Which multi-factor authentication (MFA) option uses a physical universal serial bus (USB) device to generate one-time passwords?

The correct choice involves hard tokens, which are physical devices that generate one-time passwords for user authentication. These tokens often come in the form of USB devices that can securely interact with a computer or mobile device. Hard tokens function by using an embedded algorithm to create a unique, time-sensitive code that the user inputs alongside their standard credentials, thereby providing an extra layer of security based on something the user physically possesses.

In a multi-factor authentication (MFA) environment, using hard tokens greatly enhances security because it requires something the user has (the physical token) in addition to what the user knows (such as a password). This makes unauthorized access significantly harder, as an attacker would need access not just to the user’s credentials but also to the physical token.

The other options, while also related to authentication, do not fit the criteria described. Transaction authentication numbers typically involve a randomly generated code sent to a user as part of a transaction process. Biometrics refer to authentication methods that rely on biological characteristics, such as fingerprints or facial recognition. Out-of-band passwords involve using a different communication channel to deliver a password or code, but they do not specifically involve a physical USB device. Thus, hard tokens represent the most appropriate choice for the scenario described.