Is a fingerprint or face scan an example of 'something you know'?
Short answer
No. The three authentication factor categories are something you know (password/PIN), something you have (token/phone), and something you are (biometrics). A fingerprint or face scan is 'something you are', a measured physical trait. The gotcha: biometrics aren't secrets and can't be rotated — if your fingerprint template leaks, you cannot change your fingerprint. That's why biometrics work best as one factor, often unlocking a local key, rather than as a standalone password replacement.
The trick here is the seductive logic that "my fingerprint is part of me, so I know it." That reasoning collapses the moment you look at how the three authentication factor categories are actually defined.
The three factor categories
Authentication factors are grouped by what kind of thing proves your identity:
- Something you know — a secret in your head: a password, a PIN, an answer to a security question.
- Something you have — a physical possession: a hardware token, a smartphone running an authenticator app, a smart card.
- Something you are — an inherent physical or behavioral trait: a fingerprint, a face geometry, an iris pattern, a voiceprint.
A fingerprint or face scan is measured by a sensor, not recalled from memory. It belongs squarely in something you are. Calling it "knowledge stored in your body" is a category error.
Why the distinction matters
The category isn't trivia — it changes the security properties. A password is a secret you can rotate: leak it, and you change it. A biometric is a trait you cannot rotate. If a fingerprint template is stolen from a database, you cannot issue yourself a new fingerprint. That permanence is exactly why a biometric makes a poor standalone secret.
This is also why well-designed systems don't transmit your raw fingerprint over the network. On a phone, the biometric is matched locally and used to unlock a cryptographic key held in secure hardware; the key, not your print, authenticates you. The biometric is a convenient gate, not the secret itself.
How to use biometrics well
Treat a biometric as one factor among several, ideally paired with something you have (the device) and something you know (a PIN as fallback). True MFA requires factors from different categories — stacking a fingerprint and a face scan is still just "something you are." Used this way, biometrics add strong, user-friendly assurance without pretending to be a rotatable secret.
Likely follow-ups
- Why is 'you can't rotate a leaked biometric' such an important property?
- How does a phone's fingerprint unlock actually protect a local key rather than transmit your print?
- When would combining a biometric with a PIN still count as only one factor?