Authentication is the process of verifying that a claimed identity is genuine. For the CISSP exam, authentication is tested at the conceptual level: understanding the categories of authentication factors, the security properties of different authentication methods, biometric performance metrics, and the vulnerabilities of session management. Domain 5 questions about authentication tend to focus on selecting the most appropriate authentication mechanism for a given scenario.
Authentication Factors: The Five Categories
Authentication factors are categorised by what they are based on. The CISSP recognises five factor categories.
Something you know is knowledge-based authentication: passwords, PINs, passphrases, and security questions. Knowledge factors are the most common authentication mechanism and the weakest: passwords can be guessed, cracked, phished, or reused across sites. Security questions provide particularly weak authentication because the answers (mother's maiden name, childhood pet) are often publicly available or easily researched.
Something you have is possession-based authentication: hardware tokens (RSA SecurID, YubiKey), smart cards, mobile devices used for one-time passwords (OTP), and digital certificates stored on hardware. Possession factors are stronger than knowledge factors but can be lost or stolen. If an attacker obtains the physical token, they can authenticate as the token owner.
Something you are is inherence-based authentication: biometrics such as fingerprints, facial recognition, iris scans, voice patterns, and behavioural biometrics. Biometrics are inherently linked to the individual and cannot be forgotten or left at home. However, unlike a password, biometric data cannot be changed if compromised: a stolen biometric template is a permanent compromise.
Somewhere you are is location-based authentication: IP geolocation, GPS location, network context. Authenticating from an unusual location (a different country than normal) can trigger additional authentication requirements. Location factors are weak standalone authenticators but valuable as contextual signals in risk-based authentication.
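The following is an added example, not code from the original article: a minimal risk-based authentication decision in Python that classifies each presented authenticator into one of the factor categories described above, counts how many distinct categories were satisfied (so a password plus a security question still counts as one knowledge factor), and treats location only as a contextual signal that can raise the number of categories required, never as a factor on its own. The authenticator names, the baseline policy of one category, and the sample user profile are constructed assumptions for illustration.

```python
"""Added example (not from the original article): a small risk-based
authentication decision built on the factor categories described above.
All authenticator names, policy thresholds and sample data are constructed."""

from dataclasses import dataclass
from enum import Enum
from typing import List, Set


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Constructed mapping of authenticator types to factor categories. A security
# question is still a knowledge factor: it adds no category diversity beyond
# a password.
AUTHENTICATOR_CATEGORY = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "security_question": Factor.KNOW,
    "hardware_token": Factor.HAVE,
    "smart_card": Factor.HAVE,
    "mobile_otp": Factor.HAVE,
    "fingerprint": Factor.ARE,
    "face": Factor.ARE,
}


@dataclass
class LoginAttempt:
    user: str
    authenticators: List[str]   # authenticator types presented in this attempt
    country: str                # derived from IP geolocation; contextual only


@dataclass
class UserProfile:
    user: str
    usual_countries: Set[str]   # countries this user normally signs in from


def distinct_factor_categories(authenticators: List[str]) -> Set[Factor]:
    """Return the set of factor categories satisfied by the presented
    authenticators. Two knowledge factors count as a single category."""
    categories = set()
    for kind in authenticators:
        if kind not in AUTHENTICATOR_CATEGORY:
            raise ValueError(f"unknown authenticator type: {kind}")
        categories.add(AUTHENTICATOR_CATEGORY[kind])
    return categories


def decide(attempt: LoginAttempt, profile: UserProfile,
           baseline_categories: int = 1) -> str:
    """Return 'allow', 'step_up' or 'deny'.

    Location is never counted as a factor. An unfamiliar country does not by
    itself deny access; it raises the number of distinct factor categories
    required by one, which is the "contextual signal" role the text gives it.
    """
    satisfied = distinct_factor_categories(attempt.authenticators)
    if not satisfied:
        return "deny"
    unusual_location = attempt.country not in profile.usual_countries
    needed = baseline_categories + (1 if unusual_location else 0)
    needed = min(needed, len(Factor))   # cannot require more categories than exist
    return "allow" if len(satisfied) >= needed else "step_up"


if __name__ == "__main__":
    alice = UserProfile("alice", {"GB"})               # constructed profile
    print(decide(LoginAttempt("alice", ["password"], "GB"), alice))
    print(decide(LoginAttempt("alice", ["password"], "BR"), alice))
    print(decide(LoginAttempt("alice", ["password", "security_question"], "BR"), alice))
    print(decide(LoginAttempt("alice", ["password", "mobile_otp"], "BR"), alice))
```

Run it as a script to see the four decisions: a password alone is accepted from the user's usual country, becomes a step-up from an unfamiliar one, adding a security question changes nothing because it is the same category, and adding a mobile OTP (a possession factor) satisfies the raised requirement.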