SecureTrust Cybersecurity
Three factor authentication

What Is 3 Factor Authentication?

Implementing 3 factor authentication is a significant step toward enhancing information security.

In today’s information landscape, where cyber threats are increasingly sophisticated, some information has enough value to warrant protection by at least 3 factors instead of relying solely on passwords or even two-factor authentication.

3 factor authentication involves integrating multiple factors to validate the user’s identity including:

  • Something the user knows (username/password)
  • Something the user has (hardware token)
  • Something the user is (biometric data)

This multi-layered approach significantly strengthens security posture and reduces the likelihood of unauthorized access.

First Principles

A first principle is an essential truth or assumption irreducible from any other truth or assumption.

It is the foundational concept that forms the basis of a theory or belief system.

A first principle of information security:

The information owner determines the necessary conditions to protect their information. No number of technical controls can fully compensate for an untrained, careless, or malicious user.

For our purposes, the information owner is the entity that has the original claim to control the information upon generation or transmission. 

This entity can be a human being, a machine, or an application running on a machine.

For this article, we will assume that information only has one owner upon creation. 

In a future article, we may explore co-ownership at the moment of creation; however, exploring the added complexity is beyond the current scope.


We must explore the concept of privacy as a necessary condition for information security. 

A universally accepted definition of privacy does not yet exist; however, Daniel Solove provides several themes in his article Conceptualizing Privacy:

  1. The right to be let alone
  2. Limited access to the self: arbitrating interactions and concealing personal activity
  3. Secrecy
  4. Control over personal information
  5. Personhood: non-interference in personal dignity and autonomy of body and mind
  6. Intimacy


Individual agency is of utmost importance for information security. 

The concept of individual agency recognizes that the information owner, whether a human being, a machine, or an application, has the right to determine the necessary conditions to protect their information.

Individuals should have control over their personal information and be able to make decisions about how it is accessed, used, and shared.

In authentication, individual agency means individuals can choose and manage their authentication factors. 

They can decide which factors they are comfortable using and how they want to authenticate their identity—empowering individuals and collectives to select the authentication methods that align with their needs, preferences, and the level of security required.

Individual agency also plays a role in privacy. 

Privacy is a fundamental aspect of information security, and individuals should have control over their personal information

By allowing individuals to choose their authentication factors, organizations can respect their privacy and ensure that sensitive information is protected.

Furthermore, choices can promote user engagement and acceptance of authentication measures. However, it is vital to balance individual agency and organizational security requirements.

While individuals should be free to choose their authentication factors, organizations must also establish policies and procedures to ensure the overall security of their systems and sensitive information.

These activities can include:

  • Implementing appropriate technologies
  • Setting minimum security standards
  • Guiding individuals on selecting secure authentication factors

Individual agency is crucial in information security and authentication.

It empowers individuals to control their personal information, promotes privacy, and enhances user engagement.

By recognizing and respecting autonomy, organizations can strengthen their security measures while ensuring active participation and user satisfaction.

Authentication, Authorization, & Accounting

Access control fundamentals include the “AAA”, or triple-A principle. 3 separate activities comprise the body of practice: Authentication, Authorization, & Accounting.

  • Authentication verifies an entity’s identity.
  • Authorization permits an entity to access restricted information.
  • Accounting (and auditing) logs authentication events, access decisions, and activities. Accounting usually implies that a record is available for future audits.


A robust AAA system should provide reasonable non-repudiation. The principle of non-repudiation establishes that a party cannot deny the authenticity or integrity of a message or transaction.

It provides evidence that proves the origin, delivery, and receipt of a message or the completion of a transaction, making it difficult for an actor to deny their involvement or the validity of the information exchanged.

CIA Triad

Many cybersecurity frameworks and expert opinion use the “CIA Triad” as a fundamental computer security concept.

The triad consists of 3 principles, each of which are considerations for adequate information security.

  1. Confidentiality is the principle that an entity can secure its private information from unauthorized entities. An example of confidentiality is using an envelope instead of sending a postcard.
  2. Integrity is the principle that an observer can validate that the content in a message is original and unmodified. One example of an integrity check is a ticket check upon boarding a vessel.
  3. Availability is the principle that the requesting entity can access the information at a the desired time.
hacker bypassing traditional multi factor authentication

Working Towards 3 Factor Authentication

Moving toward 3 factor authentication is a crucial step in enhancing information security.

As cyber threats become increasingly sophisticated, in many cases, passwords or even two-factor authentication are insufficient for information protection.

By implementing 3 factor authentication, organizations can significantly strengthen their security posture.

Implementing 3 factor authentication requires a comprehensive approach. 

It involves the integration of appropriate technologies, such as biometric scanners and smart card readers, into the authentication process.

Additionally, organizations must establish clear policies and procedures for managing and maintaining the authentication factors securely.


A quorum refers to the minimum number of authentication factors required during verification to grant access to a system or sensitive information.

By requiring a quorum, access arbitrators can significantly reduce the risk of unauthorized access by ensuring multiple security layers.

Having a quorum in a multifactor authentication scheme is of utmost importance.

Using a quorum in multifactor authentication adds an extra layer of protection against various threats.

Suppose an attacker compromises one authentication factor, such as stealing a password. In that case, they must still bypass the remaining factors to gain access.

The additional factors significantly increase the difficulty for attackers and reduce the likelihood of successful unauthorized access.

Furthermore, a quorum provides a balance between security and usability

Requiring all authentication factors for every login attempt may be cumbersome for users and impact productivity. 

By setting a quorum, organizations can balance security and user experience, ensuring that the authentication process is effective and efficient.

In addition, a quorum enhances non-repudiation. 

With multiple authentication factors, it becomes more challenging for users to deny their involvement or claim that their credentials were compromised. 

A quorum strengthens the evidence of authentication, making it difficult for parties to repudiate their actions.

3 factor triad

With 3 factor authentication, systems use 3 separate factors to validate the user’s identity. 

These factors typically include something the user knows (such as a PIN or password), something the user has (such as a token, smartcard, or cell phone), and something the user is (such as biometric data like fingerprints or facial recognition). 

The likelihood of unauthorized access diminishes when leveraging multiple authentication factors.

The adoption of 3 factor authentication aligns with the principles of information assurance, which aim to protect and defend information and information systems by ensuring their confidentiality, integrity, and availability. 

It also aligns with the requirements outlined in various policies, procedures, and statutes, such as the National Security Act, the Clinger-Cohen Act, and other US Government Standards, Directives, and Instructions.

Expanding Beyond 3 factors

Other authentication factors exist and can be appropriate authentication:

  1. Time/Timing: Time-based authentication factors involve using the current time as an authentication factor, including methods such as time-based one-time passwords (TOTP) or time-based access restrictions. For example, a system may require users to enter a unique code generated by an authentication app within a specific time window to verify their identity.
  2. Action/Activity: Action-based authentication factors need users to perform specific actions or activities to verify their identity. Examples include saying a particular phrase, gesturing, or turning their head left and right. These actions are typically captured by sensors or cameras and compared to pre-recorded data to authenticate the user.
  3. Cognitive load: Cognitive load-based authentication factors involve assessing the user’s cognitive abilities or knowledge to verify their identity. Personalize questions based on the user’s profile or require solving a specific problem or puzzle. By leveraging cognitive load, organizations can add a layer of security by verifying that the user possesses specific knowledge or mental abilities.
  4. Scenario-based authentication: Scenario-based authentication factors involve creating particular scenarios or situations that users must respond to to verify their identity. Some situations may include presenting users with simulated real-life scenarios and assessing their responses or decision-making abilities. By incorporating scenario-based authentication, organizations can determine the user’s ability to handle specific situations and make informed decisions, adding an extra layer of security.
  5. Location: Location-based authentication factors involve using the user’s physical location, such as geolocation tracking or proximity-based authentication. As a location-based factor, a system may require users to be physically present in a specific location or within a certain range of a designated device to authenticate their identity.


By moving toward 3 factor authentication, organizations can significantly enhance their information security posture.

This multi-layered approach provides additional defense against unauthorized access and reduces the risk of data breaches.

It aligns with the principles of information assurance and ensures compliance with relevant policies and regulations.

As cyber threats continuously evolve, adopting robust authentication measures becomes increasingly important to safeguard sensitive information and protect against potential security breaches.

Related Content

Jeff Schulman
Jeff Schulman

Jeff started his career as an active-duty Marine. He has specialized in information systems and information security for over twenty years, spending nearly two decades overseas in Korea and Germany, as a systems administrator and a systems engineering team lead at sub-unified and combatant command headquarters.

Share This Article

Subscribe to SecureTrust newsletter

Get the week’s best
cybersecurity content.
Sign Up >

Join 10,000 Subscribers

AI & Cybersecurity Insights
Delivered To Your Inbox

SecureTrust Cybersecurity Powered By Helios