Standards and guidelines that classify authentication methods generally lack a clear basisThe familiar triplet of authentication factors (that isdistinct kinds of authentication) is part of the canon of information security. However, simply counting authentication factors doesn’t tell us much about the strength of any authentication methodMany end users, vendors and regulators use “two-factor authentication” without a clear understanding or definition of the termAny “two factor” method is not automatically good enough, nor is any “single