Ranking the Different Types of Multi-Factor Authentication (MFA)

1. Something You Are

At the top of the list is biometric authentication, often referred to as "something you are." This verification method, as its name might hint at, relies on unique biological characteristics to verify a user's identity.  

Depending on the specific MFA application, biometric authentication might use fingerprints, retina scans, or facial recognition to establish and confirm a user’s identity. For instance, a smartphone equipped with facial recognition technology scans the user's face to authenticate access.  

Biometric authentication offers a high level of security as biometric traits are inherently unique to each individual, making it extremely difficult for unauthorized users to replicate or spoof. Moreover, biometric authentication enhances user experience by providing a seamless and convenient way to access accounts or devices without the need to remember complex passwords or PINs.

In that same vein, implementing a biometric verification MFA eliminates the need for other devices or objects – truly creating a smooth and secure account access protocol. 

2. Something You Have

In contrast to biometric authentication, "something you have" involves physical objects that only the user possesses. These objects serve as tangible tokens or keys to authenticate identity.  

For example, a physical smart card containing a chip or a USB token generates one-time codes to authenticate access. An office building security card is a perfect example of an MFA built on the principle of “something you have.”  

Similarly, smartphones equipped with authentication apps, such as Google Authenticator or Authy, generate time-based codes that serve as secondary authentication factors. The physical presence of these devices adds an extra layer of security to the authentication process.  

This way, even if an attacker gains access to a user's password, they would still need physical possession of the secondary device to complete the authentication process, making "something you have" an effective means of thwarting unauthorized access attempts. 

3. Something You Know

"Something you know" is the most traditional form of authentication and relies on information known only to the user.  

This includes passwords, passphrases, PINs, or answers to security questions. Password-based authentication involves users creating unique combinations of letters, numbers, and special characters to secure their accounts. Additionally, security questions, such as "What is your mother's maiden name?" or "Which city were you born in?" serve as supplementary authentication factors.  

While passwords are susceptible to being guessed, stolen, or intercepted, they become more secure when they’re unique and updated regularly. Therefore, it’s crucial to establish a password policy that encourages users to update their credentials regularly and prevents them from reusing the same password over and over. 

4. Somewhere You Are

Coming in last is geolocation-based identity verification.  

Geolocation-based authentication, known as "somewhere you are," verifies the user's identity based on their physical location. This authentication method utilizes various technologies, including GPS coordinates, IP addresses, or proximity to specific Wi-Fi networks, to determine the user's location.  

For example, a banking app may require users to authenticate their transactions by verifying their location using GPS coordinates. While geolocation adds another layer of security to the authentication process, it is not foolproof, as IP addresses can be spoofed, and GPS signals can be manipulated.

Nevertheless, there are some use cases for geolocation-based user verification. For example, sports betting is still illegal in many states across the country but apps like FanDuel and DraftKings can be downloaded from anywhere. So in order to comply with local state laws and avoid major fines, most sports betting apps implement geolocation verification.