====== MFA (Multi-Factor Authentication) ======

**What it is:** A login security method that requires **two or more factors**.

**What it’s for:**
  * Protect IAM users from password theft.
  * Add stronger security for sensitive actions (can be enforced via IAM policy conditions).

**Common MFA factors:**
  * **Something you know**: password
  * **Something you have**: authenticator app / hardware token
  * **Something you are**: biometrics

**Key ideas:**
  * MFA is commonly enabled for IAM users (console access).
  * You can require MFA for specific actions using policy *conditions*.

**Exam cues:**
  * “secure root account” → enable MFA.
  * “require MFA for deleting S3 buckets / changing IAM” → policy condition `aws:MultiFactorAuthPresent`.

**Hard words (English + IPA + Vietnamese meaning):**
  * *multi-factor* /ˌmʌlti ˈfæktər/: đa yếu tố
  * *authentication* /ɔːˌθentɪˈkeɪʃn/: xác thực
  * *biometrics* /ˌbaɪoʊˈmetrɪks/: sinh trắc học
  * *condition* /kənˈdɪʃn/: điều kiện