Overview#

Authentication Factors are factors that are typically used in Authentication.

Generally there are three Authentication Factor categories:

• Knowledge Factor - or Something You Know
• Possession Factor - or Something You Have
• Inherence Factor - or Something You Are

We have seen references to the following Authentication Factor, but can not find any "authoritative" source that they are "Acceptable":

• Something You Do - This probably a take off of the Inherence Factor described as a Behavioral Characteristic
• Someplace You Are - Perhaps this is a Geolocation as maybe considered a Authentication Factor.

A list of practical factors that might be used are the Authentication Method Reference Values

NIST.SP.800-63#

NIST.SP.800-63 ( or specifically "NIST.SP.800-63-2") discusses in Section 4.3, that "other types of information, such as location data or device identity, may be used by an RP or Verifier to reject or challenge a claimed identity, but they are not considered Authentication Factors.

Further clarification is found within "NIST.SP.800-63-3" section 4.1 where it states: "As part of authentication, mechanisms such as device identity or geo-location may be used to identify or prevent possible authentication false positives. While these mechanisms do not directly increase the AAL, they can aid in enforcing security policies and mitigate risks. In many cases, the authentication process and services will be shared by many applications and agencies. However, it is the individual agency or application acting as the RP that shall make the decision to grant access or process a transaction based on the specific application requirements."

More Information#

There might be more information for this subject on one of the following:

• Authentication
• Authentication Method
• Authenticator App
• Authenticator Assurance Levels
• Biometric
• Biometric Authentication
• Biometric Data Challenges
• Biometric Enrollment
• Biometric Identification
• Credential Management
• DID Authentication
• DID Document
• FIDO Standards
• Fast IDentity Online
• Geolocation
• Inherence Factor
• Internet Protocol Address Location
• Knowledge Factor
• Knowledge-Based Authentication
• LOA 3
• Level Of Assurance
• M-04-04 Level of Assurance (LOA)
• Multi-Factor Authentication
• Multiple-channel Authentication
• NIST.SP.800-63B
• NMAS
• Password
• Passwordless SMS Authentication
• Possession Factor
• Short Message Service
• Simple Authentication
• Something You Do
• Trust Elevation
• Two-Factor Authentication
• Universal Authentication Framework
• Universal Second Factor
• Universal Second Factor Challenges
• Yubico
• Yubikey NEO