[nsheridan]

An SSH private key isn't "something you have" - it's not a physical object, you can make copies of it.

To me it falls into "something you know". You might not be able to type it from memory into a file but in practical terms it's no different to a password, it just usually happens to reside on disk.

[mstolpm]

A physical key to your front door is a physical object and something you own - but you can still make copies of it. Someone else can even make a copy from a photo of the key. Google authenticator was (until recently) the only app I know that made it very hard to copy the OAuth secret to another device, lots of other OAuth apps made it a feature to sync/backup your keys.

I can't think of a lot of security factors (besides perhaps biometrics) where copying is really impossible. Its just not economic.

[growse]

Very little is "impossible". The point of developing a good second factor is to have a design that makes it economically infeasible to copy. Like a good HSM.

[charcircuit]

A physical key is something you know too if it can be copied. It's just now the thing you know is the bitting of the key.

[saltcured]

This seems like a pretty significant semantic shift from what multi-factor originally meant. I think the real problem here is that the original idea of factors came from an environment where a person is being authorized for physical access to a controlled facility and the factors are being checked by a trusted deputy of the relying party. The different factors really mean something when you are being checked at a facility gate.

What you "know" is held in your mind and up to your will whether to divulge or not. You might not have a choice if put under duress.

What you "have" is possessed on your person and you may choose to present it but you may be forced to reveal it in a search. You may have had a choice as to which possessions to carry with you to the facility or which to hide and disavow.

What you "are" are passively observable characteristics of yourself that the facility may choose to measure and which may be difficult for an imposter to replicate. You would probably be unable to withhold these characteristics.

Once we water this down into a remote access to a website, these factors become vague analogies. In the end, the website is only able to observe information from the local user agent. How much can the website deputize end-user equipment and trust it to make any of these distinctions on its behalf?

What you know and what you have start to blur together as different grades of information. There may be no real way for the website to distinguish whether it came from your mind or from some storage or communication device in your possession.

What you are and what you have start to blur together as well. There may be no way for the website to distinguish how you protected your possessions (i.e. via biometrics or PIN), or whether you involved other parties who helped with this.

[vasco]

It is something you have, the machine where the file is. It's only something you know if the only way for me to steal it from you is to threaten you to say it. If I can just yank your open laptop from your lap in a cafe, it's something you have.

[charcircuit]

If you are able to copy it off the laptop it becomes something you know. One important property about something you have is that you the owner of the account have that thing in your possession then no one can hack you. If someone is able to copy it then that invariant is not true.

Writing your password on a piece of paper doesn't turn that password into something you have.

[vasco]

It literally does. Now whoever _has_ that piece of paper can get to your account. A physical piece of paper with a password written on it is no different from a physical key. Unless you're going to say that if you memorise the indentations on your house key then your key is "something you know" too.

[charcircuit]

If the attacker screenshots the note they can login to your account without HAVING that note. Yes, a house key is something you know.