What Are the Three Authentication Factors?

Last updated on February 27, 2025

Authentication factors are categories of evidence used to prove a user’s identity. In modern security systems, Multi-Factor Authentication (MFA) leverages a combination of these factors to significantly improve access security. There are three primary factors:

The three authentication factors are:

• Knowledge Factor – something you know, e.g., password
• Possession Factor – something you have, e.g., mobile phone
• Inherence Factor – something you are, e.g., fingerprint

Understanding the Knowledge Factor

When you log into an application, the system often requires you to enter a username and password. This is a prime example of the Knowledge Factor—you are proving your identity by presenting information you already know.

Common Knowledge-Based Methods

• Passwords:
  A password is a string of letters, numbers, and special characters. However, because passwords are relatively simple sequences, they are vulnerable to theft, cracking, or guessing. The low security of passwords is the main reason why you need more than the Knowledge Factor.
• Security Questions:
  Some systems also use pre-established security questions (for example, “What is your dog’s name?”). Since these answers can sometimes be easily discovered or deduced, they are not entirely secure on their own.
• Personal Identification Numbers (PINs):
  Used when paying with a credit card or withdrawing money at an ATM, a PIN is another example of a knowledge-based method. Note that a PIN is effective only when paired with a physical card, illustrating an early form of MFA.

The Knowledge Factor is Not Enough

Authentication based on something you know is a nice relic of the bygone days when authentication security was solely based on a string of characters. But times have changed, and modern authentication requires modern means.

During Multi-Factor Authentication, the user has to also provide the second factor, and sometimes even the third factor to prove their identity. The other two factors of authentication are the Possession Factor and the Inherence Factor.

Exploring the Possession Factor

The Possession Factor requires that the user prove they physically have a specific device or token. Examples include:

• SIM Cards
• Mobile Phones
• Smart Cards
• Hardware OTP Tokens
• FIDO2 Security Keys

Advantages and Considerations

Modern technology has made it easier to incorporate possession-based methods into authentication systems. Because the system checks for a specific physical item, compromising this factor is typically more challenging than attacking a password alone. However, there are still risks such as device theft, swapping attacks, or remote social engineering. For instance:

• A SIM card can be used for SMS Passcode authentication.
• A smartphone running an authenticator app (e.g., Rublon Authenticator) turns the mobile device into a powerful second factor.
• Combining a credit card (something you have) with a PIN (something you know) forms a basic MFA example.
• FIDO security keys such as WebAuthn and U2F Security Key are cryptographically strong, phishing-resistant security tokens that constitute the Possession Factor. Breaking such keys requires the attacker to gain physical access to a security key and take it apart to tamper with it.

Delving into the Inherence Factor

Often considered the strongest form of authentication, the Inherence Factor verifies a user’s identity based on unique biological characteristics. This category includes biometric methods such as:

• Fingerprint scans
• Retina pattern scans
• Facial recognition

A security key that supports biometrics (like the YubiKey Bio) combines what you have with what you are to deliver top security.

Assessing the Risks of Authentication Factors

While MFA significantly improves security by layering authentication methods, each factor comes with its own set of risks. Understanding these risks helps in managing and mitigating potential vulnerabilities.

Risks With the Knowledge Factor

• Password Vulnerabilities:
  Passwords and PINs can be guessed, stolen, or compromised via keyloggers and shoulder surfing.
• Security Questions:
  The answers to these questions might be easy to obtain through public information or social engineering.

Risks With the Possession Factor

• Remote Exploits:
  Modern attacks may use social engineering or MITM (Man-in-the-Middle) attacks to bypass possession checks. For example, methods like and have been designed to mitigate these risks.
• Device Compromise:
  If an attacker gains control of a physical device, the possession factor is effectively breached.

Risks With the Inherence Factor

• Biometric Spoofing:
  Although biometrics are highly secure, techniques such as latent fingerprint replication or photo manipulation can sometimes fool systems.
• Irreversibility:
  Unlike passwords, once a biometric trait is compromised, it cannot be changed.

Modern biometric systems address many of these concerns through liveness detection and advanced spoofing prevention techniques.

Risks Associated With Authentication Methods

Each of the three authentication factors comes with a unique set of risks. However, you have to remember that factors of authentication are wide categories that accumulate many authentication methods. As a result, a security risk may apply to one authentication method but not the other. We wrote an article on the risks associated with each authentication method if you need a more in-depth look at the topic.

Implementing Three-Factor Authentication with Rublon

Rublon allows for modern Multi-Factor Authentication (MFA) using two authentication factors (Two-Factor Authentication, 2FA) or three authentication factors (Three-Factor Authentication, 3FA). Three-Factor Authentication is possible in at least two scenarios:

Rublon 3FA Scenario 1: Password + Mobile Push + Fingerprint Scan

• Step 1: The user enters a password (Knowledge Factor).
• Step 2: A Mobile Push notification is sent to the user’s smartphone (Possession Factor).
• Step 3: Before accepting the push, the user must scan their fingerprint (Inherence Factor).

In this scenario, the user installs the Rublon Authenticator mobile app on their Android or iOS smartphone and enables fingerprint scanning (FaceID is also possible for iOS devices). Then, when logging into an application, the user first provides their password (Knowledge Factor), and then receives a Mobile Push authentication request to their phone (Possession Factor). Before the user can accept the authentication request, however, they have to scan their fingerprint to unlock the Mobile Push mobile app (Inherence Factor). This scenario covers all three authentication factors and proves to be a very secure type of Three-Factor Authentication.

Rublon 3FA Scenario 2: Password + Biometric Security Key:

• Step 1: The user enters a password (Knowledge Factor).
• Step 2: The user plugs in a biometric FIDO security key (e.g., YubiKey Bio) that requires fingerprint verification (Inherence Factor) while also serving as a possession token.

In this scenario, the user provides their password and then plugs in their biometric WebAuthn/U2F Security Key. The YubiKey Bio key is a separate device that constitutes the Possession Factor but also requires fingerprint authentication which is the Inherence Factor. This scenario covers all three authentication factors and proves to be the most secure out of all authentication methods. On the downside, WebAuthn/U2F Security Key can be expensive which leads to customers most often opting for the first scenario instead.

Powerful Multi-Factor Authentication (MFA) for Your Workforce

To protect your cloud apps, VPNs, and RDP with Multi-Factor Authentication. Start Rublon MFA’s 30-Day Free Trial: