Last updated on March 26th, 2024
Three-Factor Authentication (3FA) is a type of authentication that confirms a user’s identity using three distinct authentication factors: something you know, something you have, and something you are.
The three authentication factors, or categories, are:
- Knowledge Factor (something you know) includes things a user must know, e.g., password, PIN, security question
- Possession Factor (something you have) includes things a user has to have in their possession, e.g., smartphone with authenticator app, SIM card, WebAuthn/U2F Security Key
- Inherence Factor (something you are) includes biometrics of a user, e.g., fingerprint scan, facial recognition, voice recognition
3-Factor Authentication requires a user to demonstrate all three of these authentication factors to complete authentication successfully and gain access to their account.
If you need a very high level of security for your logins, you can use Three-Factor Authentication. Three-Factor Authentication expands Two-Factor Authentication by adding yet another authentication factor.
Three-Factor Authentication (3FA) belongs to the family of Multi-Factor Authentication (MFA), so every 3FA is MFA.
2FA vs. 3FA: What Is the Difference Between 2FA and 3FA?
While Two-Factor Authentication (2FA) is a type of authentication that requires exactly two distinct authentication factors, Three-Factor Authentication (3FA) is a type of authentication that requires exactly three distinct authentication factors.
A distinct factor means that a factor cannot be used more than once. For example, using your password three times in a row is not Three-Factor Authentication but Single-Factor Authentication.
Three-Factor Authentication is usually considered more secure than Two-Factor Authentication because it requires the user to demonstrate three distinct proofs of identity instead of only two distinct proofs like 2FA does. However, authentication factors are categories that encompass multiple different authentication methods, each with its own set of pros and cons. For example, both SMS Passcode and Mobile Push fall into the Possession Factor category, but Mobile Push is generally considered more secure than SMS Passcode.
Even the exact same authentication method can have two different implementations with varying levels of security. For example, a simple implementation of a fingerprint scanner can be easily compromised by using a latent fingerprint. Mercifully, modern fingerprint scanners have a liveness detection that helps verify the genuine presence of a living user.
In short, implementing a specific authentication method is what matters most when it comes to Three-Factor Authentication and Two-Factor Authentication. Two strong and well-implemented factors are better than three weak factors. In some cases, even how users use the authentication methods counts. This is especially true with passwords. Consider the following examples.
2FA vs. 3FA: Example 1
Your password is qwerty and you have a YubiKey Bio security key. You use these two authentication methods together to log in to your account. Incidentally, YubiKey Bio is a security key that supports fingerprinting, which satisfies two authentication factors: something you have and something you are. Password is something you know. In Example 1, you are undergoing Three-Factor Authentication.
Even though using a weak password and a YubiKey Bio is Three-Factor Authentication, your weak password does nothing to improve your overall login security. A password like qwerty can be broken quickly using even the most straightforward brute-force password hacking technique. In this case, you can ditch the password and only use the YubiKey Bio without impacting the strength of your account protection.
2FA vs. 3FA: Example 2
You have a strong password like this: G5ehj%Ee5%H53eH54eh54eH#$ju54kj53 and a YubiKey Bio security key. You are undergoing Three-Factor Authentication. A strong password improves the overall security of your account. Using a strong password still makes sense in Multi-Factor Authentication.
Both Example 1 and Example 2 are Three-Factor Authentication. But while 3FA with a strong password makes sense, using a weak password to turn your Two-Factor Authentication into Three-Factor Authentication makes little sense.
Does Rublon Support Three-Factor Authentication (3FA)?
Rublon can only add one additional authentication method next to a password during a single authentication process. However, Rublon does support Three-Factor Authentication in the two following use cases.
Use Case 1: Password + Biometric Security Key
You can use WebAuthn/U2F Security Keys with Rublon. If your security key supports biometric authentication (e.g., YubiKey Bio), you can achieve Three-Factor Authentication (3FA) with Rublon.
Here’s how using your Biometric Security Key with Rublon can help you achieve 3FA:
- Your password is something you know
- The Biometric Security Key is something you have because it’s a physical fob you have in possession
- The Biometric Security Key requires your fingerprint to complete the login process successfully, so the Inherence Factor is also required
Use Case 2: Password + Biometric Lock + Mobile Passcode
The Rublon Authenticator mobile app allows you to enable a Biometric Lock in the form of a Fingerprint or Face Recognition. Thanks to this, you can achieve Three-Factor Authentication (3FA).
Here’s how using a Biometric Lock in Rublon can help you achieve 3FA:
- Your password is something you know
- You need to use something you are to unlock the Rublon Authenticator and look up the Mobile Passcode
- Rublon Authenticator installed on your phone is something you have
Cybersecurity purists may argue that a Biometric Lock in an authenticator app should not be seen as a factor but merely as a security control. This point is up to debate, but here at Rublon, we believe that security is what matters most. There is no doubt that, when used during authentication, a Biometric Lock improves the overall safety of user logins.
Do I Need Three-Factor Authentication (3FA)?
If security is your number-one concern, there is no better than Three-Factor Authentication (3FA). Still, 3FA is only as secure as its implementation. The conclusion is simple. When looking for a Multi-Factor Authentication (MFA) solution, seek a solution that supports the most secure authentication methods: WebAuthn/U2F Security Keys and Mobile Push and allows you to enable Out-of-Band Authentication (OOBA) and Adaptive Authentication. With all these security measures, Two-Factor Authentication (2FA) should be secure enough to ensure regulatory compliance for your industry.
Looking for MFA? We Have It.
If you specifically require Three-Factor Authentication (3FA), you can achieve that with Rublon. Check if Rublon fulfills your 3FA requirements by starting a Free 30-Day Trial.
Have any questions about Rublon and 3FA? Send your questions to Rublon Support.
