ict.govt.nz is being migrated into digital.govt.nz
This snapshot contains remaining content not yet migrated, and is still current

The Factors of Authentication

The ways in which someone may be authenticated fall into three categories, based on what are known as the factors of authentication: something you know, have or are. These factors, and how they may be compromised, are described in Table 1 below.

Table 1 – Descriptions of the factors of authentication

| Factor (something you...) | Examples | Attack method |
| --- | --- | --- |
| Know | Common examples are passwords and collections of personal information (e.g. mother’s maiden name). Personal information is not necessarily secret, but is assumed to be unknown by anyone else. NOTE – Mother’s maiden name is now regarded as providing little confidence in the claimed identity. | An attacker must discover the known information. |
| Have | Signet rings and passports are examples. Such objects are collectively called tokens. Some tokens perform sophisticated authentication functions, such as providing protected storage for cryptographic keys and performing cryptographic operations. Tokens for electronic authentication come in software or hardware forms. | An attacker must obtain or copy the token. |
| Are | This is either a physical (as with fingerprints) or behavioural (as with typing patterns) characteristic of a person. Authentication methods based on this factor are commonly called biometrics. | An attacker must replicate what you are. |

Note that authentication methods based on personal information suffer from a number of problems:

  • There is not much information that can be used, and it either:
    • is static and cannot be changed (as with the mother’s maiden name of a person), or
    • needs to be kept up to date by the customer (for example, if a customer uses their pet’s name, then this may change and must be updated by the customer).
  • The value of such information for authentication is degraded as more organisations collect it.
  • The information can often be easily discovered by an attacker through research or observation.

Note also that agencies that collect, use and disclose personal information must ensure that what they do complies with the Privacy Act 1993. This Guidance does not consider authentication keys based on collections of personal information further.

Multi-factor authentication and security: a first look

Multi-factor authentication is defined as the combined use of more than one of the factors of authentication from Table 1. As there are three factors of authentication, there are three possibilities: 

  • Single-factor authentication – This uses only one of the three factors of authentication. An example is a password (something you know).
  • Two-factor authentication – This uses two of the three factors of authentication. Accessing your account through an ATM is based on two factors of authentication: the PIN (something you know) and the ATM card (something you have). 
  • Three-factor authentication – This uses all three of the factors of authentication. For example, to access a secure site you might need to pass a guard who checks your face against a stored image (something you are), swipe an access card (something you have), and enter a four-digit code (something you know).

Multi-factor authentication is either two-factor or three-factor. Note that using two types of the same factor is not multi-factor authentication. For example, a password and personal information are both what you know, so using them together would still be single-factor authentication.

The strength of authentication keys can vary even within a factor category. Mother’s maiden name, a four-digit code and a random eight-character alphanumeric password are all examples of authentication keys based on what you know, but they each provide different protection against discovery attacks. Consequently, the security of the authentication process is affected by the actual solution used. However, it is generally held that multi-factor authentication improves security. In general, for the examples above:

  • To use the password, you need to find out the password.
  • To use the ATM card, you need to find out the PIN and steal or copy the ATM card.
  • To get into the secure building, you need to steal or copy an access card, find out the access code and have the guard accept your face against one of those on their system.

So the amount of work for an attacker generally increases with the number of factors of authentication used. However, it could be the case that the security of a three-factor authentication method is comparable to, or even worse than, a single-factor method. With the secure site example, maybe the guard can be bribed, new access cards are easy to obtain, and the initial access code is always four zeros. Nevertheless, there is certainly more scope for improving security with multi-factor authentication as compared to single-factor authentication – it comes down to ensuring that the potential strength for an implementation is actually achieved.

Another issue is that the factors of authentication relied upon can change. This is the case when someone writes down his or her password. The password changes from being something you know to something you have. In this case it may be easier to find than to guess the password. This problem typically occurs with systems that force people to use randomly generated passwords. Random passwords are hard to remember, so people tend to write them down and keep them near their computer for convenience. A password might be found by searching the area around a computer, whereas security for the system probably assumes an attacker has to guess a random password. So when the factors relied upon change, the vulnerabilities of the system (and hence the potential attacks against it) do too.
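
As an added illustration (not part of the original guidance), the Python sketch below counts distinct factors rather than keys, treats a written-down password as something you have, and estimates the guessing space of the knowledge keys mentioned above. The class and function names, the `written_down` flag and the 62-symbol alphabet for the alphanumeric password are assumptions made for this example.

```python
import math
from dataclasses import dataclass

FACTORS = ("know", "have", "are")  # the three factors from Table 1
LEVELS = {0: "none", 1: "single-factor", 2: "two-factor", 3: "three-factor"}

@dataclass(frozen=True)
class Authenticator:
    name: str
    factor: str                 # nominal factor: "know", "have" or "are"
    written_down: bool = False  # hypothetical flag: the secret is kept on paper
    alphabet: int = 0           # symbols per position (random knowledge keys only)
    length: int = 0             # number of positions (random knowledge keys only)

    def effective_factor(self) -> str:
        # A written-down password is found rather than guessed, so it is
        # effectively something you have.
        if self.factor == "know" and self.written_down:
            return "have"
        return self.factor

    def guess_bits(self) -> float:
        # log2 of the search space for a uniformly random secret.
        # Personal information is not random, so no estimate is made (0.0).
        if self.factor != "know" or not self.alphabet:
            return 0.0
        return self.length * math.log2(self.alphabet)

def classify(auths) -> str:
    """Name the scheme by its number of distinct effective factors."""
    for a in auths:
        if a.factor not in FACTORS:
            raise ValueError(f"unknown factor: {a.factor}")
    return LEVELS[len({a.effective_factor() for a in auths})]

# Constructed sample keys, modelled on the examples in the text.
# Assumption: "alphanumeric" means 26 + 26 letters and 10 digits.
password = Authenticator("random 8-char password", "know", alphabet=62, length=8)
pin = Authenticator("four-digit code", "know", alphabet=10, length=4)
maiden = Authenticator("mother's maiden name", "know")
card = Authenticator("access card", "have")
face = Authenticator("guard checks face", "are")
noted = Authenticator("password on a note", "know", True, 62, 8)

if __name__ == "__main__":
    print(classify([password, maiden]))  # two keys, one factor
    print(classify([pin, card]))         # the ATM example
    print(classify([face, card, pin]))   # the secure site example
    print(classify([noted, card]))       # the note and the card are both "have"
    print(round(pin.guess_bits(), 1), round(password.guess_bits(), 1))
```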

As discussed above, actual implementations will vary in the protection they provide. Other weaknesses, not related to the authentication process, also need to be addressed. These weaknesses may arise out of such things as poor design, lack of security culture, or simple human error. Consider the secure site example: if there is a back door (for example, a fire escape exit) that can be used for entry, the attacker may be able to bypass all authentication checks. In this case it would not matter that you had a diligent guard, a well-controlled access card system and good access code practices. In fact, the authentication system will amount to worse than nothing if there are other ways in, because of the false sense of security it gives.


Page last updated: 13/09/2016