Quiz Entry - updated: 2026.07.14
What are the three factors in Multi-Factor Authentication (MFA)?
Something you KNOW (password/PIN), something you HAVE (phone/token), and something you ARE (biometric) — MFA combines 2+ from DIFFERENT categories.
* MFA combines 2+ factors from different categories — something you know, have, and are. *
| Factor | Type | Examples |
|---|---|---|
| Something you KNOW | Knowledge | Password, PIN, security questions |
| Something you HAVE | Possession | Phone, hardware token, smart card |
| Something you ARE | Biometric | Fingerprint, face, iris |
Mnemonic: "Know-Have-Are" or "KHA"
Valid MFA examples:
- Password (know) + SMS code (have) ✓
- Password (know) + fingerprint (are) ✓
- Badge (have) + PIN (know) ✓
NOT MFA:
- Two passwords ✗ (both "know")
- Password + security question ✗ (both "know")
Tip: SMS is weakest "have" factor (SIM swapping attacks). Hardware tokens or authenticator apps are stronger.
Go deeper:
OWASP Multifactor Authentication Cheat Sheet — factor types, SMS weaknesses, passkeys, recovery.
NIST SP 800-63B — Digital Identity (Authentication) — authenticator assurance levels and per-authenticator requirements.
Multi-factor authentication (Wikipedia) — the knowledge/possession/inherence factor model and its trade-offs.