National Institute of Standards and Technology (NIST):
NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and
Lifecycle Management.
Section 4, "Authentication Factors": Defines the three factor types: Something You
Know, Something You Have, and Something You Are.
Section 5.1.1, "Memorized Secrets (Something You Know)": Discusses passwords and
PINs.
Section 5.1.2, "Look-Up Secrets (Something You Know)": A pre-shared secret.
Section 5.1.4, "Out-of-Band Devices (Something You Have)": Describes receiving
codes via SMS or push notifications to a pre-registered device.
Section 5.1.5, "Single-Factor OTP Devices (Something You Have)": Refers to
hardware or software authenticators that generate one-time passwords.
Section 5.1.7, "Biometrics (Something You Are)": Discusses fingerprint, facial
recognition, etc.
URL: https://doi.org/10.6028/NIST.SP.800-63b (Specifically, pages 7-10 for factor
definitions, and subsequent sections for examples like passwords (pg 14), OTP devices
(pg 23), and biometrics (pg 28)).
IEEE (Institute of Electrical and Electronics Engineers):
Sasse, M. A., Brostoff, S., & Weirich, D. (2001). Transforming the 'weakest link': a
human/computer interaction approach to usable and effective security. BT Technology
Journal, 19(3), 122-131. (While older, it lays out foundational concepts that are often cited).
This article discusses the three classic authentication factors: "something a person
knows (e.g. a password), something a person has (e.g. a smartcard), and something a
person is (e.g. a fingerprint)." (Page 126).
DOI: https://doi.org/10.1023/A:1011915109855
University Courseware (Example - though direct links to PDFs might change,
concept is standard):
Many cybersecurity courses from reputable universities (e.g., MIT OCW, Stanford,
Carnegie Mellon) cover authentication factors. For example, a typical lecture on access
control or authentication would define these three factors.
Example Concept: "Authentication factors include knowledge factors (something you
know, like a password), possession factors (something you have, like a security token),
and inherence factors (something you are, like a fingerprint)." (This is a general
representation of common university course content). Finding a stable, specific page for
this general concept from a courseware site can be difficult, but NIST SP 800-63B
is the definitive, stable reference.