Business PME, Monday March 22nd 2010

Multifactor authentication



The authentication factors for humans are generally classified into three categories:

* Something the user is (e.g., fingerprint or retinal pattern, DNA sequence (there are assorted definitions of what is sufficient), voice pattern (again several definitions), signature recognition, unique bio-electric signals produced by the living body, or other biometric identifier)

* Something the user has (e.g., ID card, security token, software token or cell phone)

* Something the user knows (e.g., a password, a pass phrase or a personal identification number (PIN))

Sometimes a combination of methods is used, e.g., a bank card and a PIN, in which case the term 'two-factor authentication' is used.

Historically, fingerprints have been used as the most authoritative method of authentication, but recent court cases in the US and elsewhere have raised fundamental doubts about fingerprint reliability. Other biometric methods are promising (retinal and fingerprint scans are an example), but have shown themselves to be easily spoofable in practice.

In a computer data context, cryptographic methods have been developed (see digital signature and challenge-response authentication) which are currently not spoofable if (and only if) the originator's key has not been compromised. Whether the originator (or anyone other than an attacker) knows about a compromise is irrelevant.

It is not known whether these cryptographically based authentication methods are provably secure, since unanticipated mathematical developments may make them vulnerable to attack in the future. If that were to occur, it could call into question much of the authentication done in the past. In particular, a digitally signed contract may be questioned when a new attack on the cryptography underlying the signature is discovered.

eAuthentication

eAuthentication was defined by Arnnei Speiser in 2003 as the web-based service that provides authentication to end users accessing (logging into) an Internet service.

eAuthentication is similar to credit card verification for eCommerce web sites. The verification is done by a dedicated service that receives the input and returns a success or fail indication.

For example, an end user wishes to enter his eBuy or eTrade web site. He gets the login web page and is required to enter his user ID and a password or, on the more secure sites, his one-time password. The information is transmitted to the eAuthentication service as a query. If the service returns Success, the end user is permitted into the eTrade service with his privileges as a user.
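
The query described above can be sketched as a small verification service. This is an added example, not code from the original article or from any eAuthentication product. It assumes the site asks for both a password (something the user knows) and a one-time password from a token (something the user has), and that the one-time password is a time-based HOTP code (RFC 4226/6238). The class `EAuthService` and its method names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class EAuthService:
    """Hypothetical verification service: answers each query with Success or Fail."""
    STEP = 30  # seconds per one-time-password time step (RFC 6238 default)

    def __init__(self):
        self._users = {}      # user_id -> (salt, password_hash, otp_secret)
        self._last_step = {}  # user_id -> last accepted time step (replay guard)

    def enroll(self, user_id: str, password: str, otp_secret: bytes) -> None:
        salt = os.urandom(16)
        self._users[user_id] = (salt, _hash_password(password, salt), otp_secret)

    def query(self, user_id: str, password: str, otp: str, now: float) -> str:
        record = self._users.get(user_id)
        if record is None:
            return "Fail"  # same answer as a bad password: no user enumeration
        salt, pw_hash, otp_secret = record
        knows = hmac.compare_digest(pw_hash, _hash_password(password, salt))
        current = int(now) // self.STEP
        matched = None
        # Accept the previous, current and next step to tolerate clock drift.
        for step in range(max(current - 1, 0), current + 2):
            if hmac.compare_digest(hotp(otp_secret, step).encode(), otp.encode()):
                matched = step
        has = matched is not None and matched > self._last_step.get(user_id, -1)
        if knows and has:
            self._last_step[user_id] = matched  # a one-time password is used once
            return "Success"
        return "Fail"
```

The login page only ever sees the Success or Fail answer, so the password hash and the token secret stay inside the service.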

Copyright 2008 - France BtoB from Wikipédia