> 3. Something you are (fingerprint, face, DNA, etc).
Add to that your mom's maiden name, your parents' names, and you get the point; in an authentication system, "something you are" would be better used as user names rather than passwords, because users can't change them. Once they're public, irrecoverable attacks may happen.
There are 3 categories of authentication inputs.
(1) Something users cannot change
(2) Something users can change
(3) Something the service owners or system admins can change, including time-synchronized codes.
You'd better use 1 as usernames, 2 & 3 as passwords.
Fingerprints can be changed as easily as a username. Simply never use the "raw" fingerprint output of the device, instead XOR it with some key (like either something from factors 2 or 3, or simply a static key).
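The XOR idea from the reply above, sketched as an added example (not code from any poster in this thread). It assumes the reader's output can be modelled as a fixed-length bit string compared by Hamming distance; the threshold, keys, sample data and all function names are constructed for illustration.

```python
import hashlib
import hmac

MATCH_THRESHOLD = 0.10  # assumed: max fraction of differing bits for a match

def mask_for(key: bytes, nbytes: int) -> bytes:
    """Stretch the key to template length (HMAC-SHA256 in counter mode)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]

def protect(raw: bytes, key: bytes) -> bytes:
    """XOR the raw reader output with the key-derived mask."""
    return bytes(r ^ m for r, m in zip(raw, mask_for(key, len(raw))))

def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of bit positions in which two equal-length templates differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))

def matches(stored: bytes, fresh_raw: bytes, key: bytes) -> bool:
    """Mask the fresh reading with the same key, then compare to the record."""
    return hamming_fraction(stored, protect(fresh_raw, key)) <= MATCH_THRESHOLD

def flip_bits(data: bytes, positions) -> bytes:
    """Simulate sensor noise by flipping the given bit positions."""
    out = bytearray(data)
    for p in positions:
        out[p // 8] ^= 1 << (p % 8)
    return bytes(out)

# Constructed sample data: a 256-bit stand-in for a reader's output.
RAW = hashlib.sha256(b"constructed enrollment reading").digest()
NOISY = flip_bits(RAW, [3, 70, 141, 200])  # same finger, 4 noisy bits
KEY_V1, KEY_V2 = b"constructed key v1", b"constructed key v2"

def demo():
    stored_v1 = protect(RAW, KEY_V1)               # enrollment record
    ok_before = matches(stored_v1, NOISY, KEY_V1)  # normal login
    stored_v2 = protect(RAW, KEY_V2)               # re-enroll under a new key
    old_rejected = not matches(stored_v1, NOISY, KEY_V2)  # old record is stale
    ok_after = matches(stored_v2, NOISY, KEY_V2)
    return ok_before, old_rejected, ok_after

if __name__ == "__main__":
    print(demo())
```

XOR with a fixed mask preserves Hamming distance, which is why noisy readings still match under the same key. The stored record XORed with a raw reading yields the mask, so the key has to live apart from the template store.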