Strong authentication means a user provides two or more of the following when requesting access:
- Something only the user has (a token in mobile app)
- Something only the user knows (a 4 digit pin)
- Somewhere the user is (a known time or place)
For maximum security you should ideally authenticate with something you know, something you have, and something you are. Typically that would be a password, a physical device of some sort, and a biometric like a fingerprint. For the moment the industry appears to be content with just two factor authentication, which could be any two out of these three.