Skip to main content

CompTIA A+

Security Controls

10 min read

If security fails, it’s often because a basic control was skipped. A user didn’t prove who they were, a door was held open, a key event wasn’t recorded, or sensitive pages sat on a printer tray for anyone to read. CompTIA A+ 220-1101 (often written as 1101, and sometimes referenced as 1201 by learners) groups these real workplace habits under Objective 3.7.

In plain terms: user authentication confirms identity before access is granted; badging confirms identity in a building, not just on a device; audit logs are records of actions and events; secured prints keep print jobs hidden until the right person releases them. Together, they form a simple security chain: prove the user, control the space, record activity, and protect the output.

User authentication basics you must know for the A+ exam

Authentication is the step that answers, “Who are you?” before a system answers, “What are you allowed to do?” Authorization comes after, but Objective 3.7 is centered on the identity check that happens first.

In help desk work, authentication shows up everywhere. Users sign in to Windows or macOS, join Wi-Fi, open a ticketing system, or access a cloud app like Microsoft 365. When authentication is weak, attackers don’t need fancy tools. They just sign in as someone else.

A+ questions often test whether you understand what counts as strong identity proof and what does not. Two passwords are not two factors. A password plus a one-time code from a phone app is two factors. A badge that unlocks a door is not the same as a password, but it serves the same purpose in the physical world: it ties access to a verified identity.

The three main authentication factors (and how the exam phrases them)

CompTIA keeps the factors simple, and the exam wording stays consistent:

  • Something you know: a password, passphrase, or PIN.
  • Something you have: a smart card, hardware token, phone authenticator app, or a one-time password (OTP) device.
  • Something you are: fingerprint, face, or other biometric trait.

Multi-factor authentication (MFA) means two different factors, not two items from the same factor. A password plus a security question is still “something you know.” It’s also weak because many answers can be guessed or found.

Work examples make MFA easier to remember:

  • A staff member signs in to a cloud email portal with a password, then approves a prompt in an authenticator app (know + have).
  • A nurse taps a smart card and enters a PIN at a workstation (have + know).
  • An admin signs in to a privileged account with a password and a fingerprint scan (know + are).

You may also see terms like SSO (single sign-on) and federated identity in study materials. For A+, focus on the core idea: the user proves identity once, then a trusted service passes that proof to other apps. The risk is clear too. If the first sign-in is weak, everything behind it is exposed.

Common authentication problems and the safest first fixes

Most authentication tickets are routine, but they still require care. A rushed reset can become an account takeover.

Common problems include locked accounts after too many failed attempts, expired passwords, and OTP codes that won’t match because the device clock is wrong. Users also lose phones and tokens, and smart cards fail because of damaged chips or reader problems.

Safe first fixes follow the same pattern. Verify identity before you change anything. Use approved methods, like calling a known number on file, checking a photo ID in person, or following the organization’s identity script. Don’t accept “I’m locked out and late for a meeting” as proof.

After you verify the user, apply least privilege during recovery. Reset only what you must. If a token is lost, disable it and issue a replacement rather than “temporarily” bypassing MFA for a week. If OTP codes fail, check time sync on the phone and the server side settings, then re-register the account if policy allows. With smart cards, inspect the card, reseat the reader, try another USB port, and confirm the correct drivers are installed.

Document each change in the ticket. Good notes protect the user and the technician, and they support later audit review.

Badging, the physical side of access control

IT security is easier when the building is secure. Badging is how organizations control who enters offices, server rooms, and restricted areas. It also supports accountability. If someone shouldn’t be in a location, a badge system helps prove it.

Badging fits the same security logic as system access. People get access based on roles. A finance staff member may enter accounting areas but not the network closet. A contractor might enter only during business hours. This maps directly to least privilege, but applied to doors instead of files.

A+ also expects you to recognize social engineering risks. Tailgating is a classic example. One person badges in, then another slips through without scanning. When tailgating becomes normal, the badge system turns into a decoration.

Badge types you may see at work (photo ID, RFID, smart cards)

Many workplaces use more than one badge feature at the same time.

A photo ID badge supports visual checks. Security staff and employees can compare the face to the badge, which helps when a badge is stolen.

This lesson is part of ExamWizardz Pro

Unlock every lesson, unlimited practice tests, and the AI tutor.

See Pro pricing

or start with a free account