Two-Factor and Three-Factor Authentication

Two-factor authentication means that the validation of someone’s identity is performed using factors from two of the three categories (that is, know, have, and are). For example, authenticating to an ATM with a card and a PIN is considered two-factor because the card is something that you have and the PIN is something that you know. However, the use of two passwords (or a password and a PIN) is not considered two-factor because they both come from the same category of something that you know. At the other end, using multiple factors from the same class doesn’t increase the factors, so using three passwords (know) and a smart card (have) is still only two-factor authentication. An authentication system that requires at least one factor from each class (know, have, are) would be considered three-factor authentication.