- Knowledge factors include factors like security questions and Personal Identification Number (PIN) security code.
- Possession factors cover methods like email or SMS delivered one-time passwords (OTP), time-based one time passwords generated by mobile authenticator apps or hardware tokens and also include security keys based on cryptographic protocols like those defined by the FIDO2 standards.
- All biometric factors like fingerprint, iris or facial authentications are considered inference factors.
So, what’s the best choice for the type of MFA factor? No single type of factor suits all purposes. The choice should take into account the available support for factors by the remote service, usability and cost. But most importantly it should account for the adversarial threat model presented by the system you are attempting to securely access.
Refer to the references below to view the most secure MFA option:
The Consumer Authentication Strength Maturity Model (CASMM) V6
The Authentication Attack Matrix (PDF)