[u801e]

> How do two parties mutually verify, authenticate each other online?

We verify the server's identity though it's public certificate that's signed by a certificate authority. The server can verify the client's identity via a public client certificate that's signed by an authority the server trusts. It's already possible to do this over a TLS connection.

[specialist]

Sorry, I wasn't being clear.

If the finger print is what you are, and password is what you know, then what is the "what you have"?

Mostly I'm curious if that sci-fi books' "three factor auth" scheme (because I don't know what else to call it) is a feasible model.

[u801e]

> If the finger print is what you are, and password is what you know, then what is the "what you have"?

One possible form of "three factor auth" would be to use a passphrase for the private key, the client certificate to connect with the server over TLS, and a username/password login at the application level.

The certificate/certificate fingerprint is what you have, the password and passphrase are two things that you know. I don't know what would fit under the "what you are" category though (unless you're considering some sort of biometric based method).