Multi-factor authentication
Multi-factor authentication, sometimes called strong authentication, is a generalization of two-factor authentication. It is the defense-in-depth principle of "security in layers" applied to authentication. Whereas two-factor authentication involves exactly two factors, multi-factor authentication involves two or more. Every two-factor authentication scheme is therefore a multi-factor scheme, but not vice versa.
Regulatory Definition
US Federal regulators, for example, consistently recognize three authentication factors:
"Existing authentication methodologies involve three basic “factors”:
• Something the user knows (e.g., password, PIN);
• Something the user has (e.g., ATM card, smart card); and
• Something the user is (e.g., biometric characteristic, such as a fingerprint).
Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods." -- Federal Financial Institutions Examination Council (FFIEC)[1]
True multi-factor authentication
"True" multi-factor authentication requires elements from two or more of these categories. Supplying a user name ("something the user knows") together with a password (also "something the user knows") is still single-factor authentication, even though two distinct pieces of information are presented. An example of true multi-factor authentication is requiring the user to insert a smart card into a smart card reader (something the user has) and enter a password (something the user knows). Requiring a valid fingerprint (something the user is) from a biometric fingerprint reader would add a third factor.
While validating the user's identity, many online sites also attempt to prove the site's own validity to the user. These systems generally display an image and/or phrase previously selected by the user. Seeing these elements gives the user some assurance that the site being viewed is the one they intended to reach, not a fraudulent site to which they may have been lured. Although this technique is useful because it raises the overall security of the session, these elements are not part of the user authentication process.
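The counting rule above (distinct categories, not distinct credentials) is easy to get wrong in policy code. The following is an added example, not code from the article or from the FFIEC; it maps constructed credential-type names to the three FFIEC categories, counts how many distinct categories a login presents, and deliberately excludes the site-verification image, which reassures the user about the site but contributes no authentication factor.

```python
from enum import Enum


class Factor(Enum):
    """The three FFIEC authentication factor categories."""
    KNOWS = "something the user knows"
    HAS = "something the user has"
    IS = "something the user is"


# Constructed mapping of credential types to factor categories (assumption:
# these type names are ours, chosen to match the examples in the text).
# None marks an element that is shown to the user for site verification and
# is therefore not part of user authentication at all.
CREDENTIAL_FACTOR = {
    "username": Factor.KNOWS,
    "password": Factor.KNOWS,
    "pin": Factor.KNOWS,
    "smart_card": Factor.HAS,
    "atm_card": Factor.HAS,
    "fingerprint": Factor.IS,
    "site_image": None,
}


def distinct_factors(presented):
    """Return the set of distinct factor categories among the credential
    types presented during a login; unknown types are rejected rather than
    silently ignored so a misconfigured policy fails closed."""
    unknown = [c for c in presented if c not in CREDENTIAL_FACTOR]
    if unknown:
        raise ValueError(f"unrecognised credential type(s): {unknown}")
    return {CREDENTIAL_FACTOR[c] for c in presented if CREDENTIAL_FACTOR[c] is not None}


def factor_count(presented):
    """Number of distinct categories; two passwords still count as one."""
    return len(distinct_factors(presented))


def is_multi_factor(presented, required=2):
    """True when the login draws on at least `required` distinct categories."""
    return factor_count(presented) >= required


if __name__ == "__main__":
    for login in (["username", "password"],
                  ["smart_card", "password", "site_image"],
                  ["smart_card", "password", "fingerprint"]):
        print(login, "->", factor_count(login), "factor(s); multi-factor:",
              is_multi_factor(login))
```

The `site_image` entry is the point of the example: a policy that counts presented credentials instead of distinct categories would credit the shared-secret image (or a second password) as an extra factor, which is exactly the misclassification the article warns against.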
Regulatory Compliance
Following the U.S. Federal Financial Institutions Examination Council's (FFIEC) publication [1] advising the use of multi-factor authentication, numerous vendors began offering authentication solutions to address this mandate. One of these approaches is the challenge/response technique, often coupled with a shared secret image. Because users see only requests for information in the "something the user knows" category, many people mistakenly categorize these programs as single-factor security. Most challenge/response systems, however, use a technique called device identification that relies on the user's PC as "something the user has." In its most effective form, device identification uses dozens of readily available attributes of the user's PC, including information about the operating system, the browser, the IP address and the geo-location, to estimate the likelihood that the current user is the same person who previously accessed the system.
Whether such offerings comply with the FFIEC's definition of "true multifactor authentication" depends on the sophistication of the device identification methods employed. In June 2011, the FFIEC published a Supplement to Authentication in an Internet Banking Environment, an update to the original guidance issued in 2005. (See http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf for the entire supplemental guidance.) In the Device Identification section on page 6 of that supplement, the FFIEC differentiated between simple device identification and complex device identification, and confirmed the validity of complex device identification as a form of multifactor authentication.
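To make the simple-versus-complex distinction concrete, here is an added example that is not from the article or from any vendor product. It compares a stored device profile with the attributes observed at the current login. "Simple" identification checks only a single stored identifier (modelled here as a cookie value); "complex" identification weights several attributes and requires a match score above a threshold. The attribute list, weights and threshold are constructed assumptions for illustration, not FFIEC values.

```python
# Constructed attribute weights (assumption): higher weight means the
# attribute is harder to coincidentally share with another device.
DEVICE_ATTRIBUTE_WEIGHTS = {
    "os": 1.0,
    "browser": 1.0,
    "ip_address": 2.0,
    "geo_location": 2.0,
    "timezone": 0.5,
}


def device_match_score(stored, current, weights=DEVICE_ATTRIBUTE_WEIGHTS):
    """Weighted fraction of the stored profile's attributes that the current
    login reproduces. Attributes absent from `weights` (such as a cookie) do
    not influence the score."""
    scored = [k for k in stored if k in weights]
    total = sum(weights[k] for k in scored)
    if total == 0:
        return 0.0
    matched = sum(weights[k] for k in scored if current.get(k) == stored[k])
    return matched / total


def simple_device_id(stored, current):
    """Simple identification: a single stored identifier must match."""
    cookie = stored.get("device_cookie")
    return cookie is not None and cookie == current.get("device_cookie")


def complex_device_id(stored, current, threshold=0.6):
    """Complex identification: the weighted attribute profile must match
    closely enough. The 0.6 threshold is an assumption chosen so that a
    changed IP address alone does not reject an otherwise identical device."""
    return device_match_score(stored, current) >= threshold


# Constructed sample data: a profile recorded at enrolment and two later logins.
ENROLLED = {
    "device_cookie": "c0ffee",
    "os": "Windows 7",
    "browser": "Firefox 4",
    "ip_address": "203.0.113.10",
    "geo_location": "US-NY",
    "timezone": "UTC-5",
}

# Same machine, connecting from a different network.
SAME_DEVICE_NEW_NETWORK = dict(ENROLLED, ip_address="198.51.100.7")

# Different machine that presents the same cookie value but little else.
OTHER_DEVICE_SAME_COOKIE = {
    "device_cookie": "c0ffee",
    "os": "Linux",
    "browser": "Chrome 12",
    "ip_address": "192.0.2.44",
    "geo_location": "DE-BE",
    "timezone": "UTC-5",
}


def evaluate(stored, current):
    """Return (simple_result, complex_result, score) for one login."""
    return (simple_device_id(stored, current),
            complex_device_id(stored, current),
            device_match_score(stored, current))


if __name__ == "__main__":
    print("same device, new network:", evaluate(ENROLLED, SAME_DEVICE_NEW_NETWORK))
    print("other device, same cookie:", evaluate(ENROLLED, OTHER_DEVICE_SAME_COOKIE))
```

The two sample logins show why the distinction matters: a single identifier is satisfied whenever that one value is reproduced, whereas the weighted profile tolerates an ordinary change (a new IP address) but does not accept a device that reproduces only the identifier.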
See also
- Authentication
- Authentication server
- Dongle
- Hardware Security Module
- Identity management
- Initiative For Open Authentication
- Mobile Signatures
- Mutual authentication
- Real time locating
- Real time location system
- Software token
References
[1] "FFIEC Press Release - October 12, 2005". 2005-10-12. http://www.ffiec.gov/press/pr101205.htm. Retrieved 2011-05-13.