The exam will name an authentication method and ask which factor category it belongs to. The classification is determined by asking one question about the method:
- Is it something memorized or recalled? → Something you know (password, PIN, pattern, security question)
- Is it a physical item you carry or a device you possess? → Something you have (smart card, USB security key, hardware token, software token app, phone for SMS OTP)
- Is it a body characteristic that is measured? → Something you are (fingerprint, iris, retina, voice, face geometry)
- Is it a location that is verified? → Somewhere you are (IP geolocation, GPS, cellular, Wi-Fi triangulation)
The most common classification confusion the exam exploits:
- SMS OTP → something you have (not something you know). The code is received via the phone, not memorized in advance. It requires possession of the registered phone number.
- Software token app (Google Authenticator) → something you have. Requires the registered smartphone device.
- PIN → something you know. Even though it is short, it is memorized. However: a PIN + smart card combination = know + have = MFA.
The exam will ask what is stored in a biometric database or how biometric authentication works. Three wrong answers will be offered:
- “A high-resolution image of the biometric” — wrong. Images are captured during enrollment but not stored. Storing the image would create a different privacy and security problem.
- “A cryptographic hash of the biometric data” — wrong. Biometrics are not hashed like passwords. Hashing would require exact bit-for-bit reproduction at authentication time, which is impossible with biological inputs (fingerprints compress slightly differently each scan).
- “An encrypted template that can be reconstructed into the original biometric” — wrong. Templates are not reversible.
The correct answer: a mathematical representation (or template, or feature set) extracted from the biometric. Key point numbers, distances, angles, and patterns are extracted and stored as a vector of measurements. Authentication compares a new extraction against this stored model.
The cannot-be-changed follow-up: if the exam asks what happens when a biometric database is breached, the answer is that affected users cannot change their biometric. This is unique to the inherence factor and has no equivalent in other factor types.
The exam will describe a scenario where MFA was bypassed and ask why SMS OTP specifically failed. The answer is always SIM swapping, and the stronger alternative is always a hardware token or FIDO2 security key.
The SIM swap scenario pattern:
- Attacker obtains victim's password (phishing, credential stuffing, dark web purchase)
- Attacker contacts the mobile carrier, impersonates the victim, and convinces carrier to port the phone number to a new SIM
- Victim's phone loses service; attacker's phone starts receiving all calls and SMS
- Attacker initiates login, enters victim's password, receives the SMS OTP on their phone, enters it
- Authentication succeeds despite MFA being enabled
Why hardware token and FIDO2 keys resist this:
- Hardware tokens are physical devices that cannot be transferred via a phone call to a carrier
- FIDO2 keys use challenge-response cryptography bound to the physical device AND the specific website domain — no interceptable code is ever transmitted
The exam often presents FAR and FRR with the definitions reversed in the wrong answer choices. The key is to memorize which direction each error goes:
- FAR (False Acceptance Rate): the system accepts someone it should reject. An impostor is falsely accepted. This is the security metric — high FAR = security failure.
- FRR (False Rejection Rate): the system rejects someone it should accept. A legitimate user is falsely rejected. This is the usability metric — high FRR = user frustration.
The trade-off the exam tests:
- Making the biometric scanner more sensitive (stricter match required) → fewer impostors accepted (FAR drops) but more legitimate users rejected (FRR rises)
- Making the scanner less sensitive (looser match) → fewer legitimate users rejected (FRR drops) but more impostors accepted (FAR rises)
- CER = the sensitivity setting where FAR = FRR. Lower CER = better system (same accuracy at a better balance point)
Memory device: FAR = security risk (False Access is given to an attacker). FRR = Frustrating for Real users (Real users are Rejected).