Version 1.0: October 2011
It is the use of two independent means of evidence (factors) to assert the identity of a user requesting access to an application or service from the organization that provides it. The objective of two-factor authentication, as a method of electronic computer authentication, is to decrease the probability that the requestor is not who he/she claims to be (i.e., is providing false evidence of his/her identity). Two-factor authentication is achieved by a combination of any two of the three "Somethings" below:
Something you know
Something you have
Something you are
Note that the use of a password in combination with a PIN, for example, is NOT considered two-factor authentication because both pieces of information involve a single factor - something you know.
The use of two-factor authentication has been pervasive and ubiquitous for quite a long time already. Any person who has used an ATM to withdraw cash from a bank account has used two-factor authentication: you had to provide something you have (a card) and something you know (a PIN) in order to complete the transaction.
The subtle difference is that, while two-factor authentication uses exactly two factors to assert the identity of a user, multi-factor authentication uses two or more factors to assert identity. In essence, two-factor authentication is a subset of multi-factor authentication. An example of multi-factor authentication would be the requirement to insert a smart card (something you have) into a smart-card reader, enter a PIN (something you know), and provide a valid fingerprint (something you are) captured by a biometric fingerprint reader. This example uses three factors to assert the identity of a user.
Privacy, and the threat of identity theft, is increasingly a concern as more personal information finds its way into online applications. In addition, passwords alone can frequently be guessed easily or compromised through phishing or hacking, and consequently no longer provide adequate protection for mission-critical information systems and applications containing Personally Identifiable Information (PII), Personal Health Information (PHI), and other confidential information. Some specific concerns:
See Passwords, a presentation at the NWACC Security Conference 2009, for an in-depth review of all the reasons why it makes good business sense to consider two-factor authentication as an alternative to traditional passwords.
Compliance is also driving adoption of two-factor authentication in other areas – three examples:
Internet banking is another area where two-factor authentication is called for. The Federal Financial Institutions Examination Council (FFIEC) strongly recommends two-factor authentication for consumer online banking services. Specifically, in its Supplement to Authentication in an Internet Banking Environment, under Customer Authentication for High Risk Transactions, it states: "Financial institutions should implement layered security, as described herein, utilizing controls consistent with the increased level of risk for covered business transactions. Additionally, the Agencies recommend that institutions offer multi-factor authentication to their business customers."
See Client (Personal) Certificates: Should We Be Thinking About Certificate Use Cases or Should We Be Thinking About The Sort of Credential Deployment Model We Need?, a presentation at the AMSAC Open Meeting - Internet2 Member Meeting 2011, for questions to ponder when considering deployment of two-factor authentication.
A small device that an individual possesses and controls used to authenticate the individual's identity. It provides the "what you have" component of two-factor authentication since it is used in addition to another piece of evidence (e.g., a password) to prove that individuals are who they claim to be. A token generates a unique code that is combined with an individual's password to create an electronic "ticket" that authenticates the individual and encrypts the transmission to ensure data integrity. Security tokens come in different types. The most common are:
Hardware Tokens: Physical devices small enough to be carried in a pocket or attached to a keychain. They may store digital credentials, a digital certificate, or digitized biometric data (e.g., a fingerprint). Some hardware tokens include input and output interfaces, such as a small keypad to enter a PIN, a button to generate a key number, and a display window to show it. They can also include a Bluetooth wireless interface to transfer the generated key number to a client system.
Hardware tokens also come in different types. Some of the most common are:
USB Token: A specific type of hardware token designed to include a Universal Serial Bus (USB) connector. A USB port is standard equipment on today's computers. USB tokens are normally used to store digital certificates. They plug into a computer's USB port and, in some cases, individuals are prompted to enter their PIN to unlock/pass the digital certificate.
Some USB tokens require drivers to be installed, while others come with self-installing drivers that only work with certain versions of Windows.
Software Tokens: Non-physical device that is stored on a desktop computer, laptop, Personal Digital Assistant (PDA), or mobile phone. As in the case of hardware tokens, they may store digital credentials or a digital certificate.
A pocket-sized card, similar to a credit card, with embedded integrated circuits that communicate with external devices via a card reader.
Smart cards can be programmed to provide identification and authentication services. The most advanced cards include encryption hardware whose algorithms support the NIST standard for Personal Identity Verification (FIPS 201), and/or work with secure Bluetooth-enabled card readers that link smart cards to users' smart phones, though such readers can be expensive.
Similar to USB tokens, they also provide the "what you have" component of two-factor authentication since with a smart card an individual authenticates by using a PIN in combination with a smart card that contains the individual-specific information.
The use of intrinsic physiological and behavioral characteristics to authenticate a particular individual. Most biometric-based authentication follows a four-step process:
| Biometric | Description | Accuracy | User acceptance | Relative cost | Application interface | Special requirements | Privacy concerns |
|---|---|---|---|---|---|---|---|
| Fingerprint Recognition | Examines the unique ridge endings and bifurcations displayed by the friction ridges of an individual's fingerprint | High accuracy level | Average acceptance, though it is the most used and most practical biometric | Medium / Low | Scanner. Easy to use and requires little space | | Privacy concerns of criminal implications |
| Signature Characteristics | Often referred to as dynamic signature verification (DSV); examines how individuals sign their names | Low accuracy level | Very high acceptance level. The signature is the most common form of authentication in the paper world | Medium | Optic pen and touch panel. More sophisticated devices can measure: | Requires individuals to sign their name with a special pen on a sensitized reader or pad | |
| Palm Scan | Examines the unique creases, ridges and grooves in an individual's hand. Also scans the fingerprints of each finger. | | Average acceptance | | Scanner | | Same as fingerprint |
| Hand Geometry | Examines the length and width of an individual's hand. The system compares the geometry of each finger and the hand as a whole | Medium / Low accuracy level despite a highly stable pattern over an individual's life | High acceptance | Medium | Scanner. Easy to capture, but the system requires large physical space | | |
| Retina Scan | Examines the blood vessel patterns of the retina on the back of the eyeball | The most accurate biometric authentication | Least level of user acceptance | High | Reader. Requires direct contact with a cup reader | | Can reveal personal medical conditions like high blood pressure and pregnancy |
| Iris Scan | Examines the colored portion of the eye that surrounds the pupil. The iris has unique characteristics (e.g., colors, rings) | The second most accurate biometric authentication. The iris remains unchanged throughout life, so an iris scan has a longer useful life | Average acceptance | High | Reader. Does not require direct contact with the reader | Acquisition of the iris image requires more training than most biometrics | None. Does not reveal personal medical conditions |
| Keyboard Dynamics | Examines the speed and motion used by an individual when typing a specific phrase | Low level of accuracy. Subject to significant variances due to changes of behavior and posture | High acceptance | Low | Keyboard | | |
| Voice Print | Examines an individual's speech sounds and patterns when saying a sequence of words | Medium accuracy level. Can be impacted by circumstances like a cold | High acceptance | Medium | Microphone or telephone. Commonly available sensors; hands-free and eyes-free operation | | |
| Facial Scan | Examines facial characteristics of an individual: bone structure, nose ridge, eye width, forehead size, etc. | Medium / Low accuracy level. Pretty good at full frontal views but has problems with angled views, profiles, and varying facial expressions | Average acceptance | Medium | Camera | | |
Sources: The Biometrics Consortium; The Biometrics Research Group; Biometrics.gov Biometrics Overview; and James Michael Stewart, Ed Tittel, Mike Chapple, "CISSP Study Guide", Third Edition.
Though similar to two-factor authentication, second channel authentication is distinct: it allows individuals to use their mobile phone as a security token (i.e., something you have). A Java application installed on the mobile phone performs the functions normally provided by a security token. Other ways of using the phone include Short Message Service (SMS) messaging, prompting an interactive telephone call, or using standard Internet protocols such as HTTP or HTTPS. Second channel authentication uses a mobile phone via a cellular network in addition to the computing device connected via an IP connection. This authentication method is already in use in online shopping, with Google's version of two-factor authentication built into the Google shopping cart.
See Mobile One-Time-Passwords (OTP) and Google Authenticator for information on implementation of OTP via mobile phones. Additional implementation options include:
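The following is an added example written for this page; it is not code from the wiki, from Google Authenticator, or from any token vendor. It shows how a mobile OTP token of the kind described above produces its "something you have" code (HOTP per RFC 4226 and TOTP per RFC 6238, which is what Google Authenticator implements), and how a service combines that code with the "something you know" password so that both factors are checked together. The class name `TwoFactorVerifier`, the helper names, the password hashing parameters, and the sample secret are assumptions for the demonstration; the 20-byte secret is the reference secret published in RFC 4226/6238 so the generator can be checked against the RFCs' own test vectors.

```python
"""Added example (not the page's or any vendor's code): TOTP token generation
plus a two-factor verifier that checks password and one-time code together."""
import base64
import hashlib
import hmac
import secrets
import struct

# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
# Used here only so the generator can be compared with the RFC test vectors;
# a real enrolment uses secrets.token_bytes(20) as in enroll_secret() below.
RFC_TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                               # low nibble of the last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)          # keep leading zeros


def totp(secret: bytes, timestamp: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, timestamp // step, digits)


def enroll_secret() -> bytes:
    """Fresh 160-bit shared secret for a new token (assumed helper)."""
    return secrets.token_bytes(20)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI, the form that Google Authenticator and similar apps import from a QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits=6&period={STEP_SECONDS}")


class TwoFactorVerifier:
    """Server side: 'something you know' (password) + 'something you have' (TOTP device)."""

    def __init__(self, password: str, totp_secret: bytes, window: int = 1):
        self.salt = secrets.token_bytes(16)
        self.password_hash = self._hash(password)
        self.totp_secret = totp_secret
        self.window = window          # tolerate +/- this many steps of clock drift
        self.last_counter = -1        # highest step already consumed (replay protection)

    def _hash(self, password: str) -> bytes:
        # Slow salted hash for the password factor (parameters are illustrative).
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def verify(self, password: str, code: str, now: int) -> bool:
        # Evaluate both factors unconditionally: a wrong password must not short-circuit
        # and thereby reveal, through timing, which factor failed.
        password_ok = hmac.compare_digest(self._hash(password), self.password_hash)
        current = now // STEP_SECONDS
        matched = None
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue              # a code for this step was already accepted once
            if hmac.compare_digest(hotp(self.totp_secret, counter), code):
                matched = counter
        if not (password_ok and matched is not None):
            return False
        self.last_counter = matched   # burn the step so the same code cannot be replayed
        return True


if __name__ == "__main__":
    # Constructed enrolment: the token app and the service share one secret.
    secret = enroll_secret()
    print(provisioning_uri(secret, "alice@example.edu", "ExampleCampus"))
    service = TwoFactorVerifier("correct horse battery", secret)
    import time
    code = totp(secret, int(time.time()))        # what the phone would display
    print("login ok:", service.verify("correct horse battery", code, int(time.time())))
    print("replay ok:", service.verify("correct horse battery", code, int(time.time())))
```

Two design points matter for a deployment. First, the verifier records the last accepted time step, so a code captured by phishing is worthless once the legitimate user has logged in with it; without that check a 30-second window is long enough for a relay. Second, both factors are always evaluated and compared in constant time, so an attacker who already has the password learns nothing extra from response timing, and one who has only the token cannot tell whether the password guess was close.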
Survey Demographics

| Name | Count | Average | Median | Min | Max |
|---|---|---|---|---|---|
| Employees | 67 | 9,082 | 6,000 | 500 | 40,000 |
| Students | 57 | 27,500 | 25,000 | 1,800 | 107,160 |
| 2-factor campus users | 29 | 775 | 175 | 4 | 8,000 |
| Annual Cost ($) | 23 | 18,574 | 10,000 | 0 | 75,000 |
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).