The correct answer is 'A PIN or password that is memorized by the user', because the current system includes 'something you have' (security badge), 'something you are' (biometric scan), and another 'something you have' (mobile push notification, as the phone is a personal device). To fulfill the three-factor authentication criteria, a knowledge-based factor (something you know) such as a PIN or password must be added. 'A facial recognition scan' would not add a new factor; it would just be an additional biometric (something you are). 'An RFID-enabled wristband' is also an additional 'something you have'. 'Encrypting the security badge data' strengthens a factor already in use (something you have) but does not add a distinct new factor.