Multi-factor authentication requires a user to prove identity using two or more different factor types. Cybersecurity standards describe the main factor categories as something you know (for example, a password or PIN), something you have (for example, a hardware token, smart card, or authenticator app producing a one-time code), and something you are (biometrics such as fingerprint, face, or iris). A valid MFA pair must come from different categories, not just two items from the same category or a mix of authentication with non-authentication concepts.
Option B is correct because it explicitly combines two distinct factor types: a knowledge factor and an inherence factor. This pairing is widely recognized as MFA because compromising one factor does not automatically compromise the other: an attacker who steals a password still needs the biometric, and spoofing a biometric does not provide the secret knowledge factor.
Option A is incorrect because “encryption” is not an authentication factor; it is a protection mechanism for confidentiality and integrity of data. Option D has the same problem: encryption is not a user factor. Option C can represent MFA in many real implementations if “token” is truly a possession factor; however, training materials and exam items often prefer the clearest, unambiguous factor-language pairing, which is why “Something You Know and Something You Are” is the best single answer here.