Weekly CISSP Practice

Exam Questions

Week 11 - Question 1

What's the weakest form of authentication among these?

A.  Something you are

B.  Something you know

C.  Something you do

D.  Something you have

Correct Answer:  C

A. Something You Are (Biometrics)
This factor refers to physical or physiological characteristics unique to an individual, such as fingerprints, retina scans, iris patterns, or facial recognition.

The Strength: Because these traits are inherent to the person, they are extremely difficult to "lose" or "share" compared to a password or a physical key.

The Complexity: While strong, biometrics are not perfect; their accuracy is characterized by Type I and Type II error rates (False Rejection Rate vs. False Acceptance Rate). From a purely technical standpoint, however, "who you are" is significantly harder to spoof than behavioral patterns.

B. Something You Know (Knowledge-Based)
This is the most common form of authentication, involving information that a user memorizes, such as passwords, PINs, or the answers to security questions.

The Vulnerability: Passwords can be guessed, social-engineered, or cracked via brute force.

The Status: Despite its flaws, it remains a standard because it is inexpensive to implement. In the hierarchy of authentication, a "strong" password (high entropy) is generally more reliable for consistent access control than behavioral dynamics, which can change based on the user's environment.

C. Something You Do (Behavioral Biometrics)
This factor focuses on behavioral patterns, such as your typing speed (keystroke dynamics), the way you move a mouse, or even your gait (the way you walk).

Why it's the Answer: "Something you do" is considered the weakest because it has the highest rate of variability. If a user is tired, injured, stressed, or using a different keyboard, their "signature" behavior changes significantly.

The Reliability Gap: Because behavioral patterns are so fluid, systems must often lower their sensitivity to avoid locking out legitimate users. This lower sensitivity creates a larger window for attackers to mimic the behavior, making it less robust than static factors like a fingerprint or a hardware token.

D. Something You Have (Possession-Based)
This refers to a physical object that a user must possess to gain access, such as a hardware token (YubiKey), a smart card, or a one-time password (OTP) sent to a mobile device.

The Logic: This is a strong factor because an attacker must physically steal the object to impersonate the user.

The Limitation: The primary risk is loss or theft of the device. However, when paired with another factor (like a PIN), it creates a very high barrier to entry.

Key Takeaway for the CISSP Exam

  • Factor Hierarchy:
      • Type 1 (Knowledge): Password/PIN.
      • Type 2 (Possession): Token/Phone.
      • Type 3 (Inherence): Fingerprint/Iris.
  • Behavioral (the "something you do" factor): Often used for continuous authentication rather than the initial login because of its lower reliability.
