Study Guide · A+ Core 2 · CompTIA 220-1202 V15

What each objective is asking you to know

Plain-English reference for every CompTIA A+ Core 2 V15 objective. Each entry covers what the exam tests, key facts, and how the concept connects to neighboring objectives. Pair with Quiz and Flashcards to lock it in.

Objective C2-2.1

Objective 2.1: Summarize various security measures and their purposes

  • Cert: CompTIA A+ Core 2 (220-1202) V15
  • Domain: 2.0 Security
  • Weight: Part of the 28% Security domain
  • Depth: Summarize. The candidate must recognize physical security controls, logical security controls, authentication methods, and identity/access management concepts.

What this objective tests

You should be able to identify the physical, logical, and access controls that protect IT environments, recognize authentication methods (including MFA factors), and name the categories of identity and access management used in modern organizations.

Key facts

Bollards:

  • Short vertical posts (concrete, steel, plastic) that block vehicles from getting too close to a building or door.
  • Physical security against vehicle ramming or accidental impact.

Access control vestibule (mantrap):

  • Two-door entryway where only one door can be open at a time.
  • Prevents tailgating; an authorized person can't bring an unauthorized person through.

Badge reader:

  • Card or fob reader at doors. Validates the credential against an access control system before unlocking.

Video surveillance:

  • CCTV cameras for monitoring and recording activity. Deterrent and forensic evidence.

Alarm systems:

  • Intrusion detection and notification. Triggered by door contacts, glass break sensors, motion.

Motion sensors:

  • Detect movement in monitored areas. Trigger alarms, lights, or cameras.

Door locks:

  • Mechanical, electronic, or smart locks. Keys, codes, fobs, biometrics, or app-based unlock.

Equipment locks:

  • Kensington locks (cable locks) for laptops, equipment cages for servers, locked racks for switches.

Security guards:

  • Human presence for monitoring and response. More expensive but more flexible than automated controls.

Fences:

  • Perimeter physical barrier. Combined with gates, lighting, and cameras.

Key fobs:

  • Small RFID/NFC tokens carried on keychains. Tap to badge readers.

Smart cards:

  • ID-card-sized credential with embedded chip. Contact (insert) or contactless (tap). Used for door access and computer login (Windows smart-card logon, PIV/CAC in government).

Mobile digital key:

  • Phone-based credential that replaces physical badge. Apple Wallet, Google Wallet, or vendor-specific apps store the credential.

Keys (physical):

  • Traditional metal keys. Cheap, no battery, can't be revoked without rekeying.

Biometrics:

  • Authentication based on physical/behavioral traits. Hard to share but tricky to reset if compromised.

Retina scanner:

  • Scans the retinal blood vessel pattern. Very accurate but requires close eye placement.

Fingerprint scanner:

  • Reads the fingertip ridge pattern. Common on laptops and phones.

Palm print scanner:

  • Reads palm geometry/vein pattern. Less common but used in some high-security contexts.

Facial recognition technology (FRT):

  • Camera + software identifies face. Windows Hello, Apple Face ID, security cameras with FRT.

Voice recognition technology:

  • Identifies user by voice characteristics. Used in phone authentication and some smart speakers.

Lighting:

  • Well-lit perimeters deter intrusion and aid camera coverage.

Magnetometers:

  • Metal detectors at entry points. Detect concealed metallic objects.

Principle of least privilege:

  • Users and processes get only the minimum permissions needed to do their job. Reduces blast radius of any single compromise.

Zero Trust model:

  • "Never trust, always verify." No implicit trust based on network location. Every access request authenticated and authorized.
  • Replaces older "trust the LAN, distrust the Internet" model.

Access control lists (ACLs):

  • Lists that define which users/groups can perform which actions on which resources.
  • File system ACLs (NTFS), network ACLs (firewall, router), application ACLs.

Multifactor authentication (MFA):

  • Authentication using two or more factor types from: something you know (password, PIN), something you have (token, phone), something you are (biometric).
  • The minimum modern security baseline for any account that matters.

Email MFA:

  • One-time code sent to email. Weakest MFA because email itself is often the recovery channel. Better than nothing, worse than the others.

Hardware token MFA:

  • Dedicated physical device (YubiKey, RSA SecurID, smart card) generates or presents the second factor.
  • Strongest MFA in common use. Phishing-resistant when FIDO2/WebAuthn.

Authenticator application MFA:

  • TOTP code from an app (Microsoft Authenticator, Google Authenticator, Authy, Duo).
  • Strong, widely available, phone-based.

SMS (text message) MFA:

  • One-time code via text. Better than nothing; vulnerable to SIM swap attacks.
  • NIST has deprecated SMS as a strong factor but it's still widely used.

Voice call MFA:

  • Automated call reads out a code. Same SIM-swap concerns as SMS.

Time-based one-time password (TOTP):

  • 6-digit code that rotates every 30 seconds, derived from a shared secret and the current time.
  • The mechanism behind authenticator apps.

One-time password / passcode (OTP):

  • Single-use code. Includes TOTP and HOTP (counter-based).

Security Assertions Markup Language (SAML):

  • XML-based protocol for federated identity. Identity provider asserts user identity to a service provider via signed XML.
  • Common for SSO between on-prem identity and cloud apps.

Single sign-on (SSO):

  • User signs in once and accesses many apps without re-entering credentials.
  • Implemented via SAML, OAuth, OpenID Connect, Kerberos.

Just-in-time access:

  • Elevated permissions granted only for the duration needed, automatically revoked after.
  • Reduces standing privilege.

Privileged access management (PAM):

  • System for managing, monitoring, and auditing privileged accounts (root, admin, service accounts).
  • Vaults credentials, brokers access, records sessions.

Mobile device management (MDM):

  • Centralized control over phones and tablets. Enforce passcodes, push apps, remote wipe, restrict features.
  • Microsoft Intune, Jamf, VMware Workspace ONE, Google Endpoint Management.

Data loss prevention (DLP):

  • Software that monitors and blocks sensitive data from leaving the organization (email, USB, cloud uploads).
  • Detects PII, financial data, source code, etc. based on policies.

Identity access management (IAM):

  • Umbrella term for systems that manage identities, authentication, and authorization across the organization.

Directory services:

  • Centralized identity database. Active Directory (Microsoft), LDAP, Microsoft Entra ID (cloud), Google Cloud Identity.

Common gotchas

  • SMS MFA assumed strong. It's not. Better than no MFA, weaker than app-based or hardware-based.
  • Local admin everywhere. Violates least privilege. Standard users, elevated only when needed.
  • Implicit network trust. Assuming traffic from the LAN is safe. Zero Trust says authenticate every request regardless of source.
  • Biometric reset confusion. Lost a finger? Hard to reset biometrics. Backup factors needed.

Real-world context

For an MSP onboarding a new client:

  1. Inventory existing identity (AD, Entra ID, Google Workspace).
  2. Enforce MFA on all admin accounts immediately (authenticator app or hardware token, not SMS).
  3. Audit local admin rights and remove from regular users.
  4. Verify least privilege on file shares.
  5. Enroll mobile devices in MDM.
  6. Set up password manager for the team.

Sources

  • CompTIA A+ 220-1202 Exam Objectives Version 4.0, Section 2.1
  • [NIST SP 800-63B: Digital Identity Guidelines](https://pages.nist.gov/800-63-3/sp800-63b.html)
  • [CISA: Zero Trust Maturity Model](https://www.cisa.gov/zero-trust-maturity-model)
  • [Wikipedia: Multi-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication)