Multi-factor authentication

Multi-factor authentication is a method of multi-faceted access control which a user can
pass by successfully presenting authentication factors from at least two of the
three categories:
• knowledge factors (“things only the user knows”), such as passwords or passcodes;
• possession factors (“things only the user has”), such as ATM cards or hardware tokens; and
• inherence factors (“things only the user is”), such as biometrics (e.g. a fingerprint or retina scan).
Knowledge factors are
the most commonly used form of authentication. In this form, the user is
required to prove knowledge of a secret in order to authenticate, such as a
password.
A password is a secret
word or string of characters that is used for user authentication. This is the
most commonly used mechanism of authentication. Many multi-factor
authentication techniques rely on a password as one factor of authentication.
Variations include both longer ones formed from multiple words (a passphrase)
and the shorter, purely numeric, personal identification number (PIN) commonly
used for ATM access. Traditionally, passwords are expected to be memorized.
Many secret questions,
such as “Where were you born?”, are poor examples of a knowledge factor because
they may be known to a wide group of people, or be able to be researched.
Possession factors
include both connected and disconnected tokens. Connected tokens are devices
that are physically connected to the computer to be used, and transmit data
automatically. There are a number of different types, including card readers,
wireless tags and USB tokens. Disconnected tokens have no connections to the
client computer. They typically use a built-in screen to display the generated
authentication data, which is manually typed in by the user.
Inherence factors are
usually associated with the user, and typically include biometric methods,
including fingerprint readers, retina scanners or voice recognition.
Requiring more than one
independent factor increases the difficulty of providing false credentials.
Two-factor authentication requires the use of two of three independent
authentication factors, as identified above. The number and the independence of
factors are important, since more independent factors imply higher probabilities
that the bearer of the identity credential actually does hold that identity.
Multi-factor
authentication is sometimes confused with “strong authentication”. However,
“strong authentication” and “multi-factor authentication” are fundamentally
different processes. Soliciting multiple answers to challenge questions can
typically be considered strong authentication, but, unless the process also
retrieves “something the user has” or “something the user is”, it is not considered
multi-factor authentication.
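The category rule above can be checked in code. The following is an added example, not part of the original text: it verifies each presented credential and counts the distinct factor categories proven, so a password plus a secret-question answer stays single-factor while a password plus a token code qualifies. It assumes the disconnected token generates its displayed code with HOTP (RFC 4226); the method names, account layout and sample values are hypothetical and constructed.

```python
import hashlib, hmac, struct

# Which category each method proves (method names are assumptions for this example).
CATEGORY = {"password": "knowledge", "secret_question": "knowledge",
            "hotp_token": "possession"}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the code a disconnected token would show on its screen."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_hotp(secret: bytes, counter: int, code: str, window: int = 3):
    """Return the next counter if the code matches within the look-ahead window."""
    for c in range(counter, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c).encode(), code.encode()):
            return c + 1
    return None

def kdf(secret: str, salt: bytes) -> bytes:
    """Derive the stored verifier for a knowledge factor (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def authenticate(account: dict, presented: dict) -> dict:
    """Verify every presented credential; count distinct categories proven."""
    proven, all_ok = set(), True
    for method, value in presented.items():
        if method in ("password", "secret_question"):
            ok = hmac.compare_digest(kdf(value, account["salt"]), account[method])
        elif method == "hotp_token":
            nxt = verify_hotp(account["token_secret"], account["counter"], value)
            ok = nxt is not None
            if ok:
                account["counter"] = nxt         # a used code cannot be replayed
        else:
            ok = False                           # unsupported method
        all_ok = all_ok and ok
        if ok:
            proven.add(CATEGORY[method])
    return {"categories": proven, "multi_factor": all_ok and len(proven) >= 2}

def sample_account() -> dict:
    """Constructed test account; the token secret is the RFC 4226 test key."""
    salt = b"constructed-salt"
    return {"salt": salt, "password": kdf("correct horse", salt),
            "secret_question": kdf("springfield", salt),
            "token_secret": b"12345678901234567890", "counter": 0}
```

Advancing the stored counter after a successful match is what makes a displayed code single-use; the look-ahead window tolerates codes generated on the token but never submitted.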