There is this nice diagram illustrating the various authentication mechanism.
2. Something you have (for example, a mobile phone or a token).
3. Something you are (for example, a fingerprint or other biometric data).
Generally, combining multiple authentication factors results in a higher Level of Assurance (LoA) that the individual attempting to authenticate is actually the individual in question. Because even if one of the factors has been compromised, the chances of the other factor also being compromised are low.
Authentication mechanisms can also be distinguished by whether they use the same channel where the user accesses the application, or a separate channel that’s dedicated for authentication.
In the market today, there is yet another type of authentication which is picking up traction - Risk Authentication.
I have this nice diagram from CA Risk Authentication data sheet.
CA Risk Authentication can detect suspicious activity for consumer and enterprise online services without burdening users. This multi-channel risk assessment solution transparently detects and prevents fraud before losses occur.
This usually works together with MFA solutions for Step-Up Authentication.
Technical aside, what's the business case for using MFA and Risk Authentication?
Compliance regulations and industry guidelines are increasing their emphasis on stronger authentication to protect data. Organizations do not want to deploy overbearing authentication systems that require repetitive user interaction because of the negative affect on user experience, which impacts both the adoption of online services and customer loyalty.
The overall challenge is to detect and block fraudulent activity before losses occur with minimal impact to users.