Key insight
A password is one proof, and one proof is easy to steal. Multi-factor authentication asks for a second proof of a different kind — something you know, something you have, something you are — so one theft is no longer enough. Not all factors are equal, and an AI agent's version is a short-lived, non-copyable credential plus continuous verification.
Authentication just means proving you are who you claim to be. A password is one way to prove it — but a password is only knowledge, and knowledge can be stolen, guessed, or tricked out of you without your ever knowing. Multi-factor authentication fixes this by asking for more than one different kind of proof, so that stealing just one is no longer enough. This article explains the three kinds of proof, why mixing them is the whole point, and what all this means for AI agents.
1 · Authentication, and why one proof is weak
A single password is a single point of failure: capture it once — by guessing, by a leaked database, or by a convincing fake login page — and the attacker is indistinguishable from you. Nothing about a password proves the person typing it is actually you; it only proves that whoever typed it knows it. That is the gap multi-factor authentication is built to close.
2 · The three kinds of proof
- Something you know. A password or a personal identification number (PIN) — a secret held in your head.
- Something you have. Your actual phone, or a small physical security key — an object in your possession.
- Something you are. Your fingerprint or your face — a physical characteristic of your body.
3 · Why mixing categories is the whole point
The power comes specifically from combining kinds that are different from one another. A password plus a code from your phone is strong because an attacker would need to both steal your password and physically possess your phone — two very different thefts that are hard to pull off together. Two passwords, by contrast, are not multi-factor at all, because they are both the same kind of proof — both just knowledge — so a single trick, like one fake login page, can capture both at once. “Multi” here means multiple categories, not merely multiple secrets.
4 · Why not all second factors are equally strong
Adding a second factor helps, but the choice of second factor matters. A code sent by text message is far better than nothing, but it can be intercepted or phished — a fake login page can simply ask you to type the code too, and relay it. A physical security key that must be tapped is much harder to fool, because it proves possession in a way a remote attacker cannot fake and, importantly, it refuses to hand its proof to a fake website at all. So “we have multi-factor” is a good start, but “which second factor” is the follow-up question that decides how strong it really is.
5 · A worked example: one stolen password, stopped
An attacker phishes an employee’s password through a convincing fake login page. With only a password protecting the account, they are now in. With multi-factor authentication using a physical security key, they are not: the account also demands proof of possession of the employee’s key, which the attacker does not have and cannot obtain remotely. The stolen password, which was the whole prize a moment ago, is suddenly worth very little on its own. That is the entire point — a single stolen secret is no longer enough to get in.
6 · What multi-factor means for an AI agent
An AI agent has no fingers to tap a phone and no face to scan, so the human form of multi-factor does not apply directly — but the underlying principle does. An agent’s version of “something you have” is a securely stored credential unique to it, ideally one that is short-lived and cannot be copied out of where it lives. And an agent’s version of proving identity on every action is continuous verification — checking the agent’s identity and the specific request on every call, rather than trusting a single one-time login. The principle carries over exactly: never let a single stolen secret be enough, for a person or for an agent.
7 · A simple test you can run this week
1. Pick one important account, or one AI agent’s access.
2. Ask: if its single main secret were stolen today, would that alone be enough to get in?
3. If yes, it is single-factor — add a second factor of a different kind.
4. For factors you already have, ask whether they are phishable (text code) or phishing-resistant (security key).
8 · Glossary — every short-form term, spelled out
- Authentication
- Proving you are who you claim to be.
- Multi-factor authentication (MFA)
- Requiring more than one different kind of proof of identity, so stealing one is not enough.
- Factor
- One kind of proof — something you know, something you have, or something you are.
- PIN (personal identification number)
- A short numeric secret; a "something you know" factor.
- Phishing-resistant factor
- A second factor, like a physical security key, that a fake login page cannot trick out of you.
- AI agent
- Software that decides, on its own, which tools to call and which actions to take in order to complete a task.
Authentication proves who you are; a password alone is one proof and easy to steal.
Three kinds of proof: something you know, something you have, something you are.
Strength comes from mixing categories — two passwords are not multi-factor.
Not all second factors are equal (a texted code is phishable; a security key is not), and an AI agent's version is a short-lived, non-copyable credential plus continuous verification.
References
- NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, National Institute of Standards and Technology. csrc.nist.gov