Authentication Methods and Technologies: Something You Know, Have, and Are
CISSP Lens: Pick answers that align business risk, governance intent, and practical control execution.
Hook / Why this matters
Most modern breaches start with a valid login. Attackers do not need to exploit a buffer overflow if they can trick a user into handing over a password. Understanding authentication factors and technologies lets you raise the bar so that a stolen password is not enough to get in.
Core concept explained simply
Authentication answers a single question: "Are you really who you claim to be?" It does this by requiring evidence from one or more of three factor types:
- Something you know such as a password or PIN
- Something you have such as a hardware token or phone
- Something you are such as a fingerprint or face
The strength of authentication depends on both the factor type and how it is implemented.
Passwords and knowledge based factors
Passwords remain the most common authentication method. For security, they need:
- Adequate length, which provides entropy and makes brute force harder
- Proper storage, using salted hashing so that a database breach does not reveal the original passwords
- Defenses against credential stuffing and password spraying, such as rate limiting and account lockout
Traditional complexity rules like "mix upper, lower, number, symbol" matter less than length and uniqueness. Modern guidance favors longer passphrases and checking against known breached password lists.
Knowledge factors also include security questions and PINs. These are often weaker because answers can be guessed or researched.
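The storage and policy points above, as an added example that is not part of the original note: registration enforces a minimum length and a breached-password check, then stores only a PBKDF2-HMAC-SHA256 digest with a random per-user salt, and verification compares digests in constant time. The breached-password set, the iteration count and the minimum length are this example's own assumptions; a real deployment would query a breach corpus rather than an in-memory set.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a breached-password list (assumption for this example);
# a real deployment would query a breach corpus, e.g. via a hash-prefix lookup API.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou1234"}

PBKDF2_ITERATIONS = 600_000  # work factor; raise it over time as hardware gets faster
MIN_LENGTH = 12              # length and uniqueness matter more than composition rules


def check_policy(password: str) -> Optional[str]:
    """Return a rejection reason, or None when the password is acceptable."""
    if len(password) < MIN_LENGTH:
        return "too short"
    if password in BREACHED_PASSWORDS:
        return "found in breach list"
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Derive a PBKDF2-HMAC-SHA256 digest with a unique random salt for this user."""
    if salt is None:
        salt = os.urandom(16)  # unique salt per user: identical passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def register(password: str) -> dict:
    """Apply the policy, then keep only the salted digest (never the password itself)."""
    reason = check_policy(password)
    if reason is not None:
        raise ValueError(f"rejected: {reason}")
    return hash_password(password)


if __name__ == "__main__":
    record = register("correct horse battery staple")
    print("stored record:", record)
    print("correct password verifies:", verify_password("correct horse battery staple", record))
    print("wrong password verifies:", verify_password("Tr0ub4dor&3", record))
```

Because each user gets a fresh salt, two users who choose the same passphrase end up with different records, so a leaked table cannot be attacked with one precomputed lookup for all of them.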
Possession factors
Possession factors prove you have a specific device or token. Examples include:
- Hardware one time password tokens
- Mobile app authenticators that generate time based one time passwords
- Smart cards with embedded cryptographic keys
- FIDO2 security keys that perform cryptographic authentication in hardware
For these to be strong, the token must be resistant to cloning, and the system must bind the token to the specific user.
Inherence factors and biometrics
Inherence factors rely on traits of the user, for example fingerprints, facial recognition, iris scans, or voice patterns.
Biometric systems are evaluated using:
- False Acceptance Rate (FAR): how often someone is wrongly accepted
- False Rejection Rate (FRR): how often a valid user is rejected
- Crossover Error Rate (CER): the point where FAR and FRR are equal, which provides a single measure of system accuracy
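The three metrics above, as an added example that is not part of the original note: FAR and FRR are computed from matcher scores at a given decision threshold, a sweep shows that tightening the threshold lowers FAR while raising FRR, and the crossover point gives the CER. The genuine and impostor score lists are constructed for the example; a real evaluation would use scores from enrolment and impostor trials.

```python
from typing import List, Tuple

# Constructed matcher scores on a 0-100 scale (higher = closer match to the enrolled template).
# These are invented for the example, not measurements from any real system.
GENUINE_SCORES = [88, 91, 79, 95, 84, 72, 90, 86, 68, 93]    # legitimate users
IMPOSTOR_SCORES = [35, 52, 61, 44, 70, 58, 49, 66, 40, 75]   # other people presenting


def far(threshold: int, impostor: List[int]) -> float:
    """False Acceptance Rate: share of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold: int, genuine: List[int]) -> float:
    """False Rejection Rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(genuine: List[int], impostor: List[int],
          thresholds=range(50, 96, 5)) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) per threshold: tightening trades false accepts for false rejects."""
    return [(t, far(t, impostor), frr(t, genuine)) for t in thresholds]


def crossover_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Lowest threshold where FAR and FRR are closest to equal; the rate there is the CER."""
    best_t, best_gap, best_rate = 0, float("inf"), 0.0
    for t in range(0, 101):
        a, r = far(t, impostor), frr(t, genuine)
        if abs(a - r) < best_gap:
            best_t, best_gap, best_rate = t, abs(a - r), (a + r) / 2
    return best_t, best_rate


if __name__ == "__main__":
    for t, a, r in sweep(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:3d}: FAR {a:.2f}  FRR {r:.2f}")
    print("CER (threshold, rate):", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

With these scores a threshold of 85 yields no false accepts but rejects 40% of genuine attempts, while a threshold of 60 rejects nobody but accepts 40% of impostors; the policy question is where between those points the organisation wants to sit.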
Biometrics are convenient, but once compromised they cannot be changed. They are often used as one factor in multi factor schemes rather than as a standalone solution for high risk access.
Multi factor authentication
Multi factor authentication combines two or more factor types. The key is that they must be different types, not just multiple passwords.
Correct examples of true MFA:
- Password plus a one time code from a hardware token
- Smart card plus a PIN
- Password plus fingerprint scan
Incorrect examples that are not true MFA:
- Password plus security questions
- Two different passwords
Both of these use knowledge factors only.
One time passwords and delivery methods
One time passwords (OTPs) are codes valid for a short time or a single use. Common forms are:
- HOTP: counter based
- TOTP: time based, as seen in many authenticator apps
Delivery matters for security:
- SMS based OTPs are easy to deploy but susceptible to SIM swap and interception
- App based OTPs and hardware tokens are more resistant to attacks
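HOTP and TOTP as described above, as an added example that is not part of the original note: the code implements RFC 4226 counter-based codes and RFC 6238 time-based codes on top of them, and a server-side verifier that tolerates one step of clock drift but refuses to accept the same time step twice. The secret is the reference secret from the RFC test vectors so the output can be checked against the published values; the verifier class and its replay rule are this example's own design.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Reference secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890"),
# chosen so the generated codes can be checked against published values.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # same key as an authenticator app receives it


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps are provisioned with a Base32 secret; decode it to raw key bytes."""
    return base64.b32decode(text.upper())


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    now = time.time() if at is None else at
    return hotp(secret, int(now) // step, digits)


class TotpVerifier:
    """Server-side check: accept +/-`window` steps of clock drift, never accept a step twice."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_step = -1  # highest step already consumed; persist this per user in practice

    def verify(self, code: str, at: float) -> bool:
        current = int(at) // self.step
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_step:
                continue  # a code for an already-used step is a replay and is rejected
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))
    print("TOTP at t=59 (8 digits):", totp(RFC_SECRET, at=59, digits=8))
    v = TotpVerifier(RFC_SECRET)
    code = totp(RFC_SECRET, at=59)
    print("first use accepted:", v.verify(code, 59), " replay accepted:", v.verify(code, 59))
```

The replay rule is the part most often missing from home-grown verifiers: without it a code captured within its 30-second window (or within the drift window) can be reused, which defeats the single-use property the section describes.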
Modern authentication: FIDO2 and WebAuthn
FIDO2 and WebAuthn enable strong authentication without passwords. The user proves possession of a private key stored in secure hardware, such as a security key or device secure enclave.
Benefits include:
- Protection against phishing, since keys are bound to a specific origin
- No shared secrets on the server that can be reused elsewhere
- Good user experience once enrolled
These technologies are increasingly used for high value accounts and administrative access.
Context aware and risk adaptive authentication
Authentication strength can adapt based on context, such as location, device health, time of day, or behavioral patterns. For example, a login from a known device during office hours might require only one factor, while a login from a new country might trigger mandatory MFA.
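The two ideas from the Multi factor authentication section and this one, as an added example that is not part of the original note: methods are mapped to factor types so that "true MFA" means two or more distinct types, and a small risk-adaptive policy decides how many types a login must present based on device, location and time of day, with SMS codes and security questions barred for administrative access as the note recommends. The method names, the office-hours window and the rule set are this example's own assumptions, not a standard taxonomy.

```python
from dataclasses import dataclass
from typing import Iterable, Set, Tuple

# Factor type of each method (labels are this example's own, not a standard taxonomy).
FACTOR_TYPES = {
    "password": "knowledge", "pin": "knowledge", "security_question": "knowledge",
    "hardware_otp": "possession", "totp_app": "possession", "sms_otp": "possession",
    "smart_card": "possession", "fido2_key": "possession",
    "fingerprint": "inherence", "face": "inherence",
}
# Methods treated as unsuitable for administrative access (SIM swap / guessable answers).
WEAK_FOR_ADMIN = {"sms_otp", "security_question"}


def factor_types(methods: Iterable[str]) -> Set[str]:
    return {FACTOR_TYPES[m] for m in methods}


def is_true_mfa(methods: Iterable[str]) -> bool:
    """True MFA needs two or more *different* factor types, not two of the same type."""
    return len(factor_types(methods)) >= 2


@dataclass
class LoginContext:
    user: str
    is_admin: bool
    known_device: bool
    device_healthy: bool
    country: str
    home_country: str
    hour: int  # local hour, 0-23


def required_policy(ctx: LoginContext) -> Tuple[int, bool]:
    """Return (minimum distinct factor types, whether weak-for-admin methods are barred)."""
    risky = (not ctx.known_device or not ctx.device_healthy
             or ctx.country != ctx.home_country or not 8 <= ctx.hour < 18)
    if ctx.is_admin:
        return 2, True            # admins always get MFA and may not use the weak methods
    return (2 if risky else 1), False


def decide(ctx: LoginContext, presented: Iterable[str]) -> Tuple[bool, str]:
    """Allow the login only if the presented methods satisfy the policy for this context."""
    presented = list(presented)
    min_types, bar_weak = required_policy(ctx)
    if bar_weak and WEAK_FOR_ADMIN & set(presented):
        return False, "method not acceptable for administrative access"
    types = factor_types(presented)
    if len(types) < min_types:
        return False, f"need {min_types} distinct factor types, got {sorted(types)}"
    return True, "allowed"


if __name__ == "__main__":
    office = LoginContext("alice", False, True, True, "US", "US", 10)
    abroad = LoginContext("alice", False, True, True, "BR", "US", 10)
    admin = LoginContext("root", True, True, True, "US", "US", 10)
    print("office, password only:", decide(office, ["password"]))
    print("abroad, password only:", decide(abroad, ["password"]))
    print("abroad, password + security question:", decide(abroad, ["password", "security_question"]))
    print("admin, password + SMS:", decide(admin, ["password", "sms_otp"]))
    print("admin, password + FIDO2 key:", decide(admin, ["password", "fido2_key"]))
```

The second check in decide() is the one exam questions probe: a password plus a security question from a new country is still rejected, because both are knowledge factors and the count of distinct types stays at one.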
CISSP lens
For the CISSP, you need to:
- Recall the three authentication factor types and be able to classify examples
- Understand that true MFA requires different factor types, not multiple instances of the same type
- Know biometric metrics, especially FAR, FRR, and CER, and how tightening thresholds affects each
- Recognize the weaknesses of SMS based codes and knowledge based authentication
- Be familiar with high level properties of FIDO2 and smart card based authentication
Exam questions often describe a scenario and ask you to choose the most appropriate authentication method based on risk, usability, and cost. The best answer balances these factors rather than always selecting the strongest possible control.
Real world scenario
A financial services company allowed VPN access using a username and password only. Attackers obtained a dump of usernames and passwords from a third party breach and used credential stuffing to try those credentials against the VPN.
Several reused passwords worked. The attackers logged in, moved laterally, and accessed sensitive customer data before being detected.
In response, the company:
- Enforced multi factor authentication for VPN, administrative access, and critical internal applications
- Implemented breach password checking, preventing users from setting passwords found in known dumps
- Piloted FIDO2 security keys for administrators and high risk roles, then expanded them after good results
- Added anomaly detection to flag logins from unusual locations or devices
Subsequent credential stuffing attempts failed because stolen passwords alone no longer granted access.
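The detection side of this scenario, as an added example that is not part of the original note: a parser for a constructed VPN authentication log and a rule that flags a source address which fails against many different usernames, then reports any account that source subsequently logged into. The log format, usernames and addresses are invented for the example (the addresses are from documentation ranges), and the threshold of five distinct users is an assumption to tune per environment.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed VPN authentication events; format, names and addresses are invented for this
# example (203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges).
LOG_LINES = """\
2024-03-01T02:14:01Z vpn auth user=alice src=203.0.113.7 result=FAIL
2024-03-01T02:14:03Z vpn auth user=bob src=203.0.113.7 result=FAIL
2024-03-01T02:14:05Z vpn auth user=carol src=203.0.113.7 result=FAIL
2024-03-01T02:14:08Z vpn auth user=dave src=203.0.113.7 result=FAIL
2024-03-01T02:14:10Z vpn auth user=erin src=203.0.113.7 result=FAIL
2024-03-01T02:14:12Z vpn auth user=frank src=203.0.113.7 result=FAIL
2024-03-01T02:14:15Z vpn auth user=grace src=203.0.113.7 result=SUCCESS
2024-03-01T09:02:11Z vpn auth user=bob src=198.51.100.4 result=FAIL
2024-03-01T09:02:30Z vpn auth user=bob src=198.51.100.4 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_events(text: str) -> List[Dict[str, str]]:
    """Turn log lines into dicts; lines that do not match the expected shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_stuffing(events: List[Dict[str, str]],
                               min_distinct_users: int = 5) -> Dict[str, dict]:
    """Flag sources failing against many different usernames; list accounts they then logged into.

    A single user mistyping a password produces failures for one username from one source,
    so it stays below the threshold; a stuffing run spreads failures across many usernames.
    """
    by_src = defaultdict(lambda: {"failed_users": set(), "successes": []})
    for ev in events:
        bucket = by_src[ev["src"]]
        if ev["result"] == "FAIL":
            bucket["failed_users"].add(ev["user"])
        else:
            bucket["successes"].append(ev["user"])
    alerts = {}
    for src, b in by_src.items():
        if len(b["failed_users"]) >= min_distinct_users:
            alerts[src] = {
                "distinct_users_failed": len(b["failed_users"]),
                "compromised_candidates": b["successes"],  # accounts to reset and investigate
            }
    return alerts


if __name__ == "__main__":
    for src, alert in detect_credential_stuffing(parse_events(LOG_LINES)).items():
        print(f"ALERT {src}: {alert['distinct_users_failed']} distinct users failed, "
              f"successful logins for {alert['compromised_candidates']}")
```

The "compromised_candidates" list is what turns the alert into a response action: those accounts are the ones whose reused passwords worked, so they need a forced reset and session review, which is exactly the gap MFA closes in the scenario.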
Common mistakes and misconceptions
- Calling two passwords two factor. Two knowledge based secrets do not create MFA.
- Relying on SMS codes for high risk accounts. SIM swap and SS7 weaknesses make SMS inappropriate for admin or financial access.
- Ignoring biometric error rates. Setting thresholds without considering FAR and FRR leads to either too many false accepts or frustrated users.
- Storing passwords improperly. Plaintext or unsalted hashes make any breach catastrophic.
- Implementing MFA only for external access. Internal privileged operations often remain vulnerable.
Actionable checklist
- Classify the factor type for every authentication method your organization uses and identify where you truly have MFA.
- Require MFA for remote access, privileged accounts, and access to highly sensitive data.
- Review how passwords are stored. Confirm the use of modern salted hashing algorithms and unique salts per user.
- Reduce dependence on SMS based OTPs. Prioritize app based authenticators or hardware tokens for high value users.
- Document acceptable FAR and FRR ranges for biometric systems and review them with both security and usability stakeholders.
- Pilot FIDO2 or smart card based authentication for administrators, then expand if results are positive.
- Implement risk based policies that trigger stronger authentication when context changes or risk increases.
Key takeaways
- Authentication verifies identity using something you know, have, or are. True MFA requires combining different factor types.
- Passwords remain common but must be handled carefully, with proper storage and checks against breached password lists.
- Biometrics offer convenience, but error rates and irreversibility require careful design and policy.
- Modern approaches like FIDO2 provide strong, phishing resistant authentication and reduce reliance on shared secrets.
- Matching authentication strength to risk is central to both good security practice and CISSP thinking.
Optional exam style reflection question
Question: A system uses a password plus a one time code sent by SMS as its second factor. The organization wants to reduce the risk of account takeover for administrators. What change provides the most effective improvement?
Answer: Replace SMS based codes for administrators with a stronger possession factor, such as hardware security keys using FIDO2 or app based authenticators on managed devices. This reduces exposure to SIM swap and message interception while keeping multi factor authentication in place.