Which multi-factor authentication (MFA) option uses a physical universal serial bus (USB) device to generate one-time passwords?

The option that uses a physical USB device to generate one-time passwords is the correct answer. Hard tokens are small devices that generate secure, time-sensitive codes for authentication, typically using a cryptographic algorithm. These devices are often designed to connect via USB ports to computers or other devices, allowing users to easily input the generated one-time password as a method to verify their identity when accessing secure systems or services.

Hard tokens enhance security by requiring something physical that users possess, which works in conjunction with something they know, such as a username or password, representing a classic approach to multi-factor authentication. This two-factor verification significantly reduces the risk of unauthorized access, as a potential attacker would need both the hard token device and knowledge of the user's credentials.

In contrast, other options such as transaction authentication numbers might be used for specific transactions but do not involve a physical USB device for generating codes; biometrics involve unique physical traits for identification and do not use passwords at all, and out-of-band passwords typically involve using a separate communication channel for authentication rather than a physical device. Thus, hard tokens are distinguished by their reliance on tangible hardware that generates secure authentication codes.