One conventional approach to controlling access to a sensitive resource requires a human to (i) enter a personal identification number (PIN) into the human's authentication token, and then (ii) provide a one-time use passcode (OTP) from the human's authentication token to prove that the human is authentic (i.e., not a fraudster). If the provided OTP matches an expected OTP, the human is granted access to the sensitive resource. If the provided OTP does not match the expected OTP, the human is denied access to the sensitive resource.
Accordingly, the above-identified conventional access control approach requires the human to be in possession of two different types of authentication factors. In particular, the human must provide a PIN, i.e., the human provides a “what you know” factor (the human knows the PIN). Additionally, the human must provide an OTP from the human's authentication token, i.e., the human provides a “what you have” factor (the human has the authentication token).
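The following sketch, added here as an illustration and not taken from the original text, models the conventional flow described above with both sides of the exchange: a PIN-gated token and a verifier that compares the provided OTP with the expected one. The text does not name an OTP algorithm, so HOTP (RFC 4226) is assumed; the `Token` and `Server` classes, the look-ahead window, the salt and the sample seed and PIN are hypothetical.

```python
import hashlib
import hmac
import struct

def hotp(seed, counter, digits=6):
    """OTP algorithm assumed for this example: HOTP (RFC 4226)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _pin_digest(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class Token:
    """Hypothetical token: releases a passcode only after the correct PIN."""
    def __init__(self, seed, pin, salt=b"constructed-salt"):
        self._seed, self._salt, self._counter = seed, salt, 0
        self._pin = _pin_digest(pin, salt)

    def passcode(self, pin):
        # "What you know": a wrong PIN yields no passcode at all.
        if not hmac.compare_digest(_pin_digest(pin, self._salt), self._pin):
            return None
        otp = hotp(self._seed, self._counter)
        self._counter += 1
        return otp

class Server:
    """Hypothetical verifier that shares the token's seed."""
    def __init__(self, seed, window=3):
        self._seed, self._counter, self._window = seed, 0, window

    def grant_access(self, provided):
        if not provided:
            return False
        # "What you have": match against the expected OTP. The small
        # look-ahead window (an assumption) tolerates unused passcodes.
        for c in range(self._counter, self._counter + self._window):
            expected = hotp(self._seed, c).encode()
            if hmac.compare_digest(expected, provided.encode()):
                self._counter = c + 1  # one-time use: reject replays
                return True
        return False

if __name__ == "__main__":
    seed = b"12345678901234567890"  # constructed sample (RFC 4226 test seed)
    token, server = Token(seed, "1234"), Server(seed)
    print(server.grant_access(token.passcode("1234")))  # correct PIN
    print(server.grant_access(token.passcode("0000")))  # wrong PIN
```
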