Certified Information Privacy Technologist (CIPT) — Question 276
A privacy engineer advises that multifactor authentication be used to log into a system containing personal data. Which of the following would be acceptable?
Answer options
- A. Fingerprint scanning and then iris scanning.
- B. Facial recognition and then entering a PIN.
- C. Plugging in a smart card and then verifying a code sent to a mobile device.
- D. Entering a password and then answering a security question tied to the person.
Correct answer: C
Explanation
Option C is correct because it employs two different factors: something you have (smart card) and something you know (verification code). Options A and B use biometric methods, which are considered the same factor, while option D relies on knowledge-based authentication, which is less secure than the combination in option C.