CISSP Domain 5: Authentication, MFA & Passkeys
On the CISSP, access-control questions come down to one move: name the step, then match the authentication control to the threat the scenario describes. This Domain 5 deep-dive separates identification from authentication from authorization, walks the full AAA model, and pins down what genuinely counts as multi-factor authentication. With Kai, Nova, Fenrir, and Sara, we cover the identity and access management foundations behind 13% of the current exam, and the question-reading habits that turn BEST and MOST scenarios into quick, defensible picks.
In this video:
- Identification vs authentication vs authorization, and the AAA model (the 3rd A is accounting)
- The three classic factors (know, have, are) plus location and behavior
- Why two passwords are NOT multi-factor authentication, and what truly is
- Biometrics: FAR is the security risk, FRR is the usability cost, and a lower CER wins
- Tuning a high-security biometric: lower the FAR even though false rejects rise
- Passwordless done right: FIDO2, WebAuthn, passkeys, and why they beat SMS codes against phishing
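The FAR/FRR/CER points above are easiest to see with numbers. The script below is an added example written for this description, not material from the video: it sweeps a matcher threshold over a constructed set of similarity scores (the two lists are toy data, higher score meaning a closer match to the enrolled template), computes FAR and FRR at each threshold, finds the crossover, and then shows what a high-security tuning costs in false rejects.

```python
"""FAR, FRR and the crossover error rate on a constructed score set.

Added example (not the video's own material). The two score lists are
constructed toy data: a matcher's similarity score from 0 to 100 for
genuine users and for impostors. A sample is accepted when its score
is at or above the threshold.
"""

# Constructed sample data (assumption): 15 genuine and 15 impostor scores.
GENUINE_SCORES = [62, 68, 71, 74, 77, 79, 81, 83, 85, 88, 90, 92, 94, 96, 98]
IMPOSTOR_SCORES = [20, 28, 33, 37, 41, 45, 49, 52, 55, 58, 61, 64, 67, 70, 73]


def far(threshold, impostor=IMPOSTOR_SCORES):
    """False Acceptance Rate: share of impostors the threshold lets in (the security risk)."""
    return sum(score >= threshold for score in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE_SCORES):
    """False Rejection Rate: share of legitimate users turned away (the usability cost)."""
    return sum(score < threshold for score in genuine) / len(genuine)


def sweep(thresholds=range(0, 101)):
    """(threshold, FAR, FRR) for every candidate threshold."""
    return [(t, far(t), frr(t)) for t in thresholds]


def crossover(thresholds=range(0, 101)):
    """Threshold where FAR and FRR are closest, and the rate there (the CER/EER).

    Comparing systems, the one with the lower CER is the more accurate.
    The CER is the balanced operating point, not necessarily where you deploy.
    """
    t, fa, fr = min(sweep(thresholds), key=lambda row: abs(row[1] - row[2]))
    return t, (fa + fr) / 2


def tune_for_security(max_far, thresholds=range(0, 101)):
    """Lowest threshold that keeps FAR at or below max_far, with the FRR you pay for it.

    Raising the threshold drives FAR down and FRR up; a high-security
    deployment accepts the extra false rejects.
    """
    for t, fa, fr in sweep(thresholds):
        if fa <= max_far:
            return t, fa, fr
    return None


if __name__ == "__main__":
    t_cer, cer = crossover()
    print(f"CER at threshold {t_cer}: FAR = FRR ~ {cer:.3f}")
    t_sec, fa, fr = tune_for_security(0.0)
    print(f"High-security setting: threshold {t_sec}, FAR {fa:.3f}, FRR {fr:.3f}")
```

On this toy data the crossover sits at threshold 69 with FAR and FRR both at 2/15; pushing FAR to zero for a data-center door means moving the threshold to 74, where one in five genuine users gets rejected and has to retry. That trade is the exam's point: the dial only moves one way at the other rate's expense.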
The next video in the series moves into authorization models and the access control schemes that decide what a proven identity may actually reach. Anchored to the (ISC)2 CISSP Detailed Content Outline effective April 15, 2024.
▶ Watch next: CISSP Domain 5: SSO, SAML, OAuth, OIDC & Kerberos https://www.youtube.com/watch?v=iV4Tx1fA2Hc
📺 Full playlist: CISSP (2026) v2 https://www.youtube.com/playlist?list=PLlIAFxS2964_K3g6WysWnLpifoxilduGi
Chapters
- 0:00 The Password That Opened Every Door
- 3:35 Identify, Prove, Permit, Record
- 6:41 AAA: The Whole Access Story
- 9:38 Three Factors, Five Categories
- 12:34 Why Two Passwords Are Not MFA
- 15:39 Biometrics and the Two Error Rates
- 18:51 Tuning the Dial: FAR vs FRR
- 22:03 Passwordless and Phishing-Resistant
- 25:11 Passkeys vs the Text-Message Code
- 28:20 Think Like a Manager
- 31:27 Quiz Time
- 34:48 Key Takeaways
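For the "Passwordless and Phishing-Resistant" and "Passkeys vs the Text-Message Code" chapters, here is an added example (written for this description, not code from the video) that models why a look-alike phishing site can relay an SMS code but not a passkey assertion. It is a stdlib-only toy of the WebAuthn get flow; the assumption is that HMAC-SHA256 with a per-credential secret stands in for the authenticator's ECDSA signature, so the toy relying party stores that secret where a real one stores only the public key. The hostnames example.com and examp1e.com are a constructed scenario.

```python
"""Why a passkey survives the phishing page that steals an SMS code.

Added example, not code from the video. Assumption: HMAC-SHA256 with a
per-credential secret stands in for the authenticator's ECDSA signature.
"""
import hashlib
import hmac
import json
import secrets


class Authenticator:
    """Credentials are scoped by RP ID; the signature covers the origin the browser reported."""

    def __init__(self):
        self._creds = {}  # rp_id -> (credential_id, key)

    def register(self, rp_id):
        cred_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key  # real flow: hand out the public key, keep the private one

    def get_assertion(self, rp_id, challenge, origin):
        if rp_id not in self._creds:
            return None  # nothing enrolled for this RP ID, so nothing to sign
        cred_id, key = self._creds[rp_id]
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        signed = auth_data + hashlib.sha256(client_data).digest()  # authData || H(clientDataJSON)
        return {"credential_id": cred_id, "client_data": client_data,
                "authenticator_data": auth_data,
                "signature": hmac.new(key, signed, hashlib.sha256).digest()}


def browser_get(authenticator, page_origin, rp_id, challenge):
    """The browser refuses an RP ID that the page's host is not a registrable suffix of."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None
    return authenticator.get_assertion(rp_id, challenge, page_origin)


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self._keys, self._pending = {}, set()

    def add_credential(self, cred_id, key):
        self._keys[cred_id] = key

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self._pending.add(challenge)
        return challenge

    def verify(self, assertion):
        if assertion is None:
            return False
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self._pending:
            return False  # unknown or replayed challenge
        self._pending.discard(cd["challenge"])  # single use
        if cd.get("origin") != self.origin:
            return False  # the user signed on some other site: phishing
        if assertion["authenticator_data"] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        key = self._keys.get(assertion["credential_id"])
        if key is None:
            return False
        signed = assertion["authenticator_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def sms_login(typed_code, code_sent):
    """An SMS code is a bare string: the RP cannot tell a relayed code from a typed one."""
    return hmac.compare_digest(typed_code, code_sent)


def demo():
    """Legitimate login vs. a look-alike phishing origin; returns each outcome."""
    auth, rp = Authenticator(), RelyingParty("example.com", "https://example.com")
    rp.add_credential(*auth.register("example.com"))
    legit = rp.verify(browser_get(auth, "https://example.com", "example.com", rp.new_challenge()))
    # Phisher at examp1e.com fetches a real challenge and relays it (constructed scenario).
    relayed = rp.new_challenge()
    asks_real_rp_id = browser_get(auth, "https://examp1e.com", "example.com", relayed)
    asks_own_rp_id = browser_get(auth, "https://examp1e.com", "examp1e.com", relayed)
    # Even if the browser check were bypassed, the signed origin gives the game away.
    forged = rp.verify(auth.get_assertion("example.com", relayed, "https://examp1e.com"))
    return {"legit_passkey": legit,
            "phish_blocked_by_browser": asks_real_rp_id is None,
            "phish_has_no_credential": asks_own_rp_id is None,
            "phish_relayed_assertion": forged,
            "phish_relayed_sms": sms_login("482913", "482913")}


if __name__ == "__main__":
    for outcome, result in demo().items():
        print(f"{outcome}: {result}")
```

Three independent things stop the relay: the browser will not let examp1e.com ask for example.com's credential, the authenticator has nothing enrolled for examp1e.com, and an assertion signed with the wrong origin fails the RP's origin check. The SMS code has none of those bindings, which is why the video ranks it below a passkey.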