three-factor authentication (3FA)

Contributor(s): Matthew Haughn

Three-factor authentication (3FA) is the use of identity-confirming credentials from three separate categories of authentication factors – typically, the knowledge, possession and inherence categories.

Multifactor authentication dramatically improves security over a password alone, because an attacker must compromise every factor rather than just one. It is unlikely that an attacker could fake or steal all three elements involved in 3FA, which makes for a more secure login.

Authentication factors classically fall into three categories:

  • Knowledge factors are secrets a user must know in order to log in: passwords, passphrases and personal identification numbers (PINs) all fall into this category. A username or account ID identifies the user but is not secret, so it is not itself an authentication factor.
  • Possession factors include anything a user must have in their possession to log in. This category includes one-time password tokens (OTP tokens), key fobs, smartphones with OTP apps, employee ID cards and SIM cards.
  • Inherence factors include any biological traits the user has that are confirmed for log in. This category includes the scope of biometrics such as retina scans, iris scans, fingerprint scans, finger vein scans, facial recognition, voice recognition, hand geometry and even earlobe geometry.

Three-factor authentication is mainly used in businesses and government agencies that require high degrees of security. The use of at least one element from each category is required for a system to be considered three-factor authentication; selecting three credentials from only two categories (a password, a PIN and an OTP token, say) qualifies only as two-factor authentication (2FA), because the password and the PIN share the same weaknesses. An additional factor, location, is sometimes employed for four-factor authentication (4FA).

It is important to know that the reliability of authentication is affected not only by the number of factors involved but also by how each of them is implemented. In each category, the choices made for authentication rules greatly affect the security of that factor. Poor or absent password rules, for example, can result in the creation of passwords like "guest," which completely defeats the value of using a password. Best practices include requiring inherently strong passwords and rejecting known-weak or previously breached ones; current NIST guidance (SP 800-63B) no longer recommends forcing periodic password changes unless compromise is suspected. Facial recognition systems can in some cases be defeated by holding up a picture; more effective systems add a liveness check and may require a blink or even a wink to register. Lax rules and implementations result in weaker security; conversely, better rules yield better security per factor and better security overall for multifactor authentication systems.
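The following is an added example, not code from the original article, showing how the two points above fit together in a login decision: each factor is verified on its own terms (a salted password hash with a weak-password blocklist, an RFC 6238 time-based one-time password, and a biometric template compared by Hamming distance), every presented credential must pass (a conjunction, not a fallback), and only distinct categories count toward the factor total, so a password plus a PIN plus an OTP still scores as two-factor. The salt, the 64-bit iris template, the blocklist and the 30% match threshold are constructed for the example; the TOTP key is the RFC 6238 Appendix B test-vector key, so the codes it produces can be checked against the RFC.

```python
"""Added example (not from the article): a minimal three-factor login check.

It verifies one credential per category, requires every presented credential
to pass (AND, never OR), and counts only distinct categories toward the factor
count, so a password plus a PIN plus an OTP still scores as two factors.
"""
import hashlib
import hmac
import os
import struct

# Which category each credential type belongs to.
CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "totp": "possession",
    "iris": "inherence",
}

# Constructed values so the example is deterministic and runs offline.
SALT = b"constructed-salt"              # a real system draws a random salt per user
TOTP_SECRET = b"12345678901234567890"   # the RFC 6238 Appendix B test-vector key
IRIS_TEMPLATE = bytes.fromhex("deadbeefcafef00d")  # 64-bit stand-in for an enrolled iris code
WEAK_PASSWORDS = {"guest", "password", "123456"}   # tiny stand-in for a breached-password list
PBKDF2_ROUNDS = 100_000


# --- knowledge factor: salted PBKDF2 hash, weak passwords rejected at enrollment ---
def enroll_password(password, salt=None):
    if password.lower() in WEAK_PASSWORDS:
        raise ValueError("password is on the blocklist")
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# --- possession factor: RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) ---
def totp(secret, unix_time, step=30, digits=6):
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret, code, unix_time, window=1):
    # Tolerate `window` steps of clock skew either way; a two-minute-old code is rejected.
    return any(hmac.compare_digest(totp(secret, unix_time + d * 30), code)
               for d in range(-window, window + 1))


# --- inherence factor: iris codes are matched by fractional Hamming distance ---
def verify_iris(template, sample, max_fraction=0.30):
    if len(template) != len(sample):
        return False
    diff = int.from_bytes(template, "big") ^ int.from_bytes(sample, "big")
    return bin(diff).count("1") / (8 * len(template)) <= max_fraction


def authenticate(presented, enrolled, now):
    """Return (success, factors); `factors` is the number of distinct categories verified."""
    checks = {
        "password": lambda v: verify_password(v, *enrolled["password"]),
        "pin": lambda v: verify_password(v, *enrolled["pin"]),
        "totp": lambda v: verify_totp(enrolled["totp"], v, now),
        "iris": lambda v: verify_iris(enrolled["iris"], v),
    }
    categories = set()
    for name, value in presented.items():
        if name not in checks or not checks[name](value):
            return False, 0          # conjunction: any failed credential fails the login
        categories.add(CATEGORY[name])
    return True, len(categories)


def demo():
    now = 1111111109             # an RFC 6238 test-vector instant
    pw = "correct horse battery staple"
    enrolled = {
        "password": enroll_password(pw, SALT),
        "pin": enroll_password("4321", SALT),
        "totp": TOTP_SECRET,
        "iris": IRIS_TEMPLATE,
    }
    bits = int.from_bytes(IRIS_TEMPLATE, "big")
    genuine_iris = (bits ^ 0x7).to_bytes(8, "big")                  # 3 of 64 bits differ: same eye
    impostor_iris = (bits ^ 0xFFFFFFFF00000000).to_bytes(8, "big")  # 32 of 64 bits differ: someone else
    code = totp(TOTP_SECRET, now)
    results = {
        "three_categories": authenticate({"password": pw, "totp": code, "iris": genuine_iris}, enrolled, now),
        "two_categories": authenticate({"password": pw, "pin": "4321", "totp": code}, enrolled, now),
        "bad_biometric": authenticate({"password": pw, "totp": code, "iris": impostor_iris}, enrolled, now),
        "stale_code": authenticate({"password": pw, "totp": totp(TOTP_SECRET, now - 120), "iris": genuine_iris}, enrolled, now),
    }
    try:
        enroll_password("guest")
        results["weak_password_rejected"] = False
    except ValueError:
        results["weak_password_rejected"] = True
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Running the script prints one line per scenario: the password, OTP and iris login succeeds with a factor count of 3; the password, PIN and OTP login succeeds but counts only 2; a wrong biometric or a stale OTP fails outright even though the other credentials were valid; and enrolling "guest" is refused before it is ever hashed.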

This was last updated in December 2014

Join the conversation

It is important that all the 3 factors are operated by AND/Conjunction (we need to go through all of the three), not operated by OR/Disjunction (we need only to go through either one of them) as in the cases of Touch ID and many other biometric products on the market which require a backup/fallback password.

Hi Margaret, Hi Matthew.
Nicely written, clear and to the point. I would make one correction, however. What you consider a "4th factor" is not really a fourth factor, it is a method of measuring a possession factor. I need to have that smartphone for you to know my location. The FFIEC and NIST have these clearly defined. The reason they are this way is that each category comprises a distinctive set of vulnerabilities, and challenges to a cybercriminal. Respectfully, Mike Hill, CEO, SensiPass Ltd.

I wonder if there is multi-factor "anded" or "streamed" authentication, where more than one person is needed to complete an action (such as two people simultaneously turning missile launch keys ten feet apart).