About factors
Authentication relies on factors: verifiable credentials that prove a user’s identity. These factors fall into three main categories based on what the user knows, has, or is.
The three types of factors
Something you know
These are secrets that only the user should know:
- Passwords - The most common authentication method
- PINs - Short numeric codes
- Security questions - Personal information like “What was your first pet’s name?”
- Passphrases - Longer, more complex text strings
Something you have
These are physical or digital objects the user possesses:
- Mobile devices - Smartphones that can receive SMS or generate codes
- Hardware tokens - Physical devices that generate time-based codes
- Smart cards - Credit card-sized devices with embedded chips
- Software tokens - Apps that generate authentication codes
- Email accounts - Access to a registered email address
Something you are
These are biometric characteristics unique to the user:
- Fingerprints - Unique ridge patterns on fingertips
- Face recognition - Facial feature analysis
- Voice recognition - Unique vocal characteristics
- Iris scanning - Unique patterns in the colored part of the eye
- Retina scanning - Unique blood vessel patterns in the eye
Multi-factor authentication (MFA)
Multi-factor authentication combines two or more different types of factors to provide stronger security. For example:
- Password (something you know) + SMS code (something you have)
- PIN (something you know) + fingerprint (something you are)
- Password + hardware token + biometric scan
MFA significantly reduces the risk of unauthorized access because an attacker would need to compromise multiple different types of credentials.
Factor verification and validation
Each factor type requires different verification methods:
Knowledge-based factors
- Passwords are hashed and compared against stored hashes
- Security questions are compared against previously provided answers
- PINs are compared against stored values
Possession-based factors
- SMS codes are sent to a registered phone number
- Hardware tokens generate time-synchronized codes
- Email verification links are sent to registered addresses
Biometric factors
- Biometric data is captured and compared against stored templates
- Templates are usually encrypted and stored securely
- Matching algorithms determine if the biometric data matches
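The knowledge-based and possession-based checks above, worked through as an added example (not code from the original page): a salted PBKDF2 password hash compared in constant time, and the RFC 6238 TOTP computation behind time-synchronized tokens, combined into one two-factor check. The user record, salt and passphrase are constructed for the example; the TOTP secret is the RFC 6238 test-vector key.

```python
import hashlib
import hmac
import struct
import time

# Knowledge factor: store a salted PBKDF2 hash, never the password itself.
def hash_password(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    # compare_digest is constant-time, so timing does not reveal how many bytes matched
    return hmac.compare_digest(hash_password(password, salt), stored_hash)

# Possession factor: RFC 6238 TOTP, the scheme used by time-synchronized
# hardware and software tokens (HMAC-SHA1, 30-second step, 6 digits).
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    # Accept one time step of clock drift on either side; reject anything older or newer.
    candidates = [totp(secret, unix_time + k * step, step) for k in range(-window, window + 1)]
    return any(hmac.compare_digest(c, code) for c in candidates)

def authenticate(record: dict, password: str, code: str, unix_time: int) -> bool:
    # Evaluate both factors rather than short-circuiting, so the response time
    # does not tell the caller which of the two factors was wrong.
    pw_ok = verify_password(password, record["salt"], record["hash"])
    otp_ok = verify_totp(record["totp_secret"], code, unix_time)
    return pw_ok and otp_ok

# Constructed enrollment record (hypothetical user); the TOTP secret is the RFC 6238 test key.
SALT = bytes.fromhex("0011223344556677889900aabbccddee")
USER = {
    "salt": SALT,
    "hash": hash_password("correct horse battery staple", SALT),
    "totp_secret": b"12345678901234567890",
}

if __name__ == "__main__":
    now = int(time.time())
    current_code = totp(USER["totp_secret"], now)  # what the user's token would display
    print(authenticate(USER, "correct horse battery staple", current_code, now))
```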
Security considerations
Different factors have different security characteristics:
- Passwords are vulnerable to guessing, phishing, and data breaches
- SMS codes can be intercepted or redirected
- Hardware tokens are secure but can be lost or stolen
- Biometrics are convenient but can’t be changed if compromised
The strongest authentication systems combine multiple factor types and adapt their security requirements based on the risk level of the action being performed.