Spec & Goals 3 min
AQA Spec 3.6.2 — Detecting/preventing threats: passwords, biometrics, CAPTCHA, email confirmation
By the end of this lesson you can:
- Explain how password systems and biometrics authenticate users.
- Describe the purpose of CAPTCHA and email confirmation.
- Explain how two-factor authentication strengthens security.
Warm-Up 5 min
Lessons 2–6 were the attacks. The next two lessons are the defences. We start with proving a user is who they claim to be — authentication.
Quick starter
To unlock a phone you might use a PIN, a fingerprint, or face recognition. What's the key difference between the PIN and the fingerprint?
Reveal the idea
A PIN is something you know; a fingerprint is something you are (a biometric). A biometric is hard to copy or share, but unlike a PIN it cannot be changed if a copy is ever obtained, which is why a phone still keeps the PIN as a fallback.
Key Concept — proving identity 14 min
Authentication is the process of confirming that a user is who they claim to be before granting access.
| Method | How it works | Strengths / weaknesses |
|---|---|---|
| Password systems | The user proves identity with a secret they know. | Simple and needs no extra hardware; but can be guessed, phished or reused, so it must be long and unique, and the system must store it only as a salted hash, never in plain text. |
| Biometrics | Uses a physical feature: fingerprint, face, iris. | Hard to copy or share; but needs special hardware, can fail to read (false rejections), and cannot be reset if a copy is ever obtained. |
| CAPTCHA | A puzzle (distorted text, image tiles) easy for humans, hard for bots. | Blocks automated attacks (brute force, fake sign-ups); mild user friction, and a determined attacker can pay people or use image-recognition software to solve them, so it slows bots rather than stopping them outright. |
| Email confirmation | A link/code sent to the user's email must be clicked/entered before the account becomes active. | Confirms the user controls that email address; stops fake registrations and catches mistyped addresses. The link should expire and work only once. |
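Worked code for two rows of the table, added here as an illustration (it is not part of the AQA materials or of any real product): a password system that stores only a salted PBKDF2 hash and compares in constant time, and an email-confirmation store that keeps only a hash of each token, expires it, and lets it be used exactly once. The stored-string layout, the iteration count, the 24-hour lifetime and the example address are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# ---- Password system: the database holds a salted hash, never the password ----
# Stored format (a layout chosen for this example, not a standard):
#   pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>
ITERATIONS = 200_000   # assumption: slow enough to hamper offline guessing


def hash_password(password: str) -> str:
    """Return the string to store for a new user or a password change."""
    salt = secrets.token_bytes(16)   # a fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids the timing leak that a plain == comparison has
    return hmac.compare_digest(digest.hex(), hash_hex)


# ---- Email confirmation: a random, expiring, single-use token ----
TOKEN_LIFETIME = 24 * 3600   # seconds; assumption for this example


@dataclass
class PendingConfirmation:
    email: str
    token_hash: str   # only the hash is stored, so a leaked table gives no usable links
    expires_at: int


@dataclass
class ConfirmationStore:
    pending: Dict[str, PendingConfirmation] = field(default_factory=dict)

    def issue(self, email: str, now: int) -> str:
        """Create the token that goes in the emailed link; returns the token itself."""
        token = secrets.token_urlsafe(32)          # 256 bits of randomness
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self.pending[token_hash] = PendingConfirmation(email, token_hash,
                                                       now + TOKEN_LIFETIME)
        return token

    def confirm(self, token: str, now: int) -> Optional[str]:
        """Return the confirmed address, or None if the token is unknown,
        expired, or already used. pop() makes every token single-use."""
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(token_hash, None)
        if entry is None or now > entry.expires_at:
            return None
        return entry.email


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("stored:", stored)
    print("right password:", verify_password("correct horse battery staple", stored))
    print("wrong password:", verify_password("Tr0ub4dor&3", stored))
    store = ConfirmationStore()
    token = store.issue("alice@example.com", now=0)   # example address
    print("first click:", store.confirm(token, now=60))
    print("second click:", store.confirm(token, now=61))
```

Run it twice and the stored string differs each time even for the same password: that is the per-user salt at work, and it is what stops an attacker who steals the table from cracking every user who chose the same password in one go.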
Two-factor authentication (2FA)
Two-factor authentication requires two different types of proof: typically something you know (a password) plus something you have (a code generated on your phone) or something you are (a fingerprint). Two proofs of the same type, such as a password plus a security question, are not two factors. A code from an authenticator app is stronger than one sent by SMS, because text messages can be intercepted or redirected to another SIM.
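Worked code for the "something you have" factor, added as an illustration (not part of the lesson materials): the time-based one-time password that authenticator apps generate, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The phone and the server share a secret once at enrolment; after that both derive the same six-digit code from the secret and the current 30-second time step, so no secret ever travels with the code. The server side also refuses to accept any time step it has already accepted, so a code captured by a phishing page cannot be replayed. The `TotpAccount` class and the one-step drift window are choices made for this example.

```python
import base64
import hashlib
import hmac
import secrets
import time

STEP = 30      # seconds per code, the usual authenticator-app setting
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 of the counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step` intervals since 1970."""
    return hotp(secret, int(at_time) // step, digits)


def new_secret() -> bytes:
    """Fresh 160-bit shared secret generated at enrolment."""
    return secrets.token_bytes(20)


def provisioning_secret(secret: bytes) -> str:
    """The base32 form that goes into the QR code the phone scans when enrolling."""
    return base64.b32encode(secret).decode()


class TotpAccount:
    """Server-side state for one user's second factor (an example class, not a library)."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.last_counter = -1   # highest time step already accepted

    def check(self, submitted: str, at_time: int, window: int = 1) -> bool:
        """Accept the current step's code or one step either side (clock drift),
        but never a step already used: a captured code cannot be replayed."""
        counter = int(at_time) // STEP
        for drift in range(-window, window + 1):
            candidate = counter + drift
            if candidate <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    secret = new_secret()
    print("scan this into the app:", provisioning_secret(secret))
    now = int(time.time())
    code = totp(secret, now)   # what the phone would display right now
    account = TotpAccount(secret)
    print("phone shows", code, "-> accepted:", account.check(code, now))
    print("same code again -> accepted:", account.check(code, now))
```

The functions reproduce the published RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives `287082`), which is the quickest way to confirm an implementation agrees with real authenticator apps. Note what the replay guard means for the exam point on L46: even a stolen password plus a stolen code is not enough once that code's time step has passed or been used.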
Worked Example — choose the right check 12 min
Problem: A banking app wants strong sign-in security and protection against bots and fake accounts. Recommend measures and justify each.
| Need | Measure | Why |
|---|---|---|
| Stop stolen passwords working | Two-factor authentication | A second factor (phone code) is needed as well as the password, so a password leaked by phishing or a data breach is not enough on its own. |
| Fast, convenient unlock | Biometrics (fingerprint/face) | Hard to copy or share, and nothing is typed, so there is nothing to phish; a PIN/password fallback is kept for when the sensor fails. |
| Block automated login attempts | CAPTCHA + attempt limit | Stops bots brute-forcing passwords; the attempt limit also caps how many guesses a human attacker can make. |
| Confirm new sign-ups are real | Email confirmation | Proves the user controls the email account. |
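Worked code for the "attempt limit" in the table, added as an illustration (example code, not the lesson's own or any bank's): a limiter that counts wrong passwords per username and refuses further sign-ins for a while once the count is reached. It is run over a constructed log of attempts so the outcome of each one can be seen. The five-attempt threshold, the 300-second lock and the 600-second window are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List

MAX_FAILURES = 5        # wrong passwords allowed before the account locks (assumption)
LOCKOUT_SECONDS = 300   # how long a lock lasts (assumption)
FAILURE_WINDOW = 600    # failures older than this are forgotten (assumption)


@dataclass
class AttemptState:
    failures: List[int] = field(default_factory=list)   # timestamps of recent failures
    locked_until: int = 0


class LoginLimiter:
    """Tracks failed sign-ins per username and refuses attempts while locked."""

    def __init__(self) -> None:
        self.state = defaultdict(AttemptState)

    def allow(self, username: str, now: int) -> bool:
        """Call BEFORE the password check. False means reject without checking."""
        return now >= self.state[username].locked_until

    def record(self, username: str, success: bool, now: int) -> None:
        """Call AFTER the password check with its result."""
        s = self.state[username]
        if success:
            s.failures.clear()
            return
        s.failures = [t for t in s.failures if now - t < FAILURE_WINDOW]
        s.failures.append(now)
        if len(s.failures) >= MAX_FAILURES:
            s.locked_until = now + LOCKOUT_SECONDS
            s.failures.clear()


# Constructed sample log: (seconds, username, whether the password was correct)
SAMPLE_ATTEMPTS = [
    (0, "alice", False), (5, "alice", False), (10, "alice", False),
    (15, "alice", False), (20, "alice", False),   # fifth failure locks alice
    (25, "alice", True),    # correct password, but the lock is still active
    (30, "bob", True),      # other users are not affected
    (330, "alice", True),   # 300 s after the lock began, alice can sign in again
]


def process_attempts(attempts) -> List[str]:
    """Run the limiter over an attempt log and return one outcome per attempt."""
    limiter = LoginLimiter()
    outcomes = []
    for now, user, correct in attempts:
        if not limiter.allow(user, now):
            outcomes.append("locked")       # password is not even checked
            continue
        limiter.record(user, correct, now)
        outcomes.append("ok" if correct else "wrong password")
    return outcomes


if __name__ == "__main__":
    for (now, user, _), outcome in zip(SAMPLE_ATTEMPTS, process_attempts(SAMPLE_ATTEMPTS)):
        print(f"t={now:4d}s {user:6s} {outcome}")
```

The sixth attempt is refused even though the password is right: that is the point of the limit, since a bot trying thousands of guesses never gets past the fifth. A lock keyed only by username has a side effect worth knowing: an attacker who keeps guessing can deliberately lock a victim out. Real services therefore usually key limits by username and source address together, and switch to a CAPTCHA or a growing delay before resorting to a hard lock.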
Try It Yourself 12 min
Goal: Define biometrics and give two examples.
Goal: Explain the purpose of a CAPTCHA.
Goal: Explain how two-factor authentication protects an account even if the password is stolen.
📝 Exam Practice 10 min
State two examples of biometric authentication.
Mark scheme
- Any two of: fingerprint; facial recognition; iris/retina scan; voice recognition (2).
Explain how a CAPTCHA helps to prevent cyber attacks.
Mark scheme
- It presents a test that is easy for a human but hard for a computer/bot (1).
- So automated programs (e.g. brute-force or fake sign-ups) are blocked (1).
Explain why two-factor authentication is more secure than a password alone.
Mark scheme
- It requires a second, different proof as well as the password (1).
- So a stolen/guessed password alone is not enough to gain access (1).
Recap & Key Terms 3 min
Authentication proves a user's identity. Passwords use something you know; biometrics use something you are. CAPTCHA blocks bots; email confirmation proves you control an account; two-factor authentication needs two proofs, so a stolen password alone fails.
- Authentication
- Confirming a user's identity before granting access.
- Biometrics
- Authentication using a unique physical feature, e.g. fingerprint or face.
- CAPTCHA
- A challenge easy for humans but hard for computers, used to block bots.
- Two-factor authentication (2FA)
- Requiring two different forms of proof (e.g. password + phone code) to sign in.
Homework 1 min
Task (≤ 15 min): Design the sign-in security for a new e-wallet app. List the measures you'd use, and for each say which threat it defends against.
Model answer (shape)
Strong password rules (brute force); two-factor authentication (stolen passwords); biometric unlock (convenience + hard to copy); CAPTCHA + attempt limit (bots/brute force); email or SMS confirmation on new device (fake/unauthorised access).
Award marks for: each measure named (up to 4); a correctly matched threat for each (up to 4).