In the previous post we level-set, and I discussed how CISA has classified "single" factor authentication (aka passwords alone) as a bad practice. We also reviewed at a high level what MFA is and the major components that comprise it, such as what a factor is and the three common types of factors.

For a quick review, remember that when I say "factor" you can think of it as "proof" of your identity. After all, we are discussing multi-factor authentication, and authentication is the act of providing proof (generally speaking) of your identity.

What are knowledge factors?

Knowledge factors are objects that you know. To expand on this vague description with examples, most of us can remember a time when we provided knowledge factors while signing into a bank account or an HR system. Mother's maiden name? What street did you grow up on? Model of first car? All of these are knowledge factors.

It's important to notice what is not in there: a physical token or key card. Also not included are your fingerprints, facial recognition, or a one-time password (OTP). These are factors, but they are not knowledge factors.


In short, knowledge factors are objects of information that you know. You can't get a knowledge object from a device spitting out 8-digit PINs, and you can't use your finger or face to provide a knowledge factor.

In the next post I will jump into possession factors.