Multi-factor authentication
Multi-factor authentication, sometimes called strong authentication, is an extension of two-factor authentication. It is the defense in depth approach of "security in layers" applied to authentication: where two-factor authentication involves exactly two factors, multi-factor authentication involves two or more. Thus every two-factor authentication is a multi-factor authentication, but not vice versa.

Regulatory Definition

US Federal regulators consistently recognize three authentication factors. The Federal Financial Institutions Examination Council (FFIEC), for example, describes them as follows:

"Existing authentication methodologies involve three basic “factors”:

• Something the user knows (e.g., password, PIN);

• Something the user has (e.g., ATM card, smart card); and

• Something the user is (e.g., biometric characteristic, such as a fingerprint).

Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods." -- Federal Financial Institutions Examination Council (FFIEC)

True multi-factor authentication

"True" multi-factor authentication requires the use of elements from two or more categories. Supplying a user name ("something the user knows") and a password (more of "something the user knows") is still single-factor authentication, despite the use of multiple pieces of distinct information. An example of true multi-factor authentication is requiring that the user insert a smart card into a smart card reader (something the user has) and enter a password (something the user knows). Requiring a valid fingerprint (something the user is) via a biometric fingerprint reader would add a third factor.

At the same time they are validating the identity of the user, many online sites also attempt to confirm the validity of the site to the user. These systems generally display an image and/or phrase previously selected by the user. The appearance of these elements on the screen gives the user some assurance that the site they are viewing is the actual site they intended to reach, not a fraudulent site to which they may have been lured. While this technique is useful in that it increases the overall security of the session, these elements are not part of the user authentication process.

Regulatory Compliance

Following the U.S. Federal Financial Institutions Examination Council (FFIEC) publication advising the use of multi-factor authentication, numerous vendors began offering authentication solutions to address this mandate. One of these approaches is the challenge/response technique, often coupled with a shared secret image. Since users see only requests for information in the "something the user knows" category, many people mistakenly categorize these programs as single-factor security. Most challenge/response systems, however, use a technique called device identification that relies on the user's PC as "something the user has." In its most effective form, device identification uses dozens of readily available attributes of the user's PC, including the operating system, the browser, the IP address and the geo-location, to estimate the likelihood that the current user is the same person who previously accessed the system.

Whether or not such offerings are compliant with the FFIEC's definition of "true multifactor authentication" depends on the sophistication of the device identification methods employed. In June 2011, the FFIEC published a Supplement to Authentication in an Internet Banking Environment, an update to the original guidance issued in 2005. (See http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf for the entire supplemental guidance.) In the Device Identification section on page 6 of that supplement, the FFIEC differentiated between simple device identification and complex device identification, and confirmed the validity of complex device identification as a form of multifactor authentication.
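As an added example (not code from the FFIEC guidance, from Wikipedia, or from any vendor product), the following Python shows how a system can count factors the way the two sections above describe: each piece of verified user-supplied evidence is tagged with its category, and device identification contributes a "something the user has" item only when enough of the observed device attributes match the profile stored at enrollment. The attribute weights, the 0.75 threshold and the device profiles are constructed for illustration. Most of these attributes (browser, IP address, time zone) are reported by or inferable from the client and can be changed or replayed, which is why a weak match is treated as no possession factor at all rather than a partial one.

```python
"""Factor counting with device identification as a possession factor.

Added example; weights, threshold and device profiles are assumptions
constructed for illustration, not values from any guidance or product.
"""

KNOWLEDGE, POSSESSION, INHERENCE = "knows", "has", "is"

# Device attributes compared against the enrolled profile, with assumed
# weights. Location-related attributes are weighted highest here.
DEVICE_WEIGHTS = {
    "os": 0.15,
    "browser": 0.15,
    "screen": 0.10,
    "timezone": 0.10,
    "language": 0.05,
    "ip": 0.20,
    "geo": 0.25,
}
MATCH_THRESHOLD = 0.75  # assumed minimum score to treat the device as known

# Constructed sample data: the profile stored at enrollment and two
# later observations (same machine from a new address; a different machine).
ENROLLED = {
    "os": "Windows 7", "browser": "Firefox 5", "screen": "1280x1024",
    "timezone": "-0500", "language": "en-US", "ip": "203.0.113.7",
    "geo": "US-NY",
}
SAME_DEVICE_NEW_IP = dict(ENROLLED, ip="203.0.113.42")
OTHER_DEVICE = {
    "os": "Linux", "browser": "Chrome 12", "screen": "1920x1080",
    "timezone": "-0500", "language": "en-US", "ip": "198.51.100.9",
    "geo": "RO-B",
}


def device_match_score(enrolled, observed):
    """Weighted share of attributes on which the observation matches the
    enrolled profile, in [0, 1]. A missing attribute counts as a mismatch."""
    total = sum(DEVICE_WEIGHTS.values())
    matched = sum(
        weight for key, weight in DEVICE_WEIGHTS.items()
        if key in enrolled and enrolled[key] == observed.get(key)
    )
    return matched / total


def device_evidence(enrolled, observed):
    """Return a possession-factor evidence item only when the device matches
    strongly enough; a weak match contributes no factor at all."""
    if device_match_score(enrolled, observed) >= MATCH_THRESHOLD:
        return [(POSSESSION, "device-id")]
    return []


def count_factors(evidence):
    """Number of distinct factor categories among already-verified evidence.

    Each item is (category, label). Two items from the same category, such
    as a user name and a password, still count as a single factor."""
    return len({category for category, _ in evidence})


def is_true_mfa(evidence):
    """True multi-factor authentication needs two or more categories."""
    return count_factors(evidence) >= 2


def classify_login(enrolled, observed, verified_evidence):
    """Combine verified user-supplied evidence with device identification
    and report how many factors the login actually presented."""
    evidence = list(verified_evidence) + device_evidence(enrolled, observed)
    return {
        "device_score": round(device_match_score(enrolled, observed), 2),
        "factors": count_factors(evidence),
        "true_mfa": is_true_mfa(evidence),
    }


if __name__ == "__main__":
    knows_only = [(KNOWLEDGE, "username"), (KNOWLEDGE, "password")]
    # Known device on a new IP: knowledge + possession, two factors.
    print(classify_login(ENROLLED, SAME_DEVICE_NEW_IP, knows_only))
    # Unknown device: user name and password alone remain one factor.
    print(classify_login(ENROLLED, OTHER_DEVICE, knows_only))
    # Unknown device, but a verified fingerprint adds "something the user is".
    print(classify_login(ENROLLED, OTHER_DEVICE,
                         knows_only + [(INHERENCE, "fingerprint")]))
```

The point of `count_factors` is that it deduplicates by category, so adding more knowledge-based challenge questions never raises the factor count; only evidence from a different category, such as a strongly matching device or a biometric, does.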

See also

  • Authentication
  • Authentication server
  • Dongle
  • Hardware Security Module
  • Identity management
  • Initiative For Open Authentication
  • Mobile signatures
  • Mutual authentication
  • Real time locating
  • Real time location system
  • Software token

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 