Two-factor authentication requires two of the three methods. Which statement is true?

• A. Using the same method twice counts as two factors.
• B. Two factors must come from different categories.
• C. Two different methods from the three categories must be used.
• D. It can be achieved with a single biometric factor.

Answer: (C)

Two-factor authentication requires proving your identity using two distinct kinds of evidence drawn from the three authentication categories: something you know, something you have, and something you are. The statement that two different methods from those three categories must be used is the best description because it enforces using two separate categories, not two methods from the same category. For example, a password (something you know) paired with a hardware token (something you have) satisfies two factors from different categories. Relying on two passwords or two biometric checks would still come from a single category and would not meet the two-factor requirement. A single biometric by itself is only one factor, so it isn’t sufficient.