Weekly CISSP Practice Exam Questions
Week 40 - Question 2
Which of the following is NOT a common method for authenticating a user?
A. Something You Know
B. Something You Are
C. Somewhere You Are
D. Something You Have
Answer: C
Explanation:
A. Something You Know (Knowledge Factor)
This is the most common and least expensive form of authentication.
- The Mechanism: It relies on information the user has memorized.
- Examples: Passwords, PINs, or the answer to a "secret question."
- The Risk: It is the most vulnerable to social engineering and brute-force attacks.
B. Something You Are (Inherence Factor)
This refers to Biometrics—physical or behavioral characteristics unique to an individual.
- The Mechanism: It involves scanning a part of the body or measuring a behavior.
- Examples: Fingerprints, retina/iris scans, facial recognition, or voice patterns.
- The Goal: To provide high assurance that the person present is the authorized user.
C. Somewhere You Are (Location Factor)
This is an Attribute or Contextual Factor, but it is generally excluded from the "Standard Three."
- Why it's the Answer: In the classic CISSP curriculum, authentication is defined by the three factors above. While Geolocation (IP address, GPS) is frequently used today to block suspicious logins (e.g., a login from a different country), it is technically a supplemental check rather than a core authentication factor.
- The Nuance: Some modern frameworks add "Somewhere You Are" and "Something You Do" (behavioral biometrics) as 4th and 5th factors, but for the exam, stick to the "Big Three."
D. Something You Have (Possession Factor)
This requires the user to physically possess an object.
- The Mechanism: A physical or digital "token" that proves identity.
- Examples: Smart cards, hardware tokens (RSA SecurID), or a temporary code (OTP) sent to a mobile phone via an app like Google Authenticator.