The MFA Trinity: Something You Know, Are, and Have
A deep dive into why passwords aren't enough and how the holy trinity of authentication protects your digital identity.
Passwords are, to put it bluntly, a single point of failure.
In an ideal world, we'd all have unique, 100-character passwords memorized for every single service we use. In reality, 62% of people reuse the same password across multiple accounts. That means if a random forum you signed up for in 2018 gets breached, the roadmap to your bank account might just have been published on the dark web.
This is where the concept of identity verification needs to evolve from a simple secret handshake to a robust, multi-layered defense.
The "Sort of" Fix: 2FA
Most of us have taken the first step: Two-Factor Authentication (2FA). You log in, and you get a text message (SMS) or an email with a code.
Is this better than just a password? Absolutely. Is it secure? Not really.
SMS was never designed as an authentication channel, and it is vulnerable to SIM swapping: an attack where a bad actor convinces your mobile carrier to move your phone number to a SIM card they control. Once they have your number, they receive your codes. It's a low-tech attack with high-impact consequences. Even without a SIM swap, a six-digit code you type into a convincing fake login page can be forwarded to the real site by the attacker before it expires, because nothing in the code says which site it was meant for.
The Holy Trinity of MFA
True, robust Multi-Factor Authentication isn't just about more steps; it's about different types of evidence. We call this the MFA Trinity. To prove you are who you say you are, you should ideally provide evidence from at least two of these three distinct buckets:
1. Something You Know
This is the legacy layer. It's the secret inside your head.
- Examples: Passwords, PINs, the name of your first pet (please don't use that as a security question).
- Weakness: Can be phished, guessed, or stolen.
2. Something You Are
This is the biometric layer. It proves identity based on inherent physical traits.
- Examples: Fingerprint (Touch ID), Facial Geometry (Face ID), Iris scan.
- Weakness: You can't change your face or fingerprint if the biometric data is compromised. In practice, modern implementations keep the biometric template inside a hardware enclave (Apple's Secure Enclave, for example) and never send it to a server; the biometric only unlocks a key stored on the device, so what actually has to be stolen is the device itself.
3. Something You Have
This is the physical layer. It requires possession of a specific, tangible object.
- Examples: A YubiKey, a smartphone with a registered Passkey, a smart card.
- Strength: Even if a hacker has your password and a deepfake of your face, they cannot log in without the physical device sitting in your pocket.
- Weakness: A code generated on your phone by an authenticator app still has to be typed somewhere, so a phishing page can relay it to the real site in real time, just like an SMS code. Only possession proofs that are cryptographically bound to the site, such as FIDO2 security keys and passkeys, resist that.
Security Economics: The Empty House Theory
A common pushback I hear is, "Why do I need all this for a new account? There's nothing in it."
And you're right. When you create a fresh account, it's like buying an empty house. If someone breaks in, they might steal... the air? The risk is low because the value is low.
But digital accounts are not static: they accumulate value over time.
- Day 1: Empty profile.
- Year 1: Credit card info saved.
- Year 5: 5 years of private messages, photos, location history, and preference data.
As the value of the asset (your account) increases, the effort you spend protecting it should scale with it. You don't put a bank vault door on a garden shed, but you also don't put a screen door on a bank vault.
The End Game: Passkeys
The industry is rapidly converging on Passkeys as the implementation of this trinity. A Passkey is a public-key credential: the private key never leaves your device (or its secure hardware), and the server stores only the public key, so a breach of the server leaks nothing that can be replayed. Logging in means the device signs a one-time challenge from the site, and that signature is bound to the site's origin, so a look-alike phishing site cannot obtain a signature the real site will accept. The unlock is local, using Face ID, Touch ID or the device PIN, and the site never sees it. In effect a Passkey combines "Something you have" (your phone/laptop) with a local "Something you are" or "Something you know" check, and removes the shared password, the weak link that could be phished or reused, from the equation entirely.
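The difference between a relayable code and an origin-bound signature is easier to see in code. The following is an added example, not code from the original post: the TOTP routine follows RFC 6238 using only the Python standard library, and the passkey part is a deliberately simplified model of a WebAuthn assertion. As an assumption, the authenticator's signature is stood in for by an HMAC over a per-credential secret (a real authenticator signs with an asymmetric key such as ECDSA P-256 and the server stores only the public key), and the hostnames `bank.example` and `login.bank-example.co` are constructed for the example. It shows the relay attack from the 2FA section succeeding against a one-time code and failing against a passkey, first because the browser refuses to hand a look-alike host the real site's credential, and second because the origin is part of what gets signed.

```python
"""Added example, not code from the original post: a relayed SMS or TOTP code
lets a phishing site log in as the victim, while a relayed passkey challenge does
not. TOTP follows RFC 6238 (standard library only). The passkey part is a
simplified WebAuthn model; as an assumption the authenticator signature is an
HMAC over a per-credential secret standing in for a real asymmetric signature.
Hostnames are constructed for the example."""
import hashlib
import hmac
import json
import secrets
import struct
from urllib.parse import urlparse

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the time counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def relay_attack_on_totp(shared_secret: bytes, now: int) -> bool:
    """Victim types the code into a look-alike page; attacker forwards it to the real
    site in the same window. Nothing in the code names a site, so it is accepted."""
    code_typed_into_phishing_page = totp(shared_secret, now)
    return hmac.compare_digest(code_typed_into_phishing_page, totp(shared_secret, now))

class Authenticator:
    """Device-side store of credentials, each scoped to one relying-party id (rpId)."""
    def __init__(self):
        self._creds = {}  # rp_id -> (credential_id, key)
    def register(self, rp_id: str):
        cred_id, key = secrets.token_hex(8), secrets.token_bytes(32)  # key = private-key stand-in
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key  # a real server would receive only the public key
    def get_assertion(self, rp_id: str, origin: str, challenge: str) -> dict:
        if rp_id not in self._creds:
            raise LookupError(f"no credential scoped to {rp_id}")
        cred_id, key = self._creds[rp_id]
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return {"id": cred_id, "clientDataJSON": client_data,
                "authenticatorData": auth_data, "signature": sig}

def browser_get_assertion(auth: Authenticator, origin: str, rp_id: str, challenge: str) -> dict:
    """Browser rule: a page may only request credentials whose rpId is its own host
    or a parent domain of it, so a look-alike host cannot name the real rpId."""
    host = urlparse(origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"{origin} may not use rpId {rp_id}")
    return auth.get_assertion(rp_id, origin, challenge)

class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin, self.keys, self.pending = rp_id, origin, {}, set()
    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge
    def verify(self, assertion: dict) -> bool:
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self.pending:
            return False
        self.pending.discard(cd["challenge"])  # each challenge is single use
        if cd.get("origin") != self.origin:  # signed on another origin: relay or look-alike
            return False
        key = self.keys.get(assertion["id"])
        if key is None or assertion["authenticatorData"] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
        return hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), assertion["signature"])

def setup():
    rp, auth = RelyingParty("bank.example", "https://bank.example"), Authenticator()
    cred_id, key = auth.register(rp.rp_id)
    rp.keys[cred_id] = key
    return rp, auth

def legit_passkey_login(rp, auth) -> bool:
    return rp.verify(browser_get_assertion(auth, rp.origin, rp.rp_id, rp.new_challenge()))

def relay_attack_on_passkey(rp, auth, phishing_origin="https://login.bank-example.co") -> bool:
    """Attacker proxies the real site's challenge to the victim on a look-alike origin."""
    challenge = rp.new_challenge()  # fetched from the real site by the attacker's proxy
    try:
        assertion = browser_get_assertion(auth, phishing_origin, rp.rp_id, challenge)
    except PermissionError:
        return False  # browser refuses: rpId does not match the phishing host
    return rp.verify(assertion)

def forged_origin_attack(rp, auth, phishing_origin="https://login.bank-example.co") -> bool:
    """Even with the browser rule bypassed, the origin sits inside the signed data, so
    an assertion produced on the phishing origin fails verification at the real site."""
    return rp.verify(auth.get_assertion(rp.rp_id, phishing_origin, rp.new_challenge()))
```

Run `setup()` once, then call `legit_passkey_login`, `relay_attack_on_passkey` and `forged_origin_attack` with the returned pair; only the first returns True, while `relay_attack_on_totp` returns True for any shared seed. The two passkey defences are independent on purpose: the browser's rpId rule stops the phishing page from asking for the credential at all, and the origin inside `clientDataJSON` means that even an assertion obtained some other way is only valid for the site it was produced on.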
If you haven't started migrating your critical accounts (Email, Banking, Cloud Storage) to hardware-backed MFA or Passkeys, today is the day. Don't wait until the house is full to buy the lock.