The three are traditionally described as follows:
- The 'know' factor is a secret like a password or a PIN.
- The 'have' factor is some physical object in your possession.
- The 'are' factor is a biometric like a fingerprint or a retinal scan.
Think about the 'have'. It's clearly not enough to merely have possession of a SecurID or smartphone. You have to demonstrate (or prove) possession of that object. Typically, possession is proved by entering an OTP, or by responding to a challenge sent to that object.
Now consider the 'know'. When I enter a password to log in, what am I doing other than proving possession of (the knowledge of) the shared secret?
And for the 'are' factor, when I enter Canada using a Nexus kiosk, what am I doing other than proving possession of my retinas?
Would it not be simpler to model all authentication operations as:
Something you have (with various proof mechanisms)
We are headed to a future where the things we have (see this) will be more and more involved in our authentication. While the phone may have primacy at the moment, over time it will become just one of many devices floating around us with an opinion on our status & presence (and an ability to assert it).
So perhaps the ultimate model for describing authentication is:
Some things you have (with various proof mechanisms)
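As an added example (not the post's own code), here is a verifier-side sketch of that model in Python: each factor is a registered thing plus a proof mechanism, all behind one `challenge`/`verify` shape. The three classes, the toy Hamming-distance matcher and the sample enrolment are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

class KnownSecret:
    """'Know' factor: a shared secret, proved by presenting it. Verifier stores a salted hash only."""
    def __init__(self, secret: str):
        self.salt = os.urandom(16)
        self.digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), self.salt, 100_000)
    def challenge(self):
        return None  # no challenge: the proof is the secret itself
    def verify(self, challenge, response: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", response.encode(), self.salt, 100_000)
        return hmac.compare_digest(cand, self.digest)

class HeldDevice:
    """'Have' factor: a key-seeded device, proved by an HMAC over a fresh challenge (not replayable)."""
    def __init__(self, device_key: bytes):
        self.key = device_key
    def challenge(self) -> bytes:
        return os.urandom(16)
    def verify(self, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

class BiometricTemplate:
    """'Are' factor: a body feature, proved by a sample within Hamming distance of the enrolled
    template. Toy bit-template (constructed); real matchers differ, the proof shape does not."""
    def __init__(self, template: bytes, max_distance: int):
        self.template, self.max_distance = template, max_distance
    def challenge(self):
        return None
    def verify(self, challenge, sample: bytes) -> bool:
        if len(sample) != len(self.template):
            return False
        return sum(bin(a ^ b).count("1") for a, b in zip(self.template, sample)) <= self.max_distance

def authenticate(thing, respond) -> bool:
    """One flow for every factor: issue the challenge, get the claimant's response, verify it."""
    c = thing.challenge()
    return thing.verify(c, respond(c))

# Constructed sample enrolment (not real credentials); `respond` stands in for the user or device.
DEVICE_KEY = os.urandom(32)
ENROLLED = [
    (KnownSecret("correct horse battery staple"), lambda c: "correct horse battery staple"),
    (HeldDevice(DEVICE_KEY), lambda c: hmac.new(DEVICE_KEY, c, hashlib.sha256).digest()),
    (BiometricTemplate(b"\xf0\x0f\xaa\x55", 2), lambda c: b"\xf0\x0f\xaa\x54"),
]
```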