2020-02-20

Something you know, something you have, something you are.

Most IAM people will repeat this phrase in a heartbeat: "Something you know, something you have, something you are". These are things that can be used to authenticate an identity. Put a different way, these are things that allow you to build the trust required to grant access.

Policy decision points authenticate credentials based on the attributes available to them. A single attribute, like something you know (e.g. a password secret), gives some minor level of trust. Each attribute may not carry the same weight for building trust: an 8-character secret is not as secure as a 2014-bit key, yet both may be vulnerable if poorly stored. Given the same level of trust per attribute, the trust built grows exponentially with the number of attributes authenticated. For example, 1 factor or attribute authenticated is 1x1=1, 2FA is 2x2=4 times, and 3FA would be 3x3 or 9 times the trust of 1FA.

In the digital world we often make binary decisions (if this, then that), whereas in real life we have hundreds of attributes we take for granted and use as references for trusting that someone is who they say they are. I discussed this in the post "The Identity Bottleneck". You are a sentry; someone approaches and you challenge them, "Halt, who goes there?", and the person responds with a password. Is that enough? What if the person does not speak any of your languages, is wearing the clothes of the enemy and you don't recognize them? Would you require a second proof of identity? But in the digital world, how are these factors created, stored and used?

There is much hype around MFA, biometrics and policy decision points, and the death of the password. What I wanted to highlight, though, is the trend towards contextual characteristics. In the real world, this amounts to identifying someone based on their relationship to something else: the first one, the one to the left, the one standing. Marketing and advertising have led with this. Where did your connection come from? Is the machine ID known? Is there an existing cookie?

Let's say you have an old application limited to 8-character passwords for authentication. Could you use 1 or more contextual characteristics to improve identity trust? What is the IP, what is the machine ID, do they know the password...
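To make the weighting idea from the earlier paragraph and the contextual question above concrete, here is a small policy decision point in Python. It is an added example, not code from the original post: the factor names, weights, threshold, known networks, device IDs and session cookies are all invented for illustration. It uses a weighted sum of authenticated attributes plus contextual signals (source network, machine ID, existing cookie) and grants access only when the combined trust clears a threshold, so a legacy 8-character password alone is refused but the same password from a known device on a known network is accepted.

```python
"""Illustrative policy decision point: weighted attributes plus context.
Added example; every weight, name and threshold below is an assumption."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Trust earned per authenticated attribute (assumed values). A short
# password earns less than a long one; a hardware key earns the most.
FACTOR_WEIGHTS: Dict[str, float] = {
    "password_8char": 1.0,   # something you know, weak legacy policy
    "password_strong": 2.0,  # something you know, long and unique
    "totp": 2.5,             # something you have, software token
    "hardware_key": 4.0,     # something you have, FIDO-style key
    "fingerprint": 3.0,      # something you are
}

# Trust earned from contextual characteristics (assumed values).
CONTEXT_WEIGHTS: Dict[str, float] = {
    "known_network": 1.0,
    "known_device": 1.5,
    "valid_session_cookie": 1.0,
}

# Minimum combined score needed to grant access (assumed).
THRESHOLD = 3.0

# Constructed reference data standing in for an asset inventory.
KNOWN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
KNOWN_DEVICES = {"dev-a1b2c3", "dev-d4e5f6"}
VALID_COOKIES = {"sess-0001"}


@dataclass
class AuthRequest:
    factors: List[str]            # attributes already verified upstream
    source_ip: str
    device_id: Optional[str] = None
    cookie: Optional[str] = None


@dataclass
class Decision:
    score: float
    granted: bool
    reasons: List[str] = field(default_factory=list)


def context_signals(req: AuthRequest) -> Dict[str, bool]:
    """Evaluate each contextual characteristic as present or absent."""
    ip = ip_address(req.source_ip)
    return {
        "known_network": any(ip in net for net in KNOWN_NETWORKS),
        "known_device": req.device_id in KNOWN_DEVICES,
        "valid_session_cookie": req.cookie in VALID_COOKIES,
    }


def trust_score(req: AuthRequest) -> Decision:
    """Sum attribute and context weights; grant if the total clears THRESHOLD."""
    score = 0.0
    reasons: List[str] = []
    for factor in req.factors:
        weight = FACTOR_WEIGHTS.get(factor)
        if weight is None:
            # Unknown factor names add nothing rather than being trusted.
            reasons.append(f"ignored unknown factor {factor}")
            continue
        score += weight
        reasons.append(f"{factor}:+{weight}")
    for name, present in context_signals(req).items():
        if present:
            score += CONTEXT_WEIGHTS[name]
            reasons.append(f"{name}:+{CONTEXT_WEIGHTS[name]}")
    return Decision(score=score, granted=score >= THRESHOLD, reasons=reasons)


if __name__ == "__main__":
    legacy_only = AuthRequest(factors=["password_8char"], source_ip="203.0.113.5")
    legacy_with_context = AuthRequest(
        factors=["password_8char"], source_ip="192.0.2.10", device_id="dev-a1b2c3"
    )
    for req in (legacy_only, legacy_with_context):
        d = trust_score(req)
        print(f"score={d.score} granted={d.granted} reasons={d.reasons}")
```

The point of the weighted form is that a decision point can keep accepting the old application's weak secret while refusing to treat it as sufficient on its own; context raises the score only when the connection, device or session is already known to the organisation, and an unrecognised factor name contributes nothing.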
