authentication factor

Contributor(s): Ivy Wigmore

An authentication factor is a category of credential that is intended to verify, sometimes in combination with other factors, that an entity involved in some kind of communication or requesting access to some system is who, or what, they are declared to be. 

Each category is considered a factor. For example, user names and passwords are both the same type of factor, so their combined use is single-factor authentication (SFA), despite the fact that there are two elements involved. 

Types of authentication factors:
There are three categories of authentication factors. These are generally broken down as:

  • Knowledge factors: A knowledge factor is something you know, such as a user name and password.
  • Possession factors: A possession factor is something you have, such as a smart card or a security token.  
  • Inherence factors: An inherence factor is something you are, an inherent biometric characteristic such as a fingerprint, voice or iris pattern. 

Single-factor authentication is based on only one category. The most common SFA method is a user name and password combination (something you know), although biometric authentication is becoming more common. The security of SFA relies to some extent upon the diligence of users. Best practices for SFA include selecting strong passwords and refraining from automatic or social logins. Nevertheless, for any system or network that contains sensitive data, it's important to add additional authentication factors. Multifactor authentication (MFA) involves two or more independent credentials for more secure transactions. 

Two-factor authentication uses any two of the three categories. Examples include using a security token, such as a key fob or smart card, in conjunction with a PIN (personal identification number) or swiping a card before scanning your fingerprint.

Three-factor authentication requires the use of credentials from each of the three categories. One example would be entering a PIN (something you know) to unlock your smartphone (something you have) and then supplying an iris scan to finalize authentication.

This was last updated in December 2014

1 comment

It should be noted that biometrics is different from the other two factors. We have to be very careful when using it together with other factors.

It is not possible to compare the strength of biometrics operated on its own with that of a password operated on its own. There are no objective data about the overall vulnerability of biometric solutions (not just false acceptance rate when false rejection is near-zero but also the risk of forgery of body features and the risk of use when the user is unconscious) and that of the passwords (not only that it may be as low as 10 bits or as high as 100 bits but also that it can be stolen and leaked.)

We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.
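As an added example (not part of the original article or of the comment above), the following sketch counts the distinct factor categories on the weakest login path of a policy. It covers both the article's point that a user name plus a password is still single-factor and the comment's AND/OR distinction. The credential names, the nested-tuple policy format and the function names are assumptions made for illustration.

```python
# Factor categories as defined in the article; the credential names are constructed.
CATEGORY = {
    "username": "knowledge", "password": "knowledge", "pin": "knowledge",
    "smart_card": "possession", "security_token": "possession",
    "smartphone": "possession",
    "fingerprint": "inherence", "iris": "inherence", "voice": "inherence",
}


def login_paths(policy):
    """Return every set of factor categories that is sufficient to log in.

    A policy is a credential name, or a tuple ("all", p1, p2, ...) meaning
    every part is required (AND), or ("any", p1, p2, ...) meaning one part
    is enough (OR, e.g. a fallback password).
    """
    if isinstance(policy, str):
        return {frozenset({CATEGORY[policy]})}
    op, *parts = policy
    if not parts:
        raise ValueError("a policy node needs at least one part")
    if op == "any":
        # Each alternative is its own complete login path.
        return set().union(*(login_paths(p) for p in parts))
    if op == "all":
        # Combine one sufficient path from every required part.
        paths = {frozenset()}
        for part in parts:
            paths = {a | b for a in paths for b in login_paths(part)}
        return paths
    raise ValueError(f"unknown operator {op!r}")


def effective_factors(policy):
    """Distinct categories on the weakest path that still grants access."""
    return min(len(path) for path in login_paths(policy))


if __name__ == "__main__":
    samples = {
        "user name + password": ("all", "username", "password"),
        "token + PIN": ("all", "security_token", "pin"),
        "PIN + phone + iris": ("all", "pin", "smartphone", "iris"),
        "fingerprint OR fallback password": ("any", "fingerprint", "password"),
        "phone AND (fingerprint OR PIN)": ("all", "smartphone", ("any", "fingerprint", "pin")),
    }
    for name, policy in samples.items():
        print(f"{name}: {effective_factors(policy)} factor(s)")
```

A policy only earns the label two-factor or three-factor if every path through it crosses that many categories; counting the credentials a user is asked for overstates it.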