The most effective method for positive authentication for physical access is a retina scan because it uses a biometric characteristic that is strongly tied to the individual and difficult to share, transfer, or replicate compared with cards, codes, or visual checks. ISACA materials discussing physical access and identity verification recognize biometrics such as retina scans as a high-assurance authentication mechanism.
Option B is correct because positive authentication means reliably confirming that the person presenting for access is truly the claimed individual. A retina scan verifies “something you are,” which is generally stronger than “something you have” or “something you know” for physical access authentication.
Option A is weaker because a proximity card is only possession-based authentication. It can be lost, borrowed, stolen, or shared, so it does not positively verify identity to the same degree as biometrics. This makes it less effective than a retina scan.
Option C is also weaker. A numeric keypad depends on a code that can be disclosed or observed, and a surveillance camera is more detective than authentication-focused. Together they do not provide the same strong identity binding as biometrics.
Option D improves assurance somewhat, but a smart card is still possession-based and a security guard’s judgment can be fallible. Human verification helps, but it does not usually match the direct individual-specific certainty of biometric authentication.
Therefore, B is the best answer because a retina scan most effectively provides positive authentication by directly verifying an individual’s unique biometric characteristic.
References (Official ISACA):
ISACA Journal, Against the Quantum Threat: Selective Compatibility — references retina and palm print scans being confirmed at each use to prevent identity theft.
ISACA News and Trends biometric authentication resources index.
