'what you know, what you have, what you are' are used in classic authentication. 'what you know', typically are the knowledge only you should know, like password. 'what you have' are the things only you should have, like key card, MFA,. 'what you are' are some biological identities, like your finger print.

Banks servers ordinary people and most useful way to identify those people are 'what you know'. DOB are the most commonly used.

some banks and other organizations start to give up 'what you know' as most people give up too much personal information over social media and bad guys can easily acquire them. now they transfer 'what you have'. like sending you a message and you have to click the link to prove you are the person who you claimed.