Four or More: The Factors of Authentication

Michael Clark · Computer Science · BYU SRC 2026

Authentication Factors

There are three basic ways to identify a terminal user.

  1. By something he knows or memorizes. He could memorize a password or answer a prearranged set of questions. This technique requires no special hardware and is reasonably secure.
  2. By something he carries. This might be a badge, card or key. The badge would be inserted into the terminal badge reader, the key into the terminal itself.
  3. By a personal physical characteristic. This might be the user's voice, which when transmitted to the computer would be compared with the stored "voice-print" for identification. This technique is under development, but not yet commercially available.

The Considerations of Data Security in a Computer Environment, IBM 1970

Something You Know

This image displays a password on a smartphone screen, representing the 'something you know' factor.

Examples: passwords, PINs, secret process, recognition, knowledge-based authentication/security questions, account history questions

Advantages: nothing to carry, comparatively easy to change, use requires personal consent, easy to implement

Disadvantages: forget, scales poorly, unlimited invisible copies, often fairly weak, relatively easy to guess if nonrandom

Something You Have

This image shows a YubiKey, representing the 'something you have' factor in multi-factor authentication.

Examples: password manager, car/house keys, Hardware Security Keys (like YubiKey)/Passkeys, OTP, SSH key file, PUF hardware, TPM, bearer tokens

Advantages: no recall, some are uncopyable (theft detection), can be very secure, sometimes phishing resilient

Disadvantages: misplaced, loss, theft, sometimes hard to share, less trivial to support, cost per user, possible cost per account

Something You Are

The Smiling Face (Biometric Authentication). This image represents the 'something you are' factor in authentication, such as facial recognition.

Examples: face (including infrared), signature, voiceprint, retina, fingerprint, DNA, gait, typing patterns, behavior, stress

Advantages: always with you, no recall, stable, hard to guess or share

Disadvantages: involuntary change (ouch), inconsistent readings, privacy, infeasible voluntary change if copied, hardware reader cost

What Does it Mean to Authenticate?

A museum conservator wearing white cotton gloves examines an ancient ceramic amphora under an inspection lamp.

Authenticate: prove something is real, true, or genuine.

Can prove membership of a class (broad, low specificity) or identity (high specificity).

Class Authentication

A split-screen image of the same person, dressed as a police officer on the left and in casual clothes on the right; only the clothing and background differ.

"Something you are" authentication can also encompass a group (rough hands = honest laborer). Have/Know can be shared or uniform.

My hard hat and clipboard's
the same as all access

Dual Core, "Trust Me", from Social Engineer Podcast

Other Authentication Considerations

Analogy to Senses

An infographic showing eight human senses arranged around a human silhouette: sight, hearing, smell, taste, touch, balance (vestibular), proprioception (body position awareness), and interoception (internal body signals).

Three factors.

But more than 5 human senses:

  • Sight (10m), Touch (1m), Hearing (100k) - most information
  • Smell (100k), Taste (1k)
  • Balance, Proprioception (limb position), Interoception (hungry, thirsty, need to breathe, etc)

There are at least 3 + ? authentication factors:

  • Have, Know, Are - most information
  • … ?

Delegated Authentication

A smartphone lock screen showing an SMS notification with a one-time password: "Your verification code is 482913. Do not share this code."

Sometimes authentication is delegated to a third party. That party still relies on authentication factors.

  • SMS one-time codes
  • Email
  • "Someone you know"
  • Single sign-on systems (OAuth, Duo, etc.)

Sometimes considered "something you have", but email is often password-based.

Somewhere You Are

A side view of a DEC VT05, showing the distinctive shape.
A DEC VT05, introduced Nov 1970. Source: https://terminals-wiki.org/wiki/index.php/File:DEC_VT05_305002197651-10.jpg

… some systems containing sensitive data place primary reliance on user identification rather than identification of the terminal or its location.

The Considerations of Data Security in a Computer Environment, IBM 1970, emphasis added

Somewhere You Are

A photo of a geocache box hidden in grass beside a trail.

Not inherently/always delegated. Already used in risk-based authentication (RBA) and continuous authentication systems. Rarely used as a single factor due to low distinctiveness.

Examples: IP address, network latency, mailing address, presence (e.g. FIDO2), GPS, geocaching, proof of noisy environment

Advantages: non-transportable, amenable to continuous authentication, digital proxy for delegated physical authentication

Disadvantages: travel, proofs/sensors often spoofable, non-individual
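
How location can act as a supporting signal rather than a sole factor, shown as an added example that is not part of the original slides. The `Login` record, the labels, the 100 km and 900 km/h thresholds and the sample events are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0

@dataclass
class Login:
    user: str
    ts: int       # seconds since an arbitrary epoch
    lat: float    # degrees, from GeoIP or GPS (self-reported, so spoofable)
    lon: float

def haversine_km(a, b):
    """Great-circle distance between two login locations."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi, dlmb = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def location_signal(prev, cur, near_km=100.0, max_kmh=900.0):
    """Label the location evidence; a risk engine weighs it with other factors."""
    if prev is None:
        return "no_baseline"
    dist = haversine_km(prev, cur)
    if dist <= near_km:
        return "consistent"
    hours = (cur.ts - prev.ts) / 3600
    if hours <= 0 or dist / hours > max_kmh:
        return "implausible"   # faster than an airliner: ask for another factor
    return "travel"            # new place, but reachable: the "travel" disadvantage

def review(events):
    """Walk logins in time order, comparing each to the user's previous one."""
    last, out = {}, []
    for e in sorted(events, key=lambda e: e.ts):
        out.append((e.user, e.ts, location_signal(last.get(e.user), e)))
        last[e.user] = e
    return out

# Constructed sample events (not real data)
SAMPLE = [
    Login("alice", 0, 40.23, -111.66),      # Provo, UT
    Login("alice", 3600, 40.76, -111.89),   # Salt Lake City, 1 h later
    Login("alice", 7200, 51.51, -0.13),     # London, 1 h after that
    Login("bob", 0, 40.23, -111.66),        # Provo, UT
    Login("bob", 43200, 51.51, -0.13),      # London, 12 h later
]
```

Because the coordinates come from the client or from IP geolocation, none of these labels proves presence; they only raise or lower confidence alongside the other factors.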

Additional Potential Authentication Factors

A thick bank vault door.

  • "Time" is already famously used in bank vaults to authenticate
    • "Somewhen you are"
    • Less distinctive
  • CAPTCHAs
    • Authenticate as "not a script"
    • Easy to bypass. AntiCaptcha uses real humans for 50¢/1000
    • Can extend to "humanness" behavior patterns
  • Proof of Work
    • Not very distinctive
    • Imposes real costs to scale attacks

Concluding Thoughts

An artist's wooden paint palette holding icons in place of paint: a key (have), a password field (know), a fingerprint (are), a map pin (location), a clock (time), a CAPTCHA checkbox, and a gear with a hash symbol (proof of work).

The 1970 IBM model is good, but incomplete. There are more than three factors, like there are more than five senses.

A richer authentication taxonomy will help us derive maximal security from minimal frustration.

Adding factors can only increase authentication confidence.

It's time to update the model.