Quiz Entry - updated: 2026.07.14
What are the four authentication factor categories in security?
Wissen (knowledge), Besitz (possession), Eigenschaft (inherence/biometric), Fähigkeit (ability/behaviour).
The four categories:
| Category | "Something you..." | Examples |
|---|---|---|
| Wissen (Knowledge) | ...know | Password, PIN, security questions |
| Besitz (Possession) | ...have | Hardware token (SecurID), smart card, phone with SMS, FIDO2 key |
| Eigenschaft (Inherence / Biometric) | ...are | Fingerprint, iris scan, face recognition |
| Fähigkeit (Ability / Behaviour) | ...can do | Signature, voice pattern, typing rhythm |
Multi-factor authentication combines at least two different categories — not two things from the same category. Two passwords ≠ MFA. A password + a fingerprint ≠ two passwords, but a password + a hardware token = real 2FA.
Strength trade-offs:
- Wissen is convenient but easily phished, guessed, or reused.
- Besitz is strong (attacker must steal hardware), but the user can lose it.
- Eigenschaft is convenient and bound to the body, but irrevocable — you can't change your fingerprint after a leak.
- Fähigkeit is the least-developed category but increasingly used for continuous, passive auth (behavioural biometrics).
Tip: Modern recommendations (NIST SP 800-63) treat SMS as a weak Besitz factor due to SIM-swap attacks; push-app prompts and FIDO2 keys are preferred.