Sunday, November 27, 2011

What Is Multi-Factor Authentication?

Multi-factor authentication, sometimes called strong authentication, is an extension of two-factor authentication: it involves two or more factors, whereas two-factor authentication involves exactly two. There are three basic "factors" in existing authentication methodologies: something the user knows, something the user has and something the user is. An example of something the user knows is a password or a personal identification number (PIN). Something the user has would be an item like an ATM card, smart card or cellular phone. Something the user is would be a biometric characteristic such as a fingerprint or iris scan.

An example of this kind of authentication is requiring that the user insert a smart card or use a cell phone (something the user has) and enter a password (something the user knows). This can be taken a step further by adding a third factor, such as requiring a valid fingerprint or iris scan (something the user is).

When you send your personal information over the internet or to a server, are you confident that these so-called "secure" networks really are secure? Although internet fraud reportedly dipped in 2010, consumers are still skeptical about doing anything online that involves their personal information. In fact, in 2009 online fraud doubled from the year before.

There was a time when an email password could be anything you chose, but now email providers require a minimum password length and even rate your password strength. Security is an important concern for most people, and as people need stronger passwords, stronger authentication is developed to meet this demand. Passwords are becoming more complex and now have minimum lengths, symbol requirements and other restrictions that help increase security, but that still isn't enough.

Beyond creating passwords that are harder to hack, crack or steal, there are even higher forms of security available. Multi-factor authentication is now being used by major corporations to protect your confidential information online or over their networks. Multi-factor authentication is the solution to data and identity breaches and is much more secure than just a simple one-time password.

Two-Factor Authentication

With multi-factor authentication, stealing a username and password is not enough. Usernames and passwords are only a single-factor authentication method. In a two-factor authentication system the user provides two means of identification: one is typically a physical token such as a card or cell phone, and the other is typically something memorized, such as a security code. The security code is usually a one-time password sent through an SMS text message to your mobile phone, but some two-factor authentication solutions provide proprietary devices that produce an OTP for you.

Multi-Factor Authentication

Multi-factor authentication uses a combination of two or three different ways to authenticate your identity. The first is usually a password (what you know), but can also be your response to a challenge question, known as knowledge-based authentication. The second is what you have, which could be a physical device such as a smart card or a hardware token that generates one-time passwords. The third is who you are, as indicated by a biometric such as a fingerprint or an iris scan. Almost every multi-factor approach uses a password and then combines it with the second factor, the third factor or both. Two-factor authentication is a form of multi-factor authentication, but not vice versa. With technology growing by leaps and bounds there are not only more ways of stealing your information, but more ways of combating it.

There are three independent factors in multi-factor authentication: something you know, something you have and something you are.

Something You Know

This is the traditional username and password system that we have been using for decades and still use today. It could also be your response to a challenge question, known as knowledge-based authentication. With the possibility of being hacked or having your password stolen these days, there had to be a more secure way of accessing confidential data. Key-logging software and various hardware devices have compromised the security of login credentials such as usernames and passwords.

Something You Have

Something you have consists of utilizing an outside channel such as a mobile phone for SMS text messages, or a proprietary token that creates one-time passwords. Also still used in some cases is a piece of paper containing a list of passwords. Have you ever been sent a one-time password to access personal information such as online banking records, or an important account you were locked out of? That is two-factor authentication through something you have.

Something You Are

Once you have your username, password and OTP, there is only one thing left to identify you. With today's technology we can now measure our biological differences. Since everyone is unique, like a snowflake, utilizing biometrics to obtain access to confidential information is the most secure form of identification. By measuring parts of your body, such as an iris scan, fingerprints or even the spacing between fingers, a security system can now authenticate a user.

Many technology vendors that claim to be offering "multi-factor authentication solutions" are, in fact, providing single-factor authentication approaches. Most notable are challenge/response approaches, which are often paired with a shared secret image. These kinds of approaches are not true multi-factor authentication solutions and are not compliant with the guidance of the U.S. Federal Financial Institutions Examination Council, the formal interagency body of the United States government that is empowered to prescribe uniform principles, standards and report forms for the federal examination of financial institutions.

True multi-factor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple factors from the same category does not constitute multi-factor authentication.
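As an added example (not code from the original post), the following Python makes that distinction concrete: it classifies presented credentials into the three categories so that a password plus a challenge question or secret image still counts as one factor, and it verifies a two-factor login built from a password (something you know) and an RFC 4226 HOTP code from a hardware token (something you have). The credential names, the user record and the demo secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Which of the three categories each kind of credential belongs to (constructed mapping).
CATEGORY = {
    "password": "know", "challenge_question": "know", "secret_image": "know",
    "sms_otp": "have", "hardware_token": "have", "smart_card": "have",
    "fingerprint": "are", "iris_scan": "are",
}

def factor_count(credential_types):
    """Number of distinct categories presented; several credentials of one kind still count once."""
    return len({CATEGORY[c] for c in credential_types})

def is_multi_factor(credential_types):
    """True only when credentials span at least two of know / have / are."""
    return factor_count(credential_types) >= 2

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_password(password, salt):
    """Salted PBKDF2 so the server never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_login(user, password, otp_code):
    """Two-factor check: the password (know) and the token's next HOTP value (have) must both pass."""
    ok_pw = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    # Only the code for the next expected counter is accepted (no look-ahead window here).
    ok_otp = hmac.compare_digest(hotp(user["otp_secret"], user["next_counter"]), otp_code)
    if ok_pw and ok_otp:
        user["next_counter"] += 1   # consume the code so a captured OTP cannot be replayed
        return True
    return False
```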

Maybe our society in this day and age is paranoid, but it does not seem that way when everyone knows someone who has been affected by fraud. Trusting our personal data to a simple username and password is like protecting a pile of gold with a chain-link fence. Multi-factor authentication is the most effective way to authenticate a user and protect data, as it is much harder to compromise a combination of something you know, something you have and something you are.

Mitchel Smith is an authentication security expert who has been in the information technology industry for over a decade. He provides authentication information about Two Factor Authentication and Multi Factor Authentication.