Learn about acceptable multifactor authentication methods for logging into systems that contain personal data, as advised by a privacy engineer, and why a smart card combined with a verification code sent to a mobile device is the best of the options offered compared with biometrics, PINs, passwords and security questions.
Question
A privacy engineer advises that multifactor authentication be used to log into a system containing personal data. Which of the following would be acceptable?
A. Fingerprint scanning and then iris scanning.
B. Facial recognition and then entering a PIN.
C. Plugging in a smart card and then verifying a code sent to a mobile device.
D. Entering a password and then answering a security question tied to the person.
Answer
C. Plugging in a smart card and then verifying a code sent to a mobile device.
Explanation
The acceptable option is C: plugging in a smart card and then verifying a code sent to a mobile device.
This combination relies on two independent artifacts that the user must possess, each checked through a separate channel:
- The smart card, a physical token that is plugged in and answers a challenge with the key it holds (and is normally unlocked with a PIN, which adds a knowledge factor on top).
- The enrolled mobile device, which receives a one-time code out of band.
Strictly speaking, a code delivered to a phone proves possession of that phone rather than knowledge of a secret, so it is a possession factor, not "something you know". What makes the pairing strong is that the two proofs are independent of each other: the smart card must be physically present, and the code is random, short-lived and single-use, so a code an attacker observes cannot be replayed later. To log in, an unauthorized person would need to steal both the smart card (and its PIN) and the mobile device.
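The server-side logic for that two-step login, as an added example that is not part of the original page: a challenge-response check for the card, followed by an out-of-band one-time code that is short-lived, single-use and rate-limited. The card is modelled with an HMAC over the challenge as a stand-in for a real card's private-key signature, the card identifier, user name and secrets are constructed, and delivery of the code to the phone is assumed to happen outside this code.

```python
"""Two-step login: possession of a registered card, then a one-time code
delivered out of band to the enrolled device. Constructed example."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

CODE_TTL_SECONDS = 120     # a delivered code is only valid briefly
MAX_CODE_ATTEMPTS = 3      # after that the code is discarded and must be re-issued
CODE_DIGITS = 6


def issue_challenge() -> bytes:
    """Fresh random challenge so a captured card response cannot be replayed."""
    return secrets.token_bytes(32)


def card_respond(card_secret: bytes, challenge: bytes) -> bytes:
    """Stand-in for the smart card signing the challenge with its private key.
    Assumption: an HMAC with a per-card secret is used here because a real
    card's asymmetric signature needs hardware and libraries outside stdlib."""
    return hmac.new(card_secret, challenge, hashlib.sha256).digest()


def verify_card(card_secrets: dict, card_id: str, challenge: bytes, response: bytes) -> bool:
    """Possession check: the response must match what the registered card produces."""
    secret = card_secrets.get(card_id)
    if secret is None:
        return False
    expected = card_respond(secret, challenge)
    return hmac.compare_digest(expected, response)  # constant-time comparison


class OneTimeCodes:
    """Server-side store of codes sent out of band (SMS/push) to the enrolled device."""

    def __init__(self) -> None:
        self._pending = {}  # user -> (code_hash, expires_at, attempts_left)

    def issue(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # Store only a hash so a database read does not reveal live codes.
        self._pending[user] = (hashlib.sha256(code.encode()).digest(),
                               now + CODE_TTL_SECONDS, MAX_CODE_ATTEMPTS)
        return code  # goes to the delivery channel, never back to the browser

    def verify(self, user: str, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if now > expires_at:
            del self._pending[user]     # expired: force a fresh code
            return False
        if hmac.compare_digest(code_hash, hashlib.sha256(code.encode()).digest()):
            del self._pending[user]     # single use: a replayed code is rejected
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[user]     # burn the code after repeated guesses
        else:
            self._pending[user] = (code_hash, expires_at, attempts_left)
        return False


def login(card_secrets: dict, codes: OneTimeCodes, user: str, card_id: str,
          challenge: bytes, card_response: bytes, code: str,
          now: Optional[float] = None) -> bool:
    """Both steps must pass; the code is only checked once the card step has."""
    if not verify_card(card_secrets, card_id, challenge, card_response):
        return False
    return codes.verify(user, code, now)


if __name__ == "__main__":
    cards = {"card-0042": b"constructed-card-secret"}   # constructed registry
    store = OneTimeCodes()
    ch = issue_challenge()
    resp = card_respond(cards["card-0042"], ch)          # what the card returns
    code = store.issue("alice")                          # sent to alice's phone
    print("first login:", login(cards, store, "alice", "card-0042", ch, resp, code))
    print("replayed code:", login(cards, store, "alice", "card-0042", ch, resp, code))
```

The code is hashed at rest, compared in constant time, tied to a deadline and an attempt budget, and deleted on first successful use, so a code that is observed in transit is useless once the legitimate login has completed.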
In contrast, the other options have weaknesses:
A. Fingerprint and iris scanning are both biometric (inherence) factors, so this is not multifactor authentication at all. Biometric templates, once stolen, cannot be changed the way a password or token can, and an attacker who obtains them could potentially spoof both checks.
B. Facial recognition plus a PIN does span two categories (inherence and knowledge), but it is weaker than option C: facial data can be captured or spoofed, a static PIN can be shoulder-surfed or guessed and stays valid until changed, whereas a one-time code expires and cannot be reused. Collecting facial biometrics also means the system stores highly sensitive personal data of its own, which a privacy engineer would avoid when a token achieves the same goal.
D. A password and a security question are both knowledge factors, so again only one category is used. Answers to security questions are often discoverable through research or social media.
Therefore, the smart card and mobile verification code combination is the strongest multifactor authentication method of the options presented. It provides the best protection for the personal data in the system.
IAPP CIPT certification exam practice question and answer.