Topic 08

Something You Know, Have, or Are

Concept

In the last topic we saw the trouble with passwords: a single secret that, once stolen, hands an attacker the whole account. If one kind of proof is so fragile, the natural fix is to ask for more than one kind of proof before letting anyone in.

It turns out there are only three kinds of proof a login can ask for. Something you know — a password. Something you have — your phone. Something you are — your fingerprint. These three are called the authentication factors, and almost every login method ever built is one of them.

When a system asks for two of these three at once, that is multi-factor authentication — usually shortened to MFA. It is the main reason a thief who has Olivia's password still cannot always get into her account: the password is only one factor, and the login is waiting for a second.

Think of a bank vault that needs both a physical key and a PIN. Stealing the key gets you nothing without the number, and learning the number gets you nothing without the key. You would have to steal two different things, held in two different ways. MFA does the same thing for a login.

The three authentication factors — and how each one can fail

  • Something you know: a secret in your head — a password or PIN. Fails when it is guessed, phished, or leaked in a breach.
  • Something you have: a physical thing — your phone or a small hardware key. Fails if the device is stolen or lost.
  • Something you are: a body measurement — a fingerprint or face. Fails differently: you cannot change it once copied.

What Are the Three Factors?

The first factor is something you know: a secret kept in your head. A password, a PIN, the answer to a security question. Its weakness is that a secret can be copied without you noticing — guessed, phished, or spilled in a breach — and the real you and the thief now hold the exact same thing.

The second factor is something you have: a physical object in your possession. Most often your phone, sometimes a small hardware key that plugs into a computer. Its weakness is different — an object can be stolen or lost, but it cannot be copied from across the world the way a password can.

The third factor is something you are: a measurement of your body. A fingerprint, a face scan, the shape of your voice. This is called inherence, because it is part of you. Its weakness is the strangest of the three — if someone ever does copy your fingerprint, you cannot swap it out for a new one the way you would change a password.

The point of three separate kinds is that each one fails in its own way. They do not all break at the same time, or for the same reason — and that is exactly what makes combining them useful.

Why Is Combining Factors Strong?

Imagine an attacker who phishes Olivia's password — they now have something she knows. To get in, the login also asks for something she has: a code from her phone. The attacker is thousands of miles away and does not have the phone in their hand. One stolen factor is not enough.

The strength comes from the factors being different kinds. Stealing a password is one kind of attack; stealing a physical phone is a completely unrelated one. To beat MFA, an attacker has to win both at the same time, against the same person — which is far harder than winning either alone.

This is the whole idea behind the vault that needs a key and a PIN. The two locks are not just two copies of the same lock; they are two different sorts of lock, defeated in two different ways.

What Does MFA Look Like in Practice?

You have almost certainly met MFA already, even if no one called it that. After Olivia types her password, the site asks for a six-digit code from an app on her phone. Or it sends a notification she taps to approve. Or she touches a small hardware key plugged into her laptop.

These look different, but underneath they are the same move: prove you also have this particular thing. The app, the tap, and the hardware key are all the "something you have" factor, sitting on top of the password she already knows.

A fingerprint or face unlock works the same way as a second check, except it proves something you are rather than something you have. The login no longer trusts the password by itself; it wants a second, different signal that it is really you.

How MFA works — two different factors checked in sequence

  • Enter password (something you know)
  • Site requests second factor (one factor is not enough)
  • Provide phone code or key (something you have)
  • Access granted (two different locks cleared)
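The password-then-code sequence above, written out as a small working check. This is an added example for this lesson, not code from the original page or from any real login system. The user name "olivia", her password, and the authenticator secret (the RFC 6238 test secret, assumed for the demo) are constructed values, and the only second factor this demo knows how to check is a six-digit app code (TOTP, the kind an authenticator app displays).

```python
import hashlib
import hmac
import struct
from typing import Dict, Iterable

# Constructed demo user record. Real systems keep this in a database;
# the password is stored only as a salted hash, never in the clear.
SALT = b"demo-salt-not-secret"
ITERATIONS = 100_000
USERS: Dict[str, dict] = {
    "olivia": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery", SALT, ITERATIONS),
        # Secret shared with the authenticator app at enrolment (RFC 6238 test value, assumed).
        "totp_secret": b"12345678901234567890",
    }
}

# Which of the three factor kinds each type of proof belongs to.
FACTOR_KIND = {
    "password": "know",
    "pin": "know",
    "totp": "have",
    "hardware_key": "have",
    "fingerprint": "are",
}


def verify_password(user: str, password: str) -> bool:
    """Something you know: hash the submitted password and compare in constant time."""
    rec = USERS.get(user)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)
    return hmac.compare_digest(candidate, rec["pw_hash"])


def totp_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the current 30-second counter, dynamically truncated.

    The phone app and the server each run this with the same secret and the
    same clock, so the code is derived locally on both sides and the secret
    itself never crosses the network.
    """
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_totp(user: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Something you have: accept the code for the current step, allowing
    `window` steps of clock drift either side. Older codes stop working."""
    rec = USERS.get(user)
    if rec is None:
        return False
    for drift in range(-window, window + 1):
        expected = totp_code(rec["totp_secret"], unix_time + drift * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False


def distinct_factor_kinds(proof_types: Iterable[str]) -> int:
    """How many different kinds (know / have / are) a set of proofs covers."""
    return len({FACTOR_KIND[p] for p in proof_types if p in FACTOR_KIND})


def login(user: str, proofs: Dict[str, str], unix_time: int) -> bool:
    """Grant access only when at least two *different* kinds of factor are
    presented and every presented proof verifies. Two proofs of the same
    kind (a password plus a PIN) do not count as multi-factor."""
    if distinct_factor_kinds(proofs) < 2:
        return False
    checkers = {
        "password": lambda v: verify_password(user, v),
        "totp": lambda v: verify_totp(user, v, unix_time),
    }
    # This demo only knows how to check passwords and app codes.
    if any(p not in checkers for p in proofs):
        return False
    return all(checkers[p](v) for p, v in proofs.items())


if __name__ == "__main__":
    now = 59  # fixed clock so the run is reproducible; real code would use int(time.time())
    app_code = totp_code(USERS["olivia"]["totp_secret"], now)  # what the phone app would display
    print("password only:              ", login("olivia", {"password": "correct horse battery"}, now))
    print("password + app code:        ", login("olivia", {"password": "correct horse battery", "totp": app_code}, now))
    print("password + stale app code:  ", login("olivia", {"password": "correct horse battery", "totp": app_code}, now + 300))
```

Two things to notice when reading it. The app code is computed from a shared secret and the clock on both ends, which is why it never has to travel across the phone network the way a texted code does; and a code accepted at one moment is rejected a few minutes later, so a stolen code has a short shelf life. The `login` function also refuses two proofs of the same kind, so a password plus a PIN is correctly treated as one factor, not two.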

Are All Factors Equally Strong?

No — and it would be dishonest to pretend so. A code sent to you by text message is better than no second factor at all, but it is the weakest of the common options, because a text can sometimes be redirected or intercepted before it reaches you.

A code from an app on your phone is stronger, because it never travels across the phone network. A physical hardware key is stronger still, because it is built to resist even a convincing fake login page. So "uses MFA" is a spectrum, not a single guarantee.

The full reasons one method beats another belong to a deeper course. For now the useful idea is just this: a second factor of any kind raises the bar a lot, and some kinds raise it more than others.

Common Confusions

  • "Two passwords is two-factor authentication." Two passwords are two of the same kind — both "something you know." Multi-factor means two different kinds, like a password plus a code from your phone.
  • "MFA makes an account impossible to break into." It raises the bar a great deal, but it is not magic. Some second factors, like a texted code, can occasionally be phished or intercepted. MFA is stronger, not perfect.
  • "Logging in with my fingerprint sends my fingerprint to the website." The fingerprint is checked on your own device, which then vouches for you. The measurement itself stays on the device — it is not shipped off to the website.

Why It Matters

  • It explains why a leaked password, on its own, increasingly fails to get an attacker in — there is a second, different lock waiting behind it.
  • The know / have / are framework lets you recognize any login method you will ever meet, and name which factor it is checking.
  • It shows that "uses MFA" is a spectrum, so you can read a second factor as raising the bar rather than as a perfect guarantee.

Knowledge Check

Which list correctly names the three authentication factors?

  • Something you know, something you have, something you are
  • A password, a PIN, and a security question you set when you first created the account
  • A username, a login page, and a logout button
  • A phone, a hardware key, and a backup phone

A site asks Olivia for her password and then for a code from an app on her phone. Why does this count as multi-factor authentication?

  • Because it combines two different kinds of factor: one you know and one you have
  • Because the password she chose is especially long and contains a mix of letters, numbers, and symbols that make it hard to guess
  • Because it asks her for a secret two separate times in a row
  • Because the phone is a modern device with up-to-date software

Why is requiring two different kinds of factor stronger than requiring two passwords?

  • Different kinds are defeated in different ways, so an attacker must beat both at once
  • Two passwords are harder to remember and type, which means an attacker who gets the first one still has to work out the second
  • A second password is always far longer than the first one
  • A second password automatically expires after the first one is used

Which statement about the strength of second factors is honest?

  • A texted code helps, but an app code or a hardware key is harder to intercept
  • Every kind of second factor is exactly as strong as every other
  • Adding a second factor makes no real difference to an attacker
  • A texted code is the strongest second factor available, because it works on every phone and requires no extra app or device
