“First, Englander recommended using true multifactor authentication (MFA) incorporating biometrics as one of three factors for authentication. But true MFA, he warned, requires at least three factors: one each of inherence, the “what you are,” or biometric factor; knowledge, or “what you know,” usually a password; and possession, or “what you have,” usually a token of some sort. “Without all three, it’s not true MFA.”
“Three is better than one,” Englander said, noting that if you have three factors, even if the biometric factor has been compromised, the other factors can change. If the only factor being considered is the biometric, that is not safe, but even when a compromised biometric is used with two other factors, they all together can produce a strongly authenticated result even if none of the individual factors by themselves can be fully trusted.
“All these things together by themselves aren’t super secure but if you put them together they’re fantastically secure.””