The MFA Trinity: Something You Know, Are, and Have
A deep dive into why passwords aren't enough and how the holy trinity of authentication protects your digital identity.
I treat passwords like temporary scaffolding, not real security. If an account matters, I want at least two independent proofs of identity, ideally a hardware-backed factor plus biometrics, which is why passkeys are now my default.
Passwords are, to put it bluntly, a single point of failure.
In an ideal world, we'd all have unique, 100-character passwords memorized for every single service we use. In reality, 62% of people reuse the same password across multiple accounts. That means if a random forum you signed up for in 2018 gets breached, the roadmap to your bank account might just have been published on the dark web.
That is why I do not think in terms of "good passwords" anymore. I think in terms of independent factors that fail differently.
Most of us have taken the first step: Two-Factor Authentication (2FA). You log in, and you get a text message (SMS) or an email with a code.
Is this better than just a password? Absolutely. Is it secure? Not really.
SMS protocols are notoriously ancient and vulnerable to SIM swapping: an attack where a bad actor convinces your mobile carrier to port your phone number to their SIM card. Once they have your number, they have your codes. It's a low-tech attack with high-impact consequences.
Good MFA is not about adding random friction. It is about using different categories of proof. I group them into the MFA Trinity. For any account that matters, I want at least two of these three buckets:
Something you know. This is the legacy layer: the secret inside your head.
Something you are. This is the biometric layer. It proves identity based on inherent physical traits.
Something you have. This is the physical layer. It requires possession of a specific, tangible object.
A pushback I hear a lot is, "Why do I need all this for a new account? There's nothing in it."
Fair point. A fresh account is like an empty house. If someone breaks in on day one, there is not much to steal.
But digital accounts obey the law of entropy: they accumulate value over time.
As the account gets more valuable, your security needs to level up with it. You do not put a vault door on a garden shed, and you do not protect a vault with a screen door.
In practice, passkeys are where this is heading. A passkey combines "Something you have" (your phone or laptop) with "Something you are" (Face ID or Touch ID), so the weakest factor, "Something you know," can drop out.
If you have not moved your important accounts (email, banking, cloud storage) to hardware-backed MFA or passkeys yet, do that this week. Start with your email account first, because every account recovery flow usually routes through it.