Effective CISSP Questions

You are implementing single-factor authentication. Which of the following is the least effective authentication solution? (Wentz QOTD)
A. Password
B. One-time password token
C. Fingerprint
D. Retina

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Fingerprint.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Figure: Attack Points/Vectors on Biometric System (Image Credit: Fahad Layth Malallah)

According to the NIST Digital Identity Guidelines, a biometric does not constitute a secret and, when employed as a single factor of authentication, does not constitute an acceptable secret for digital authentication, so a fingerprint or retina alone is not an effective single-factor authentication solution. Biometrics are unique personal attributes, but most of them are routinely exposed and hence not secret enough. For example, a person’s fingerprints can be captured from photos on social media or lifted from a wine glass.

However, the retina, unlike the fingerprint, is hard to copy because it is located at the base of the eyeball, near the optic nerve, and IMO retains some degree of secrecy. Based on the property of secrecy and the NIST guidelines, we can conclude that the fingerprint is the least effective authentication solution in single-factor authentication.

Retinal Scan

“A retinal scan is a biometric technique that maps the unique patterns of a person’s retina using a low-intensity light source. Through a delicate sensor, a retinal scan examines the pattern of retina blood vessels, which remains unchanged from birth until death. Given the accuracy of its matching capabilities, retinal scan technology is difficult to spoof and is typically deployed in top-level security applications for authentication and identification. With an estimated error rate of just one in ten million, retina recognition technology has been implemented by several US government agencies such as the Federal Bureau of Investigation (FBI), Central Intelligence Agency (CIA), and National Aeronautics and Space Administration (NASA). Nowadays, retinal scanning has also been deployed in a number of applications, including ATM identity verification and prevention of welfare fraud.” (Innovatrics)

“A retinal scan is a biometric technique that uses unique patterns on a person’s retina blood vessels. It is not to be confused with other ocular-based technologies: iris recognition, commonly called an “iris scan”, and eye vein verification that uses scleral veins.” (Wikipedia)

Digital Identity Guidelines

The following is a digest from NIST SP 800-63-3 (Digital Identity Guidelines):

  • Authenticator refers to “something the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity.” In previous editions of SP 800-63, this was referred to as a token. In this volume, authenticators always contain a secret.
  • The secrets contained in authenticators are based on either public key pairs (asymmetric keys) or shared secrets (symmetric keys). Shared secrets stored on authenticators may be either symmetric keys or memorized secrets (e.g., passwords and PINs), as opposed to the asymmetric keys described above, which subscribers need not share with the verifier.
  • Biometric characteristics are unique personal attributes that can be used to verify the identity of a person who is physically present at the point of verification. They include facial features, fingerprints, iris patterns, voiceprints, and many other characteristics. However, a biometric does not constitute a secret and when employed as a single factor of authentication, does not constitute acceptable secrets for digital authentication. Accordingly, these guidelines (SP 800-63 series) only allow the use of biometrics for authentication when strongly bound to a physical authenticator.
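The rule that decides this question (a biometric contains no secret, so it counts only when strongly bound to a physical authenticator) can be written down as a small policy check. The block below is an added example, not code from the post or from NIST; the `Factor` enum, the `Authenticator` record, the `evaluate()` function and the sample authenticators are all constructed here. It encodes only the SP 800-63 digest above, so it rejects fingerprint and retina alike when presented alone; the post’s finer ranking of retina over fingerprint by secrecy is deliberately not modelled.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


@dataclass(frozen=True)
class Authenticator:
    name: str
    factor: Factor
    contains_secret: bool                       # per SP 800-63, authenticators always contain a secret
    bound_to: Optional["Authenticator"] = None  # biometrics only: the physical authenticator they unlock


def evaluate(presented: list) -> dict:
    """Apply the digest's rules to a set of presented authenticators (assumed policy, not NIST code).

    Returns whether the set is acceptable at all, how many distinct factors count,
    and a reason for every authenticator that was ignored.
    """
    counted = set()
    ignored = []
    for auth in presented:
        if auth.contains_secret:
            counted.add(auth.factor)
            continue
        # No secret: only a biometric strongly bound to a presented physical
        # authenticator that itself holds a secret may contribute a factor.
        anchor = auth.bound_to
        if (auth.factor is Factor.INHERENCE and anchor is not None
                and anchor.factor is Factor.POSSESSION and anchor.contains_secret
                and anchor in presented):
            counted.add(Factor.INHERENCE)
        else:
            ignored.append(f"{auth.name}: not a secret and not bound to a presented physical authenticator")
    return {"acceptable": bool(counted), "factors": len(counted), "ignored": ignored}


# Constructed sample authenticators: the four answer options plus a bound biometric.
PASSWORD = Authenticator("password", Factor.KNOWLEDGE, contains_secret=True)
OTP_TOKEN = Authenticator("one-time password token", Factor.POSSESSION, contains_secret=True)
FINGERPRINT = Authenticator("fingerprint", Factor.INHERENCE, contains_secret=False)
RETINA = Authenticator("retina", Factor.INHERENCE, contains_secret=False)
SECURITY_KEY = Authenticator("hardware security key", Factor.POSSESSION, contains_secret=True)
KEY_FINGERPRINT = Authenticator("fingerprint on security key", Factor.INHERENCE,
                                contains_secret=False, bound_to=SECURITY_KEY)

if __name__ == "__main__":
    for attempt in ([PASSWORD], [OTP_TOKEN], [FINGERPRINT], [RETINA],
                    [SECURITY_KEY, KEY_FINGERPRINT], [PASSWORD, FINGERPRINT]):
        names = " + ".join(a.name for a in attempt)
        print(f"{names:45s} -> {evaluate(attempt)}")
```

Running it shows the password and OTP token each passing as one acceptable factor, fingerprint and retina alone scoring zero, and the fingerprint counting as a second factor only when the security key it is bound to is presented with it; a password plus an unbound fingerprint is still single-factor under this reading of the guidelines.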


You are implementing single-factor authentication. Which of the following is the least effective authentication solution? (Wentz QOTD)
A. Password
B. One-time password (OTP) token
C. Fingerprint
D. Retina
