Ranking the Different Types of Multi-Factor Authentication (MFA)

In this blog we review the four different types of multi-factor authentication (MFA), including “something you are”, “something you know”, “something you have”, and “somewhere you are.”

Blog Post

7 minute read

Apr 03, 2024

With so many modern businesses building their teams across different locations, creating flexible or remote work environments, and constantly collaborating over the internet, organizations must make sure that employees are who they say they are to avoid unauthorized users infiltrating network systems.  

Multi-factor authentication (MFA) enhances network security practices across the organization by establishing additional user identity verification measures. This greatly reduces the potential of unauthorized users accessing your systems and compromising your network.  

MFA solutions aren’t just effective, they’re fairly easy to implement, there are a variety of verification measures to choose from depending on the specific circumstances, and the amount of time they add to the log-in process is negligible.  

Don’t go guessing at cybersecurity. Let the experts guide you on your journey to a more secure future by getting started with Impact today.  

What Is MFA and How Does it Work?

Multi-factor authentication is a security protocol designed to enhance the protection of digital accounts and systems by requiring users to provide multiple forms of verification when requesting access. 

Traditional authentication methods typically rely solely on something the user knows, such as a password. However, with the increasing sophistication of cyber threats, relying solely on passwords has become insufficient. MFA addresses this vulnerability by adding additional layers of security, making it significantly more challenging for unauthorized users to gain access. 

how MFA works graphic

The principle behind MFA is based on the concept of combining different factors of authentication to verify the identity of the user. These factors typically fall into four categories:  

By requiring verification from multiple categories simultaneously, MFA significantly reduces the risk of unauthorized access. 

mfa quote 1

The 4 Types of Multi-Factor Authentication  

As mentioned above, the four different types of multi-factor authentication that organizations can implement include, something you are, something you have, something you know, and somewhere you are.  

Each of these MFA solutions is designed to work with a different verification method and depending on several variables, one might be preferable for your organization over another. For example, if your company has multiple locations, or a percentage of remote workers, an MFA solution that makes use of the “somewhere you are” principle would be ineffective, to say the least.

Let’s take a closer look at the different types of MFA solutions and the verification methods they use. 

1. Something You Are

At the top of the list is biometric authentication, often referred to as "something you are." This verification method, as its name might hint at, relies on unique biological characteristics to verify a user's identity.  

Depending on the specific MFA application, biometric authentication might use fingerprints, retina scans, or facial recognition to establish and confirm a user’s identity. For instance, a smartphone equipped with facial recognition technology scans the user's face to authenticate access.  

Biometric authentication offers a high level of security as biometric traits are inherently unique to each individual, making it extremely difficult for unauthorized users to replicate or spoof. Moreover, biometric authentication enhances user experience by providing a seamless and convenient way to access accounts or devices without the need to remember complex passwords or PINs.

In that same vein, implementing a biometric verification MFA eliminates the need for other devices or objects – truly creating a smooth and secure account access protocol. 

2. Something You Have

In contrast to biometric authentication, "something you have" involves physical objects that only the user possesses. These objects serve as tangible tokens or keys to authenticate identity.  

For example, a physical smart card containing a chip or a USB token generates one-time codes to authenticate access. An office building security card is a perfect example of an MFA built on the principle of “something you have.”  

Similarly, smartphones equipped with authentication apps, such as Google Authenticator or Authy, generate time-based codes that serve as secondary authentication factors. The physical presence of these devices adds an extra layer of security to the authentication process.  

This way, even if an attacker gains access to a user's password, they would still need physical possession of the secondary device to complete the authentication process, making "something you have" an effective means of thwarting unauthorized access attempts. 

3. Something You Know

"Something you know" is the most traditional form of authentication and relies on information known only to the user.  

This includes passwords, passphrases, PINs, or answers to security questions. Password-based authentication involves users creating unique combinations of letters, numbers, and special characters to secure their accounts. Additionally, security questions, such as "What is your mother's maiden name?" or "Which city were you born in?" serve as supplementary authentication factors.  

While passwords are susceptible to being guessed, stolen, or intercepted, they become more secure when they’re unique and updated regularly. Therefore, it’s crucial to establish a password policy that encourages users to update their credentials regularly and prevents them from reusing the same password over and over. 

4. Somewhere You Are

Coming in last is geolocation-based identity verification.  

Geolocation-based authentication, known as "somewhere you are," verifies the user's identity based on their physical location. This authentication method utilizes various technologies, including GPS coordinates, IP addresses, or proximity to specific Wi-Fi networks, to determine the user's location.  

For example, a banking app may require users to authenticate their transactions by verifying their location using GPS coordinates. While geolocation adds another layer of security to the authentication process, it is not foolproof, as IP addresses can be spoofed, and GPS signals can be manipulated.

Nevertheless, there are some use cases for geolocation-based user verification. For example, sports betting is still illegal in many states across the country but apps like FanDuel and DraftKings can be downloaded from anywhere. So in order to comply with local state laws and avoid major fines, most sports betting apps implement geolocation verification.  

Final Thoughts on Multi-Factor Authentication

With so much data being transferred across the internet every single day and the rising rates of cybercrime, organizations need to do as much as they can to make it as difficult as possible for threat actors to infiltrate their systems.  

This all starts by implementing easy security measures considered industry best practices that can drastically improve your network defenses.  

If you want to evolve your security it takes a layered strategy that involves multiple defensive measures and continual updates. Start building toward a more secure tomorrow by getting started with Impact today. 


CybersecurityMitigate Cyber Risks


Impact Insights

Sign up for The Edge newsletter to receive our latest insights, articles, and videos delivered straight to your inbox.

More From Impact

View all Insights