Authentication Factor


Authentication Factors are factors that are typically used in Authentication.

Generally there are three Authentication Factor categories:

We have seen references to the following Authentication Factor, but can not find any "authoritative" source that they are "Acceptable":

A list of practical factors that might be used are the Authentication Method Reference Values


NIST.SP.800-63 ( or specifically "NIST.SP.800-63-2") discusses in Section 4.3, that "other types of information, such as location data or device identity, may be used by an RP or Verifier to reject or challenge a claimed identity, but they are not considered Authentication Factors.

Further clarification is found within "NIST.SP.800-63-3" section 4.1 where it states: "As part of authentication, mechanisms such as device identity or geo-location may be used to identify or prevent possible authentication false positives. While these mechanisms do not directly increase the AAL, they can aid in enforcing security policies and mitigate risks. In many cases, the authentication process and services will be shared by many applications and agencies. However, it is the individual agency or application acting as the RP that shall make the decision to grant access or process a transaction based on the specific application requirements."

More Information#

There might be more information for this subject on one of the following: