A bedrock element of IT security involves granting and restricting access. When we think of access, we generally think of user names, PINs, and passwords — the mainstays of identity authentication in the information age. We use them all the time throughout the course of the day: accessing our devices, networks, local applications, and cloud apps.
For people who spend a lot of time thinking about information security, things like passwords, user names, and security questions constitute one type (one factor) of authentication. Namely, these are all things the user knows.
The federal government recognizes three distinct authentication factors: things you know (passwords, answers to security questions), things you have (keys, swipe cards), and things you are (physical traits such as eye color or fingerprints). Adding a second factor offers a significant jump in security. A third factor — facial recognition or iris scan, for example — offers an even greater deterrent against unauthorized access. Military and intelligence agency networks are often guarded by three-factor authentication.
For a network or application to qualify as having “multi-factor authentication,” the user must be required to clear two out of three authentication factors.
There’s a lot of confusion about what qualifies as multi-factor authentication and what doesn’t. For example, if you’re required to type seven passwords to access an application, there’s still only one factor of authentication between you and the app — that’s because those passwords are all things you know.
Now to Facebook. Recently, the social network rolled out a multi-factor authentication process, which it calls “log-in approval.” When a Facebook user tries to access her account from an unrecognized computer, Facebook sends a unique, one-time code via text message to her mobile device. She then inputs the validation code and is granted access to the social network.
At first blush, this looks a lot like single-factor authentication. The code is another bit of information the user knows, right? The difference is that the user must have her cell phone in order to receive the randomly generated code. With two out of three factors, Facebook’s “log-in approval” scheme meets the multi-factor standard.
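The flow described above can be sketched as follows. This is an added example, not Facebook's code or part of the original article; the class and method names, the six-digit code, the five-minute lifetime, and the `outbox` list standing in for the SMS gateway are all assumptions.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300  # assumed code lifetime in seconds; the article gives none

class LoginApproval:
    """Password (something you know) plus a one-time code delivered to the
    enrolled phone (something you have). All names here are hypothetical."""

    def __init__(self, password, known_devices):
        self._salt = secrets.token_bytes(16)
        self._pw = self._hash(password)
        self.known_devices = set(known_devices)
        self.outbox = []       # stands in for the SMS gateway to the phone
        self._pending = None   # (code, expiry, device_id) awaiting approval

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password, device_id, now=None):
        now = time.time() if now is None else now
        if not hmac.compare_digest(self._hash(password), self._pw):
            return "denied"                      # first factor failed
        if device_id in self.known_devices:
            return "granted"                     # recognized computer
        code = f"{secrets.randbelow(10**6):06d}" # CSPRNG, not random.random()
        self._pending = (code, now + CODE_TTL, device_id)
        self.outbox.append(code)                 # only the phone holder sees it
        return "code_sent"

    def approve(self, code, device_id, now=None):
        now = time.time() if now is None else now
        # Consume the pending code on every attempt: it cannot be replayed,
        # and a wrong guess forces a fresh login and a fresh code.
        pending, self._pending = self._pending, None
        if pending is None:
            return "denied"
        expected, expiry, dev = pending
        ok = (now <= expiry and dev == device_id
              and hmac.compare_digest(code.encode(), expected.encode()))
        return "granted" if ok else "denied"

if __name__ == "__main__":
    svc = LoginApproval("correct horse", {"home-laptop"})  # constructed data
    print(svc.login("correct horse", "cafe-pc"))           # code_sent
    print(svc.approve(svc.outbox[-1], "cafe-pc"))          # granted
```

The code itself is typed in like a password, but it only counts as a second factor because it is random, short-lived, single-use, and delivered out of band to the phone.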
We’ll conclude with a question for you to ponder: Would you feel more secure or less secure if Facebook rolled out three-factor authentication?