Three-factor authentication is a system of authentication that requires users to provide credentials from three different authentication factor categories. The authentication factor categories used typically include knowledge, possession and inherence.
Knowledge factors are information only a specific individual would know. These include credentials such as user names, IDs, PIN numbers and passphrases.
Possession factors are items or virtual objects that only a specific individual should have. Physical objects such as employee IDs. smartphones, key fobs and other similar items fall into this category, as do virtual objects such as one-time password tokens.
Inherence factors are biological features that set a person apart from other individuals, such as his fingerprints, speech patterns or facial proportions. These are collected using specialized hardware or software capable of detecting the subtle differences in these traits that exists between different people.
Because it is unlikely that an attacker could obtain all the required credentials to fulfill each of the three authentication factors, three-factor authentication provides far greater security than is possible with one- and two-factor authentication. Three-factor authentication also makes up for weaknesses in other factors. For example, if a person sets a password that is easy to guess, the possession and inherence factors can keep the system safe even if an attacker manages to guess the user's password. This increased security makes three-factor authentication ideal for businesses and government offices that deal with very sensitive information.