Version 1.0: October 2011Last reviewed: May 2015
What Is Two-Factor Authentication?
...
Other requirements for two-factor authentication include Internet banking. For that reason, the Federal Financial Institutions Examination Council (FFIEC) strongly recommends two-factor authentication for consumer online banking services. Specifically, in its Supplement to Authentication in an Internet Banking Environment, under Customer Authentication for High Risk Transactions, it states "Financial institutions should implement layered security, as described herein, utilizing controls consistent with the increased level of risk for covered business transactions. Additionally, the Agencies recommend that institutions offer multi-factor authentication to their business customers."
See Client (Personal) Certificates: Should We Be Thinking About Certificate Use Cases or Should We Be Thinking About The Sort of Credential Deployment Model We Need?, a presentation at the AMSAC Open Meeting - Internet2 Member Meeting 2011, for questions to ponder when considering deployment of two-factor authentication.
...
- One Time Password (OTP) tokens which generate a new password every so many seconds.
- Challenge-Response tokens, which, given an input (such as a random string of numbers) provide a unique response, which can then be validated by the authenticating server
- USB hard tokens. See description below.
- Other technology solutions such as grid cards or Personal Identification Number (PIN) / Transaction Authentication Number (TAN) systems
| Section | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||
|
...
A pocket-sized card, similar to credit card, with embedded integrated circuits that communicate with external devices via a card reader.
Smart cards can be programmed to provide identification and authentication services. The most advanced cards include encryption hardware that uses algorithms that support the NIST standard for Personal Identity Verification (FIPS 201) and/or secure Bluetooth-enabled card readers to link smart cards to users' smart phones but the readers can be expensive.
...
- Create a sample of individuals' biometric characteristics during an enrollment process. A profile of an individual's characteristics can be built based on a specific number of samples given.
- Unique data are extracted from the sample and a template is created.
- The template is compared with a new sample provided during authentication.
Access is determined by matching the features extracted from the new sample with those of the template.
Section border true Column width 50% Advantages:
- Strong second factor
- Meet security requirements of integrity and nonrepudiation when combined with digital signatures
Column width 50% Disadvantages:
- Requires relatively more complex and expensive technology
- Requires calibration through multiple image captures to minimize the probability of erroneous rejection of authorized individuals or erroneous acceptance of unauthorized individuals
- Concerns about accuracy, privacy and security of biometric indicators, and potential inconvenience make user acceptance difficult
- Adds complexity to replacement of compromised credentials (e.g., how do you revise the template created from an individual's iris scan or thumbprint)
- Illness or injury might make it difficult or impossible for individuals to authenticate
- Potential accessibility barriers for disabled individuals
...
| Fingerprint Recognition | Signature Characteristics | Palm Scan | Hand Geometry | Retina Scan | Iris Scan | Keyboard Dynamics | Voice Print | Facial Scan |
Description | Examines the unique ridge endings and bifurcations displayed by friction ridges of an individual's fingerprint | Often referred to as dynamic signature verification (DSV), examines how individuals sign their names | Examines the unique creases, ridges, grooves in an individual's hand. Also scans the fingerprints of each finger. | Examines the length and width of an individual's hand. The system compares the geometry of each finger and the hand as a whole | Examines the blood vessel patterns of the retina on the backside of the eyeball | Examines the colored portion of the eye that surrounds the pupil. The iris has unique characteristics (e.g., colors, rings, etc). | Examines the speed and motion used by an individual when typing a specific phrase | Examines an individual's speech sounds and patterns when saying a sequence of words | Examines facial characteristics of an individual - bone structure, nose ridge, eyes width, forehead size, etc. |
Accuracy | High accuracy level, | Low accuracy level |
| Medium/ Low accuracy level despite highly stable pattern over individual life | The most accurate biometric authentication | The second most accurate biometric authentication. Iris remains unchanged throughout life so iris scan has longer useful life. | Low level of accuracy. Subject to significant variances due to changes of behavior and posture | Medium accuracy level. Can be impacted by circumstances like a cold | Medium / low accuracy level. Pretty good at full frontal views but has problems with angle views, profiles, and varying facial expressions |
User acceptance | Average acceptance though it is the most used and most practical biometric | Very high acceptance level. The signature is the most common form of authentication in the paper world | Average acceptance | High acceptance | Least level of user acceptance | Average acceptance | High acceptance | High acceptance | Average acceptance |
Relative Cost | Medium / Low | Medium |
| Medium | High | High | Low | Medium | Medium |
Application interface | Scanner. Easy to use and require little space | Optic pen and touch panel. More sophisticated devices can measure: | Scanner | Scanner. Easy to capture but system requires large physical space | Reader. Requires direct contact with a cup reader | Reader. Does not require direct contact with the reader | Keyboard | Microphone or telephone. Commonly available sensors Hands-free and eyes-free operation | Camera |
Special Requirements |
| Requires individuals to sign their name with a special pen on a sensitized reader or pad |
|
|
| Acquisition of iris image requires more training than most biometrics |
|
|
|
Privacy Concerns | Privacy concerns of criminal implications |
| Same as fingerprint |
| Can reveal personal medical conditions like high blood pressure and pregnancy | None. Does not reveal personal medical conditions |
|
|
|
Sources: The Biometrics Consortium; The Biometrics Research Group; Biometrics.gov Biometrics Overview; and James Michael Stewart, Ed Tittle, Mike Chapple "CISSP Study Guide", Third Edition
...
- SMS push to a preregistered device
- Photograph-the-barcode-on-your-device's screen
- Answer a call made to the individual's mobil phone and hit a specified key
Biometric voice verification
Section border true Column width 50% Advantages:
- Since most users are already carrying smartphones, it may be perceived as an easier or more convinient way to authenticate than using tokens or smart cards
- Compatible with a large number of applications
- Easy to use
Column width 50% Disadvantages:
- Relatively new technology, not as mature but gaining acceptance
- Some confusion exists regarding the levels of two-factor strength of DTMF tones (out of band) vs one-time-passwords (in band) vs SMS (either or) and vendor available options
- The possibility of cell phone cloning or interception
- There may be locations/situations in which the use of smartphones may not be viable or functional (airplanes? basements?) or may be too expensive (e.g., when travelling overseas and paying international rates/roaming rates)
...