Type 1 – Something You Know – includes passwords, PINs, combinations, code words, or secret handshakes. Anything that you can remember and then type, say, do, perform, or otherwise recall when needed falls into this category.
Type 2 – Something You Have – includes all items that are physical objects, such as keys, smartphones, smart cards, USB drives, and token devices. (A token device produces a time-based PIN or can compute a response from a challenge number issued by the server.)
Type 3 – Something You Are – includes any part of the human body that can be offered for verification, such as fingerprints, palm scanning, facial recognition, retina scans, iris scans, and voice verification.
Combining two or three factors from these three categories produces multi-factor authentication. Multi-factor authentication is preferred because it is much more difficult for an intruder to overcome. With just a password, an attacker needs only a single attack skill and a single successful attack to impersonate the victim. With multi-factor authentication, the attacker must have multiple attack skills and wage multiple successful attacks simultaneously in order to impersonate the victim. This is extremely difficult, which makes multi-factor authentication a more resilient logon solution.
Few online services offer true multi-factor authentication, but the number is growing. One excellent example of an online service that supports multi-factor authentication is PayPal. They currently offer at least two different multi-factor options. One option involves a credit card-sized device that produces a one-time-use six-digit PIN on demand. The second option sends an SMS text message containing a six-digit PIN to your cell phone. In either case, the PIN is used alongside your name and password credentials to gain access to your PayPal account.
Excerpted from the Global Knowledge white paper Multi-Step Authentication and Why Should I Use It.