Lesson 2 of 13
Proving who you are
Explain how a system checks you are who you claim to be — the three factors.
01 · Learn · the idea
A website cannot see you. When you log in, it has no idea whether the person at the keyboard is you or a stranger who found your details. All it has is a claim — “I am this account” — and some proof attached to it. The entire question of who gets in comes down to how good that proof is. This is authentication: a system checking that you are who you say you are. Get this idea straight and half of security falls into place.
Identity is a claim; proof is the test
Typing a username is just claiming an identity. Anyone can claim to be you. The username is not a secret — it is often your email, printed on every message you send.
So the claim is free. What guards the account is the proof the system demands next. That proof is the only thing standing between your account and anyone who knows your email. The whole craft of logging in safely is the craft of demanding proof that is easy for you and hard for an impostor.
Three kinds of proof
There are only three families of proof a system can ask for. Every login method ever invented is one of these, or a mix.
Something you know — a password, a PIN, the answer to a secret question. It lives in your head. Its weakness: a thing you know can be guessed, stolen in a leak, watched over your shoulder, or talked out of you.
Something you have — your phone, a little code generator, a plug-in security key, a bank card. It is a physical object in your possession. Its weakness: an object can be lost, stolen, or sometimes copied. To misuse most of them the attacker has to get hold of the object itself. The weak member of this family is a code sent by text message: that code can be redirected to a thief's phone without anyone ever touching yours, which is why a code app or a security key is the better choice when you are offered one.
Something you are — a fingerprint, a face, a voice. This is biometrics: proof built from your body. Its strength is convenience — you cannot forget your finger. Its weakness is permanent: if a fingerprint is ever copied, you cannot change it. You only get ten, and never any new ones.
Know, have, are. That is the whole alphabet of proof.
Why one kind is never enough
Each family has a hole, and the holes are different — which is exactly the point.
A password (know) can leak in a database breach without you ever noticing. A phone (have) can be stolen, but the thief still has to physically take it. A face (are) is hard to fake but impossible to reset once it has been copied. No single family is safe, because each can fail on its own.
The trick is to demand proof from two different families at once. Now an attacker has to beat two unrelated holes in the same moment. The crook who phished your password still needs your physical phone. The pickpocket with your phone still needs the password in your head. Each proof covers the other’s weakness. This is the heart of two-factor login, and we give it a full lesson later.
One warning that catches people out: two proofs of the same family is not two factors. A password plus a memorable secret question is still two things you know — one leak, one shoulder-surf, and both are gone. Strength comes from mixing the families, not from stacking more of one.
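To see the server's side of this, here is an added example written for this page (it is not part of the lesson): a login routine that checks a password against a stored salted hash (something you know) and a six-digit time-based code against a seed that was shared with the user's phone at enrolment (something you have). The account record, the seed and the password are constructed for illustration, and the user store is a toy in-memory dictionary. Both proofs are always checked and both must pass, so an attacker holding only the phished password, or only the stolen phone, is refused.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# --- Something you know: the password, kept only as a salted hash ---

def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). The server stores these, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def check_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)   # constant-time comparison


# --- Something you have: a seed that lives in the phone's code app ---

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Standard time-based one-time code (RFC 6238 on top of RFC 4226 arithmetic)."""
    counter = struct.pack(">Q", at // step)                 # which 30-second slot we are in
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def check_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current slot plus `window` slots either side, to tolerate clock drift."""
    if not (code.isascii() and code.isdigit()):
        return False
    return any(hmac.compare_digest(totp(secret, at + k * 30), code)
               for k in range(-window, window + 1))


# --- A constructed account record (assumption: a toy in-memory user store) ---

_SALT, _HASH = hash_password("correct horse battery staple")   # constructed sample password
ACCOUNT = {
    "username": "alice@example.com",        # the claim; not a secret
    "salt": _SALT,
    "password_hash": _HASH,
    "totp_secret": b"12345678901234567890",  # constructed seed, shared with Alice's phone at enrolment
}


def login(username: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """True only when BOTH families of proof check out: know AND have."""
    now = int(time.time()) if now is None else now
    if username != ACCOUNT["username"]:
        return False
    know_ok = check_password(password, ACCOUNT["salt"], ACCOUNT["password_hash"])
    have_ok = check_totp(ACCOUNT["totp_secret"], code, now)   # evaluated even if the password failed
    return know_ok and have_ok


if __name__ == "__main__":
    now = int(time.time())
    shown_on_phone = totp(ACCOUNT["totp_secret"], now)        # what Alice's phone displays right now
    print("Alice, password + phone:", login("alice@example.com", "correct horse battery staple", shown_on_phone, now))
    print("phisher, password only :", login("alice@example.com", "correct horse battery staple", "000000", now))
    print("pickpocket, phone only :", login("alice@example.com", "guess1234", shown_on_phone, now))
```

Two design points are worth noticing. The server never holds the password, only a hash it can check against, so a breach of this table does not hand out the "know" proof directly; the phone's seed, by contrast, must be stored in usable form, which is why it matters that it is a different family of proof rather than a second secret in the user's head. And if the "security question" answer from the warning above were stored in the same record beside the password hash, one breach of that record would expose both: the same table, the same family, the same single point of failure.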
A worked example: the cash machine
You already use two factors every day without naming it. A cash machine asks for your card — something you have — and your PIN — something you know.
Walk through why that pairing is strong. A thief who steals your card has the “have” but not the “know”; the card is a useless rectangle without the four digits. A nosy neighbour who watches you type your PIN has the “know” but not the “have”; the number is useless without the card in hand. To take your cash, someone needs both at the same time — the physical card and the secret in your head. Two families, two different things to defeat. That is why a stolen card alone rarely empties an account.
A passport at a border is the same shape: a document you have plus a face you are. Two families again.
On the whole
Every gate you pass through online is asking the same quiet question: can you prove the claim? And the answer is only ever one of three kinds of proof, or a mix — something you know, something you have, something you are.
Seeing authentication this clearly changes how you read every security choice you meet. A login with only a password is leaning its whole weight on one family, the leakiest one. Adding a code from your phone is not fussy extra security theatre — it is closing a different hole with a different kind of proof. You are one identity standing inside a vast web of systems that have never met you and never will. The proof you offer is the only “you” they can see.
02 · Try · the lab
03 · Check · quick quiz
1. A login asks for your password and then the answer to 'What was your first school?'. How many factor families is that?
- One family — both are 'something you know', so a single leak can defeat both
- Two factors — that's strong two-factor login
- Three factors — password, question, and answer
- Two factors, because they are two separate boxes to type in
Answer
One family — both are 'something you know', so a single leak can defeat both — Both a password and a secret answer are 'something you know'. Stacking two of the same family isn't real two-factor — one breach or one shoulder-surf can take both. Strength comes from mixing different families.
2. Why is a fingerprint a riskier secret to have leaked than a password?
- Fingerprints are easier to guess than passwords
- A password can be changed after a leak; a fingerprint is permanent and can never be reset
- Fingerprints aren't really used for security
- A leaked password is actually worse
Answer
A password can be changed after a leak; a fingerprint is permanent and can never be reset — Biometrics are 'something you are'. Their convenience is that you can't forget them — but that's also the danger. If a fingerprint is ever copied, you can't issue a new one. You only get ten, for life.
3. A cash machine asks for your card and your PIN. Why does this stop a thief who steals just your card?
- The card is encrypted so it can't be read
- Cash machines photograph every user
- The card alone is 'something you have'; without the PIN ('something you know'), they're missing a second, different family of proof
- The card stops working the moment it's reported stolen, instantly
Answer
The card alone is 'something you have'; without the PIN ('something you know'), they're missing a second, different family of proof — Card plus PIN is two different families — have plus know. A stolen card covers only one; the thief still needs the secret in your head. Each proof covers the other's weakness, which is why combining families is strong.