
Weekly CISSP Practice

Exam Questions

Week 45 - Question 2

Which of the following offers the highest assurance of a user's identity?
A. Username and Password
B. Smart Card
C. Biometric Authentication
D. CAPTCHA
Answer: C. Biometric Authentication
Explanation:

Understanding the Levels of Identity Assurance
In cybersecurity, "assurance" refers to the level of confidence we have that a person is who they claim to be. We establish it through the "factors" of authentication: something you know, something you have, and something you are. The harder a factor is to share, steal, or forge, the higher the assurance it provides.
1. Biometric Authentication (The "Something You Are" Factor)
Biometric authentication uses unique physical or behavioral characteristics to verify identity. Because these traits are bound to the individual's body or behavior rather than to a secret or an object, the exam treats them as the factor with the highest level of assurance.
  • Why it wins: Unlike a password (which can be shared) or a smart card (which can be stolen or lent), your iris pattern or fingerprint is inherently yours and cannot be handed to someone else. It is much harder to forge a biometric than to steal a token, although presentation attacks (spoofing a fingerprint or face) do exist, and a compromised biometric cannot be reissued the way a password or card can.
  • CISSP Examples: Fingerprint scanners, iris/retina recognition, facial geometry, hand geometry, and voice patterns.
  • Note for the Exam: Biometrics raise privacy concerns and are never perfectly accurate. A Type I error is a false rejection (a legitimate user is denied; measured as the False Rejection Rate, FRR), and a Type II error is a false acceptance (an impostor is admitted; measured as the False Acceptance Rate, FAR). Type II is the security-relevant failure. Tightening the match threshold lowers FAR but raises FRR; the point where the two rates are equal is the Crossover Error Rate (CER), the standard figure for comparing biometric systems.
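The trade-off between Type I and Type II errors is easier to see with numbers. The following Python is an added worked example, not code from the original question page: it takes a set of constructed matcher similarity scores (genuine users against their own templates, impostors against someone else's), computes FRR and FAR at a chosen threshold, and sweeps the threshold to locate the crossover error rate. The score values and the function names are assumptions made for the illustration.

```python
"""Added example: Type I (false rejection) vs Type II (false acceptance)
rates for a biometric matcher, and the crossover error rate (CER).

A matcher is assumed to return a similarity score in [0, 1]; a probe is
accepted when its score is at or above the decision threshold.
"""

# Constructed sample data (not measurements from any real system):
# scores of legitimate users matched against their own enrolled template.
GENUINE_SCORES = [0.91, 0.88, 0.85, 0.82, 0.79, 0.76, 0.74, 0.71, 0.66, 0.60]
# scores of other people matched against a template that is not theirs.
IMPOSTOR_SCORES = [0.20, 0.28, 0.33, 0.38, 0.44, 0.52, 0.58, 0.63, 0.69, 0.74]


def false_rejection_rate(genuine, threshold):
    """Type I error: fraction of genuine attempts scored below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostor, threshold):
    """Type II error: fraction of impostor attempts scored at or above it."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) for one threshold setting."""
    return (false_rejection_rate(genuine, threshold),
            false_acceptance_rate(impostor, threshold))


def crossover_error_rate(genuine, impostor, steps=1000):
    """Sweep thresholds from 0 to 1 and return (threshold, rate) at the point
    where FRR and FAR are closest; the rate reported is their mean (the CER).
    The first threshold reaching the minimum gap is kept."""
    best_t, best_gap, best_rate = None, None, None
    for i in range(steps + 1):
        t = i / steps
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_t, best_gap, best_rate = t, gap, (frr + far) / 2
    return best_t, best_rate


if __name__ == "__main__":
    # A loose threshold admits impostors (high FAR); a strict one locks out
    # legitimate users (high FRR). The CER sits in between.
    for t in (0.5, 0.8):
        frr, far = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold={t:.2f}  FRR(Type I)={frr:.2f}  FAR(Type II)={far:.2f}")
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover at threshold~{t:.3f}, CER={cer:.2f}")
```

With these sample scores a threshold of 0.5 rejects no genuine users but accepts half the impostors, a threshold of 0.8 accepts no impostors but rejects six of ten genuine users, and the two rates cross at 0.2 for a threshold just above 0.66. A security-critical deployment would set the threshold above the crossover point, accepting more false rejections to drive the Type II rate down.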
2. Smart Card (The "Something You Have" Factor)
A Smart Card is a physical token, often containing a chip (like a CAC or PIV card).
  • The Weakness: While more secure than a password, the card on its own only proves that the object is present, not who is holding it. If an attacker steals a card that is used without a PIN or biometric, they can impersonate the user completely. Pairing the card with a PIN turns it into two-factor authentication (which is how CAC and PIV cards are normally deployed), but the card still lacks the biological binding found in biometrics.
3. Username and Password (The "Something You Know" Factor)
This is the most common but weakest form of authentication.
  • The Weakness: Knowledge is easily transferable. Passwords can be phished, guessed by brute force or dictionary attack, reused across sites, or purchased from leaked credential dumps. In a CISSP scenario, "something you know" is almost always the answer when the question asks for the least secure method.
4. CAPTCHA (The "Are You a Bot?" Control)
It is vital to distinguish between Authentication and Anti-Automation.
  • The Purpose: CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is designed to stop bots from spamming forms or brute-forcing logins. It is an anti-automation control, not an authentication factor.
  • Identity Assurance: It provides zero identity assurance. A CAPTCHA cannot tell whether the person solving it is Alice, Bob, or an attacker; it only provides evidence that the client is probably a human rather than a script, and even that can be defeated by CAPTCHA-solving services.
