Last reviewed: May July 2015
What Is Two-Factor Authentication?
...
Other requirements for two-factor authentication include Internet banking. For that reason, the Federal Financial Institutions Examination Council (FFIEC) strongly recommends two-factor authentication for consumer online banking services. Specifically, in its Supplement to Authentication in an Internet Banking Environment, under Customer Authentication for High Risk Transactions, it states "Financial institutions should implement layered security, as described herein, utilizing controls consistent with the increased level of risk for covered business transactions. Additionally, the Agencies recommend that institutions offer multi-factor authentication to their business customers." See Client (Personal) Certificates: Should We Be Thinking About Certificate Use Cases or Should We Be Thinking About The Sort of Credential Deployment Model We Need?, a presentation at the AMSAC Open Meeting - Internet2 Member Meeting 2011,
Tip: Check out Breaking the Ubiquitous Two-Factor Barrier, presented by Jane Drews (University of Iowa) and Quinn Shamblin (Boston University) at the 2015 Security Professionals Conference. For other recent presentations visit access control and identity and access management in the EDUCAUSE library. Learn more about Two-Factor Authentication with Duo Push by visiting the Internet2 NET+ website. Also see Client (Personal) Certificates: Should We Be Thinking About Certificate Use Cases or Should We Be Thinking About The Sort of Credential Deployment Model We Need? (a presentation at the 2011 Internet2 Member Meeting) for questions to ponder when considering deployment of two-factor authentication.
...
What Technology Is Available?
...
See Mobile One-Time-Passwords (OTP), Google Authenticator, and DuoSecurity for information on implementation of OTP via mobile phones. Additional implementation options include:
- SMS push to a preregistered device
- Photograph-the-barcode-on-your-device's screen
- Answer a call made to the individual's mobile phone and hit a specified key
- Biometric voice verification
Advantages:
- Since most users are already carrying smartphones, it may be perceived as an easier or more convenient way to authenticate than using tokens or smart cards
- Compatible with a large number of applications
- Easy to use
Disadvantages:
- Relatively new technology, not as mature but gaining acceptance
- Some confusion exists regarding the levels of two-factor strength of DTMF tones (out of band) vs one-time-passwords (in band) vs SMS (either or) and vendor available options
- The possibility of cell phone cloning or interception
- There may be locations/situations in which the use of smartphones may not be viable or functional (airplanes? basements?) or may be too expensive (e.g., when travelling overseas and paying international rates/roaming rates)
Who Is Using It (this is just a sample list):
2. Security Tokens
A small device that an individual possesses and controls used to authenticate the individual's identity. It provides the "what you have" component of two-factor authentication since it is used in addition to another piece of evidence (e.g., a password) to prove that individuals are who they claim to be. A token generates a unique code that is combined with an individual's password to create an electronic "ticket" that authenticates the individual and encrypts the transmission to ensure data integrity. Security tokens come in different types. The most common are:
...
...
3. Smart Cards
A pocket-sized card, similar to a credit card, with embedded integrated circuits that communicate with external devices via a card reader.
...
4. Biometrics
The use of intrinsic physiological and behavioral characteristics to authenticate a particular individual. Most biometric-based authentication follows a four-step process:
...
Sources: The Biometrics Consortium; The Biometrics Research Group; Biometrics.gov Biometrics Overview; and James Michael Stewart, Ed Tittle, Mike Chapple "CISSP Study Guide", Third Edition
Additional Resources
...
...
Questions or comments? Contact us.
...