You are evaluating alternatives to the physical access control system of the computer room. Which of the following provides the highest level of security?
A. Press PIN code on the keypad
B. Input Employee ID and password to the keypad
C. Swipe a contact ID card and input the PIN code
D. Input Employee ID first, then scan the fingerprint
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Swipe a contact ID card and input the PIN code.
Swiping a contact ID card and then entering a PIN code is two-factor authentication: the ID card is a something-you-have authenticator, and the PIN code is a secret, a something-you-know authenticator.
- Pressing a PIN code on the keypad alone is weak because it provides no accountability.
- Entering an Employee ID and password on the keypad is one-factor authentication using something-you-know.
The three types of authentication factors are something you know, something you have, and something you are. Every authenticator has one or more authentication factors. (NIST SP 800-63-3)
The more factors used in the authentication process, the higher the security level. NIST SP 800-63-3 recognizes three authentication factors: something-you-know, something-you-have, and something-you-are. Others, such as somewhere-you-are and something-you-do, are not standard authentication factors from the NIST perspective.
Authenticator: Something the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity. In previous editions of SP 800-63, this was referred to as a token. (NIST SP 800-63-3)
Authentication relies on the subject’s possession and control of an authenticator that contains a secret. The subject asserts its identity to the verifier and then proves that identity by demonstrating possession and control of the authenticator; e.g., a username (identity) and password (secret) are the common something-you-know pairing.
One-To-One (1:1) Verification and One-To-Many (1:N) Identification
An Employee ID is an identity, not a secret. Entering the Employee ID first and then scanning a fingerprint is also one-factor authentication, using something-you-are: the fingerprint proves the claimed identity (the Employee ID). It is a weak one-to-one (1:1) biometric verification. Without the Employee ID, it becomes a one-to-many (1:N) identification.
- Verification and Identification
- The Difference Between 1:N, 1:1, and 1:Few and Why it Matters in Patient ID
- Defining Patient Verification & Identification in Healthcare
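As an added example (not from the original post), the following Python models the difference discussed above between 1:1 verification, where the Employee ID selects a single enrolled template, and 1:N identification, which searches the whole enrolled population; the employee IDs, enrollment data, matching threshold and toy similarity measure are constructed stand-ins for a real biometric matcher.

```python
from typing import Dict, List, Optional, Tuple

Template = Tuple[int, ...]  # constructed toy biometric: a tuple of feature codes

# Constructed enrollment database: Employee ID -> enrolled template (toy data).
ENROLLED: Dict[str, Template] = {
    "E1001": (3, 7, 1, 9, 4, 2, 8, 5),
    "E1002": (6, 2, 9, 1, 7, 3, 5, 8),
    "E1003": (3, 7, 1, 9, 4, 2, 8, 6),  # near-duplicate of E1001's template
}
THRESHOLD = 0.75  # fraction of features that must agree to declare a match


def similarity(a: Template, b: Template) -> float:
    """Fraction of feature positions on which two templates agree."""
    return sum(x == y for x, y in zip(a, b)) / len(a)


def verify_1_to_1(claimed_id: str, sample: Template) -> bool:
    """1:1 verification: the claimed identity (Employee ID) selects exactly one
    enrolled template, and the sample is compared against that template only.
    The ID is an identity, not a secret: knowing it proves nothing by itself."""
    enrolled: Optional[Template] = ENROLLED.get(claimed_id)
    if enrolled is None:
        return False  # unknown claim: nothing to compare against
    return similarity(sample, enrolled) >= THRESHOLD


def identify_1_to_n(sample: Template) -> List[str]:
    """1:N identification: no identity is claimed, so the sample is compared
    against every enrolled template. Every comparison is a chance of a false
    match, so similar templates can yield several (ambiguous) candidates."""
    return [eid for eid, t in ENROLLED.items() if similarity(sample, t) >= THRESHOLD]


def system_fmr_1_to_n(fmr: float, n: int) -> float:
    """With a per-comparison false match rate `fmr` and n independent enrolled
    templates, the probability that a random impostor matches at least one of
    them is 1 - (1 - fmr)^n; it grows with the enrolled population, whereas
    1:1 verification stays at `fmr` regardless of n."""
    return 1.0 - (1.0 - fmr) ** n


if __name__ == "__main__":
    sample = ENROLLED["E1001"]  # constructed: a genuine presentation by E1001
    print("1:1 claim E1001:", verify_1_to_1("E1001", sample))   # True
    print("1:1 claim E1002:", verify_1_to_1("E1002", sample))   # False
    print("1:N candidates :", identify_1_to_n(sample))          # ambiguous
    for n in (1, 100, 1000):
        print(f"impostor accept rate, FMR=0.1%, N={n}: {system_fmr_1_to_n(0.001, n):.3f}")
```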
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.