Use of a second factor of a different type, either immediately after applying the first one or when needed.

Factors

  1. Knowledge (password)
  2. Possession (ID card, security token, smartphone or other device)
  3. Inherence (biometric, behavior)
  4. Location
  5. Time

Applications/scenarios

More secure authentication

Permission escalation

Remote vetting

Elements

Our scope

1st - Password

2nd - Possession or inherence (what about knowledge from device-based out-of-band communication, software tokens, etc.?)

scenario?

with whom?