exam and for real-world server administration.
MFA dramatically reduces the risk of unauthorized access by requiring users to prove their identity through multiple independent verification methods. SSO streamlines the authentication experience by allowing users to authenticate once and gain access to multiple systems, reducing password fatigue and the associated security risks of password reuse.
What Is Multifactor Authentication (MFA)?
Multifactor Authentication requires a user to present two or more distinct types of credentials (factors) before being granted access. These factors are drawn from three primary categories:
1. Something You Know – Knowledge-based factors
- Passwords or passphrases
- PINs (Personal Identification Numbers)
- Security questions
2. Something You Have – Possession-based factors
- Hardware tokens (e.g., RSA SecurID key fobs)
- Smart cards or CAC (Common Access Cards)
- Software tokens or authenticator apps (e.g., Google Authenticator, Microsoft Authenticator)
- One-time passwords (OTP) sent via SMS or email
- FIDO2/U2F security keys (e.g., YubiKey)
3. Something You Are – Inherence-based (biometric) factors
- Fingerprint scanners
- Retina or iris scans
- Facial recognition
- Voice recognition
Additional factors sometimes referenced:
- Somewhere You Are – Geolocation or IP-based restrictions
- Something You Do – Behavioral biometrics such as typing patterns or gait analysis
Important distinction: Using two factors from the same category (e.g., a password and a PIN) is not considered true multifactor authentication. This is sometimes called multi-step authentication but does not provide the layered security of MFA. True MFA requires factors from different categories.
How MFA Works
1. A user initiates a login by entering their username and password (something they know).
2. The authentication system validates the first factor and then prompts for a second factor.
3. The user provides the second factor, such as entering a time-based one-time password (TOTP) from an authenticator app (something they have) or scanning a fingerprint (something they are).
4. The system validates the second factor. If both factors are verified, access is granted.
5. If either factor fails, access is denied.
This layered approach ensures that even if one factor is compromised (e.g., a stolen password), the attacker still cannot gain access without the additional factor.
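The five steps above, carried out in code. This is an added example written for this page, not code from the CompTIA exam objectives or any vendor product. It verifies the first factor against a salted PBKDF2 password hash and the second factor as a TOTP code per RFC 6238 (HOTP from RFC 4226 with a 30-second time step and six digits, the scheme authenticator apps use). The user store, the password, and the TOTP secret (the RFC 6238 test-vector secret `12345678901234567890`) are constructed for the example; `is_true_mfa` encodes the "different categories" rule from the Important distinction note above.

```python
import hashlib
import hmac
import secrets
import struct

# --- Second factor (something you have): TOTP, RFC 6238 built on HOTP, RFC 4226 ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: dynamic truncation of HMAC-SHA1(secret, counter) to a zero-padded code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the current time step."""
    return hotp(secret, int(at_time // step), digits)

def verify_totp(secret: bytes, code: str, now: float, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to tolerate clock
    drift; compare in constant time so the check leaks no timing information."""
    current = int(now // step)
    return any(
        hmac.compare_digest(hotp(secret, current + delta), code)
        for delta in range(-window, window + 1)
    )

# --- First factor (something you know): salted, iterated password hash ---

def hash_password(password: str, salt: bytes = b"") -> tuple:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)

# --- Factor-category rule: true MFA needs factors from at least two categories ---

def is_true_mfa(factors) -> bool:
    """`factors` is a list of (name, category) pairs, e.g. ("password", "know")."""
    return len({category for _name, category in factors}) >= 2

# --- Constructed user store for the example (not real credentials) ---

_SALT, _HASH = hash_password("correct horse battery staple")
USERS = {
    "admin": {
        "salt": _SALT,
        "pw_hash": _HASH,
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
    },
}

def login(username: str, password: str, code: str, now: float) -> bool:
    """Steps 1-5: both factors must verify; the caller learns only grant/deny,
    not which factor failed."""
    user = USERS.get(username)
    if user is None:
        return False
    # Step 2: validate the first factor before asking for the second.
    if not verify_password(password, user["salt"], user["pw_hash"]):
        return False
    # Steps 3-4: validate the second factor.
    if not verify_totp(user["totp_secret"], code, now):
        return False
    return True

if __name__ == "__main__":
    now = 1111111109  # fixed time from the RFC 6238 test vectors
    code = totp(USERS["admin"]["totp_secret"], now)
    print("login:", login("admin", "correct horse battery staple", code, now))
```

The `window` parameter is the usual trade-off: a wider window tolerates more clock drift on the user's device but lengthens the period during which a single observed code remains valid, so keep it to one step on either side.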
What Is Single Sign-On (SSO)?
Single Sign-On is an authentication mechanism that allows a user to log in once with a single set of credentials and then access multiple applications, systems, or services without being prompted to authenticate again for each one.
Key Characteristics of SSO:
- Centralizes authentication to a single identity provider (IdP)
- Reduces the number of passwords users must remember
- Decreases help desk calls related to password resets
- Improves user productivity and experience
- Enables centralized access management and auditing
How SSO Works
SSO relies on a trust relationship between service providers (the applications/resources) and an identity provider (IdP). Common protocols and standards used to implement SSO include:
1. LDAP (Lightweight Directory Access Protocol)
- Often used with Active Directory in Windows environments
- Provides a centralized directory for user authentication
2. SAML (Security Assertion Markup Language)
- An XML-based open standard for exchanging authentication and authorization data
- Commonly used for web-based SSO between an IdP and service providers
- The IdP generates a SAML assertion (a security token) that the service provider trusts
3. OAuth 2.0 and OpenID Connect (OIDC)
- OAuth 2.0 handles authorization (what resources you can access)
- OpenID Connect builds on OAuth 2.0 to add authentication (who you are)
- Widely used for cloud-based and modern web applications
4. Kerberos
- A network authentication protocol used in Active Directory environments
- Uses tickets (Ticket Granting Ticket and Service Tickets) issued by a Key Distribution Center (KDC)
- After initial authentication, the user receives a TGT that is presented to obtain service tickets for various resources without re-entering credentials
Typical SSO Flow (SAML-based):
1. User attempts to access a service provider (e.g., a web application).
2. The service provider redirects the user to the identity provider (IdP) for authentication.
3. The user authenticates with the IdP (potentially using MFA).
4. The IdP generates a SAML token/assertion confirming the user's identity.
5. The token is sent back to the service provider.
6. The service provider validates the token and grants access.
7. For subsequent service provider access, the existing session/token is reused without re-authentication.
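Steps 4 through 7 of the flow above, and the "MFA strengthens that single authentication event" point of the next section, as an added example written for this page rather than code from any SAML library or product. Real SAML assertions are XML documents signed with the identity provider's certificate (XML signature); to keep the example self-contained it substitutes a JSON claim set signed with an HMAC key shared between IdP and service provider. The issuer and audience URLs, the key, the claim names, and the user are constructed. The service provider checks signature, issuer, audience, validity window, whether MFA was used at the IdP, and whether the assertion has already been consumed, then keeps its own session so later requests are served without re-authentication.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed identifiers for the example; not real endpoints or keys.
IDP_ISSUER = "https://idp.example.test"
SP_AUDIENCE = "https://app.example.test"
SHARED_KEY = b"constructed-idp-sp-signing-key"  # stands in for the IdP signing certificate

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def idp_issue_assertion(key: bytes, subject: str, audience: str,
                        authn_methods: list, now: int, ttl: int = 300) -> str:
    """Step 4: after the user authenticates at the IdP, mint a signed assertion."""
    claims = {
        "id": secrets.token_hex(8),          # unique id so the SP can detect replay
        "iss": IDP_ISSUER,
        "sub": subject,
        "aud": audience,                     # the one SP this assertion is for
        "iat": now,
        "exp": now + ttl,                    # short lifetime limits a stolen assertion
        "authn_methods": sorted(authn_methods),  # e.g. ["otp", "pwd"] when MFA was used
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    signature = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64url_encode(payload)}.{b64url_encode(signature)}"

CONSUMED_ASSERTIONS = set()

def sp_validate_assertion(key: bytes, token: str, now: int, require_mfa: bool = True):
    """Step 6: returns (claims, None) on success or (None, reason) on rejection."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, signature = b64url_decode(payload_b64), b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None, "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None, "bad signature"         # tampered or forged assertion
    claims = json.loads(payload)             # authentic from here on
    if claims.get("iss") != IDP_ISSUER:
        return None, "unknown issuer"
    if claims.get("aud") != SP_AUDIENCE:
        return None, "audience mismatch"     # minted for a different SP
    if not (claims["iat"] <= now < claims["exp"]):
        return None, "expired"
    if require_mfa and "otp" not in claims["authn_methods"]:
        return None, "mfa required"          # the SSO login itself must be MFA
    if claims["id"] in CONSUMED_ASSERTIONS:
        return None, "replayed"
    CONSUMED_ASSERTIONS.add(claims["id"])
    return claims, None

# Step 7: the SP keeps its own bounded session instead of re-validating each time.
SESSIONS = {}
SESSION_TTL = 3600

def sp_create_session(claims: dict, now: int) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"sub": claims["sub"], "exp": now + SESSION_TTL}
    return sid

def sp_check_session(sid: str, now: int):
    """Returns the subject for a live session, or None once it has expired."""
    session = SESSIONS.get(sid)
    if session is None or now >= session["exp"]:
        SESSIONS.pop(sid, None)
        return None
    return session["sub"]

if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    token = idp_issue_assertion(SHARED_KEY, "alice", SP_AUDIENCE, ["pwd", "otp"], t0)
    claims, err = sp_validate_assertion(SHARED_KEY, token, t0 + 5)
    sid = sp_create_session(claims, t0 + 5)
    print("session for:", sp_check_session(sid, t0 + 100), "error:", err)
```

The session TTL is the mitigation the Risks section below calls token expiration: a stolen session identifier is only useful until `exp`, and the assertion that created it cannot be presented a second time.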
MFA and SSO Working Together
MFA and SSO are not mutually exclusive; in fact, they are frequently combined for optimal security and usability:
- SSO reduces the number of times a user must authenticate
- MFA strengthens that single authentication event
- Together, they provide strong security at the point of login while maintaining a seamless user experience across multiple systems
For example, a user logs into the corporate SSO portal using their password and a push notification on their phone (MFA). Once authenticated, they can access email, file servers, HR systems, and cloud applications without additional login prompts.
Benefits and Risks
Benefits of MFA:
- Significantly reduces risk of compromised accounts
- Protects against phishing, credential theft, and brute-force attacks
- Meets regulatory and compliance requirements (HIPAA, PCI-DSS, etc.)
Benefits of SSO:
- Improved user experience and productivity
- Reduced password fatigue and reuse
- Centralized access control and auditing
- Simplified account provisioning and deprovisioning
Risks and Considerations:
- SSO single point of failure: If the IdP is compromised, all connected systems may be at risk. This is why combining SSO with MFA is critical.
- MFA can be bypassed in certain scenarios (e.g., SIM swapping for SMS-based OTP). Hardware tokens and authenticator apps are more secure than SMS-based codes.
- SSO session hijacking: If an SSO session token is stolen, the attacker could access all linked services. Proper session management, token expiration, and encryption mitigate this risk.
Server+ Relevant Implementation Considerations
- RADIUS and TACACS+: These are AAA (Authentication, Authorization, and Accounting) protocols commonly used to centralize authentication for network devices and servers. They can integrate with MFA solutions.
- Active Directory (AD) and LDAP: Central to SSO in enterprise environments. AD supports Kerberos-based SSO natively.
- Certificate-based authentication: Smart cards and digital certificates serve as the something you have factor in MFA implementations for server access.
- Remote access: VPN and remote server management tools should enforce MFA to protect against unauthorized remote access.
- Privileged Access Management (PAM): Administrative and root-level accounts on servers should always require MFA.
Exam Tips: Answering Questions on Multifactor Authentication and SSO
1. Know the three primary factor categories cold.
The exam will test whether you can correctly identify which category a given credential belongs to. Remember: Something you know (passwords, PINs), Something you have (tokens, smart cards, phones), and Something you are (biometrics). If a question asks about true MFA, the answer must involve factors from at least two different categories.
2. Distinguish MFA from multi-step authentication.
A password plus a security question is NOT MFA because both are something you know. If an exam question presents this scenario, it is a distractor. True MFA crosses category boundaries.
3. Understand SSO protocols at a high level.
You may see questions about SAML, Kerberos, LDAP, or OAuth/OIDC. Know that SAML is commonly used for web-based SSO, Kerberos is the native protocol in Active Directory environments, and LDAP is the directory access protocol. You do not need to know the deep technical internals, but you should recognize which protocol fits which scenario.
4. Remember the SSO single point of failure risk.
If the exam asks about a disadvantage or risk of SSO, the most likely correct answer involves the single point of failure concern—if the identity provider is compromised, all connected resources are at risk.
5. MFA + SSO is a best practice.
If a question asks how to improve security while maintaining user convenience, look for the answer that combines MFA with SSO. This is the industry-recommended approach.
6. Watch for scenario-based questions.
The exam may describe a situation (e.g., a server admin needs to secure remote access to critical servers) and ask which solution to implement. MFA is almost always the correct answer when the question focuses on strengthening authentication. SSO is the answer when the question focuses on reducing authentication friction or centralizing access management.
7. Know common MFA methods and their relative security.
Hardware tokens and authenticator apps are more secure than SMS-based OTPs. Biometrics are strong but raise privacy concerns. If a question asks about the most secure second factor, lean toward hardware tokens or biometrics over SMS.
8. Remember AAA protocols.
RADIUS and TACACS+ are relevant to centralized authentication on servers and network devices. TACACS+ encrypts the entire payload (more secure), while RADIUS only encrypts the password. Both can work with MFA and SSO architectures.
9. Eliminate wrong answers systematically.
For MFA questions, immediately eliminate any option that uses two factors from the same category. For SSO questions, eliminate answers that suggest users must authenticate separately for each resource.
10. Think about compliance and best practices.
Many regulations (HIPAA, PCI-DSS, SOX) require or strongly recommend MFA for accessing sensitive systems. If a question involves compliance, MFA is typically a required component of the correct answer.