Knowledge + Possession are relatively easy factors to achieve. Using a TOTP system with a phone or other device, via either a text or a client installed on the device, is a pretty good way to achieve the Possession factor. Unfortunately, the "Inference" factor is more difficult. Biometric access for Web applications, using fingerprint, facial recognition, or voice recognition, is a challenge to achieve and be functionally useful. Voice is the most promising but, at this point, requires significant hardware investment for the processing and comparison.
I definitely want to look into 3FA, or even enabling something like a Time and/or Location-based authentication mechanism. It will likely be an optional item that can be activated on an account-by-account basis, if we decide to include it. If you have any thoughts on doing 3FA, please let us know.
Justin R. Donnaruma
I'm no expert on it and a lot of people think it is probably overkill. I am aware of it being used in quite a lot of high-security facilities dealing with, for example, medical research, and there is even 4FA (where they might add location factors to biometrics) for super high-risk stuff (dealing with dangerous agents/microbes etc.). It is only a matter of time before someone starts implementing it for more common applications. A more basic way would be using existing fingerprint scanners on phones and tablets, as this is already quite well implemented. The location- or proximity-based approach could also be effective if the biometric approach isn't viable yet.