Factors in Identity

Traditional identity conversations center on the different factors of authentication. Often an identity mechanism is categorized as either a two-factor or single-factor system. Two-factor systems are the stronger choice. The factors include what you are, what you know, what you have, and who you are. These factors are fine for user authentication but break down with device authentication. A device can only be authenticated based on where it is and what it knows.

• Where you are/where it is Today this question is answered with either network layer information (IP or MAC address) or physical security controls. Your IP address maps to a specific subnet, and your MAC address corresponds to a specific port on an Ethernet switch.
• What you know/what it knows This is the most common factor of identity. What you know generally refers to a PIN or password. A device such as a router can be configured with a shared secret or digital certificate as what it "knows."
• What you have This factor refers to physical items the user possesses. This could be an OTP key fob, smart card, or other physical device that asserts identity.
• Who you are Biometrics is the only technology that can answer this question.