Quiz Entry - updated: 2026.07.14
What are the three classical authentication factors, and what makes multi-factor authentication strong?
Something you know (password), something you have (token/phone), something you are (biometric). Combine ≥2 different factors for MFA.
| Factor | Examples | Weakness |
|---|---|---|
| Know | Password, PIN, security question | Phishable, leakable, reused |
| Have | Hardware token (YubiKey), TOTP app, SMS, smart card | Lost/stolen device |
| Are | Fingerprint, face, iris, voice | Cannot be revoked once leaked; spoofable |
Why multi-factor matters: Each factor has different attack surfaces. Stealing a password (phishing) ≠ stealing a phone (theft) ≠ cloning a fingerprint (forensics). An attacker must defeat all required factors simultaneously, which is exponentially harder.
Common pitfall: Two passwords are NOT MFA — same factor. Two "know" answers can be phished in the same form.
Tip: "Know / Have / Are" — rolls off the tongue. Used in every cyber security textbook ever.
Go deeper:
Multi-factor authentication (Wikipedia) — the three factor types, the ATM example, and why two of the same factor isn't MFA.