While we assign authenticators into three common categories, it is important to keep in mind that these categories are somewhat loosely defined. Passwords are normally considered ‘what you know’ authenticators, but if you write it down and refer to the paper instead of memory does it become a ‘what you have’ factor? If a system authenticates using keyboard dynamics to monitor the rhythm and speed of your typing is that relying on ‘what you are’ or ‘what you know’? There can be some reasonable disagreement when deciding how to classify specific authenticators.

Location initially seems like it could be a fourth factor, but is it really? How does a system know your location? It likely relies on coordinates or address (either physical or IP) data provided by a device. Is that data then ‘what you know’ since someone else with that same data can duplicate that factor on their own device? Is it ‘what you have’ since the system relies on the trustworthiness of a device to provide legitimate data? We have to decide whether location is distinct enough to be considered its own independent factor category.

I do think it is important to make a distinction about what constitutes a factor since we use terms like “multi-factor authentication” to indicate the benefits of certain systems. Is it multi-factor if you log into a system with a password from an IP address that is associated with past logins? If we consider location a fourth factor then the answer is yes. However, I haven’t seen many people characterize this as a multi-factor authentication system.

In the paper CASA: Context-Aware Scalable Authentication the authors agree that location data can serve as a factor in the authentication process, but specifically define it as a “passive” factor. They distinguish between “passive” factors and “active” factors that require user interaction (e.g. passwords, fingerprint scans, etc.). This seems like a good way to separate out what are true authentication factors from other data that can be used to help make authentication decisions.

In my opinion location data shouldn’t be considered a fourth factor, but that doesn't prevent it from being useful during the authentication process.