Multi-factor authentication

Multi-factor authentication, sometimes called strong authentication, extends two-factor authentication. It is the defense-in-depth principle of "security in layers" applied to authentication. Two-factor authentication involves exactly two factors, whereas multi-factor authentication involves two or more; every two-factor authentication is therefore a multi-factor authentication, but not the reverse.

Regulatory Definition

US federal regulators consistently recognize three authentication factors:

"Existing authentication methodologies involve three basic “factors”:
• Something the user knows (e.g., password, PIN);
• Something the user has (e.g., ATM card, smart card); and
• Something the user is (e.g., biometric characteristic, such as a fingerprint).
Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods." -- Federal Financial Institutions Examination Council (FFIEC)[1]

True multi-factor authentication

"True" multi-factor authentication requires elements from two or more of these categories. Supplying a user name ("something the user knows") and a password (also "something the user knows") is still single-factor authentication, despite the use of two distinct pieces of information. An example of true multi-factor authentication is requiring the user to insert a smart card into a smart card reader (something the user has) and enter a password (something the user knows). Requiring a valid fingerprint (something the user is) via a biometric fingerprint reader would add a third factor.

While validating the identity of the user, many online sites also try to prove the site's own authenticity to the user. These systems generally display an image and/or phrase previously selected by the user. The appearance of these elements gives the user some assurance that the site being viewed is the one they intended to reach, not a fraudulent site to which they may have been lured. Although this technique increases the overall security of the session, these elements are not part of the user authentication process and do not add an authentication factor.

Regulatory Compliance

Following the U.S. Federal Financial Institutions Examination Council's (FFIEC) publication [1] advising the use of multi-factor authentication, numerous vendors began offering authentication solutions to address this guidance. One of these approaches is the challenge/response technique, often coupled with a shared secret image. Since users see only requests for information in the "something the user knows" category, many people mistakenly categorize these programs as single-factor security. Most challenge/response systems, however, use a technique called device identification that relies on the user's PC as "something the user has." In its most effective form, device identification uses dozens of readily available attributes of the user's PC (operating system, browser, IP address, geo-location, and so on) to estimate the likelihood that the current user is the same person who previously accessed the system.
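The two ideas above, counting distinct factor categories (a user name plus a password is still one category) and scoring a "complex" device identification against an enrolled profile, as an added example that is not code from the original article or from any FFIEC publication. The attribute names, weights, the 0.8 recognition threshold, the salt and the sample device profiles are constructed assumptions for illustration only.

```python
"""Added example: factor-category tally plus complex device identification.
All profiles, weights and thresholds below are constructed assumptions."""
import hashlib
import hmac
from enum import Enum


class Factor(Enum):
    KNOWS = "something the user knows"
    HAS = "something the user has"
    IS = "something the user is"


def distinct_factors(evidence):
    """evidence is a list of (label, Factor) pairs; return the categories seen."""
    return {factor for _, factor in evidence}


def is_true_mfa(evidence):
    """'True' MFA needs two or more *categories*, not two items from one category."""
    return len(distinct_factors(evidence)) >= 2


# --- "something the user knows": salted password hash ----------------------
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_matches(password: str, salt: bytes, stored: bytes) -> bool:
    # constant-time comparison so a wrong guess does not leak how far it matched
    return hmac.compare_digest(hash_password(password, salt), stored)


# --- "something the user has": device identification -----------------------
# Assumed weights: network location is weighted higher than cosmetic attributes.
DEVICE_WEIGHTS = {
    "os": 2, "browser": 2, "ip_prefix": 3, "geo_country": 2,
    "timezone": 1, "screen": 1, "language": 1,
}


def simple_device_id(presented_cookie: str, enrolled_cookie: str) -> bool:
    """'Simple' identification: one device cookie, which travels with any copy of
    the browser state. Shown only to contrast with the complex form below."""
    return hmac.compare_digest(presented_cookie, enrolled_cookie)


def complex_device_score(observed: dict, enrolled: dict, weights=DEVICE_WEIGHTS) -> float:
    """'Complex' identification: weighted fraction of attributes that match the
    profile recorded at a previous login. A missing attribute is a mismatch."""
    total = sum(weights.values())
    matched = sum(w for k, w in weights.items()
                  if k in observed and k in enrolled and observed[k] == enrolled[k])
    return matched / total


def authenticate(password: str, observed_device: dict, account: dict,
                 device_threshold: float = 0.8) -> dict:
    """Collect evidence per category and report whether it amounts to true MFA."""
    evidence = []
    pw_ok = password_matches(password, account["salt"], account["pw_hash"])
    if pw_ok:
        evidence.append(("password", Factor.KNOWS))
    score = complex_device_score(observed_device, account["device"])
    if score >= device_threshold:
        evidence.append(("recognized device", Factor.HAS))
    return {
        "password_ok": pw_ok,
        "device_score": score,
        "factors": sorted(f.value for f in distinct_factors(evidence)),
        "true_mfa": is_true_mfa(evidence),
    }


# Constructed sample data (a real system would use os.urandom(16) for the salt).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ENROLLED_DEVICE = {"os": "Windows 10", "browser": "Firefox 89", "ip_prefix": "203.0.113",
                   "geo_country": "US", "timezone": "America/New_York",
                   "screen": "1920x1080", "language": "en-US"}
NEW_DEVICE = {"os": "Android 11", "browser": "Chrome 91", "ip_prefix": "198.51.100",
              "geo_country": "DE", "timezone": "Europe/Berlin",
              "screen": "1080x2340", "language": "en-US"}
ACCOUNT = {"salt": SALT,
           "pw_hash": hash_password("correct horse battery staple", SALT),
           "device": ENROLLED_DEVICE}

if __name__ == "__main__":
    # user name + password: two items, one category, so not true MFA
    print(is_true_mfa([("username", Factor.KNOWS), ("password", Factor.KNOWS)]))
    print(authenticate("correct horse battery staple", ENROLLED_DEVICE, ACCOUNT))
    print(authenticate("correct horse battery staple", NEW_DEVICE, ACCOUNT))
```

With the enrolled device the login yields both "knows" and "has" evidence; from the unfamiliar device only 1 of 12 weighted points matches, so the result is password-only and a real deployment would step up to another factor rather than accept it. Whether such a device score satisfies a regulator's notion of "something the user has" is the compliance question the next section discusses; the code only shows how the evidence is tallied.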

Whether such offerings meet the FFIEC's definition of "true multifactor authentication" depends on the sophistication of the device identification methods employed. In June 2011, the FFIEC published a Supplement to Authentication in an Internet Banking Environment, an update to the original guidance issued in 2005. (See http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf for the full supplemental guidance.) In the Device Identification section on page 6 of that supplement, the FFIEC differentiated between simple device identification and complex device identification, and confirmed the validity of complex device identification as a form of multifactor authentication.

References

  1. "FFIEC Press Release - October 12, 2005". 2005-10-12. http://www.ffiec.gov/press/pr101205.htm. Retrieved 2011-05-13.

Wikimedia Foundation. 2010.
