A biometric factor is an authentication factor based on something the user IS, like a fingerprint, face scan, or iris pattern. It's one of the four factor types (alongside knowledge, possession, and location) used to verify a user's identity in AP Cybersecurity Topic 4.2.
A biometric factor is the "something you are" category of authentication. Instead of proving who you are with something you remember (a password) or something you carry (a phone), you prove it with a physical trait: a fingerprint, a face scan, an iris pattern, even your voice.
In the CED, the proof a user gives to identify themselves is called a factor (EK 4.2.C.1). There are four standard types: a knowledge factor (something you know), a possession factor (something you have), a biometric factor (something you are), and a location factor (somewhere you are). The biometric factor is unique because it's tied to your body, not to information or an object that can be handed off, guessed, or stolen the way a password can.
This term lives in Unit 4: Securing Devices, specifically Topic 4.2 Authentication, and it directly supports learning objective AP Cybersecurity 4.2.C, which asks you to determine which type of authentication is being used to verify a user's identity. To hit that objective you have to recognize all four factor types and correctly sort an example into the right one. Biometrics are the factor that's hardest to copy, which is why they show up constantly in multi-factor authentication (MFA) discussions. They also connect to the bigger Unit 4 idea from 4.2.B: if a single password gets compromised and there's no second factor, an attacker gets full access. Adding a biometric factor is one of the protections that breaks that chain.
Knowledge Factor and Possession Factor (Unit 4)
Biometric is one of three siblings. A password is a knowledge factor, a phone receiving a code is a possession factor, and your fingerprint is a biometric factor. Combine two different types and you've built multi-factor authentication, which is far stronger than any single factor alone.
Password Attacks (Unit 4, Topic 4.2.B)
Online and offline password attacks target knowledge factors because passwords can be guessed or cracked from a stolen database. A biometric factor sidesteps that whole problem since you can't run a dictionary attack against a fingerprint, which is exactly why it's added as a second factor.
Access Control and Authorization (Unit 4)
Authentication proves WHO you are, then access control models like RBAC, MAC, and DAC decide WHAT you're allowed to do. A biometric factor is the front door; access control is everything that happens once you're inside.
Expect biometric factors on multiple-choice questions that hand you a scenario and ask you to identify the factor type. A stem might describe someone unlocking a device with a fingerprint or face scan and ask which authentication factor that demonstrates, and the right answer is biometric ("something you are"). Other questions test whether you can tell the four factors apart, like asking for an example of a knowledge factor versus a biometric one. You may also see MFA scenarios, such as a password plus a phone code, that ask you to explain why combining factors strengthens authentication. Your job is to correctly classify the example and, when asked, explain that mixing different factor types is what makes MFA secure.
Both feel "physical," so they're easy to mix up. A possession factor is something you HAVE, like a phone or a hardware token, and it can be lost, stolen, or handed to someone else. A biometric factor is something you ARE, a body trait like a fingerprint that you can't lend out. If the proof is an object, it's possession; if it's part of your body, it's biometric.
A biometric factor is the "something you are" authentication factor, proven by a body trait like a fingerprint, face, or iris.
It is one of four factor types in EK 4.2.C.1, alongside knowledge (something you know), possession (something you have), and location (somewhere you are).
Biometrics are hard to steal or guess because they're tied to your body, not to information or an object.
Combining a biometric factor with a different factor type creates multi-factor authentication (MFA), which is much stronger than one factor alone.
On the exam, your main task is classifying a scenario into the correct factor type for learning objective AP Cybersecurity 4.2.C.
It's the authentication factor based on something the user IS, such as a fingerprint, face scan, or iris pattern. It's one of the four factor types in EK 4.2.C.1 used to verify a user's identity in Topic 4.2 Authentication.
It's a biometric factor. Possession factors are objects you HAVE like a phone or token; a fingerprint is part of your body, so it falls under "something you are."
A password is a knowledge factor (something you know), while a biometric factor is something you are. Passwords can be guessed, cracked, or stolen in a database breach, but a biometric trait can't be run through a dictionary attack, which is why biometrics are often added as a second factor in MFA.
No, not by itself. Using only a fingerprint is still single-factor authentication. MFA requires two or more DIFFERENT factor types, like a password (knowledge) plus a fingerprint (biometric).
Knowledge (something you know, like a password or PIN), possession (something you have, like a phone), biometric (something you are, like a fingerprint), and location (somewhere you are). Learning objective 4.2.C expects you to identify which one a scenario is using.