Tuesday 7 June 2011

Two-factor authentication

Two-factor authentication (TFA or 2FA) is an approach to authentication which requires the presentation of two different kinds of evidence that someone is who they say they are. It is part of the broader family of multi-factor authentication, a defence-in-depth approach to security. From a security perspective, the idea is to combine pieces of evidence whose attack vectors differ (e.g. logical versus physical), so that an attacker has to succeed against both; the attack becomes more complex and the risk correspondingly lower.

Qualified authentication factors
An authentication factor is a piece of information, and by extension the process that uses it, by which the identity of a person or other entity requesting access under security constraints is verified. Two-factor authentication (T-FA, 2FA) is a system in which two different factors are used together to authenticate. Using two factors rather than one generally delivers a higher level of authentication assurance. Two-factor authentication is typically a sign-on process in which a person proves his or her identity with two of the three methods: "something you know" (e.g., a password or PIN), "something you have" (e.g., a smartcard or token), or "something you are" (e.g., a fingerprint or iris scan).
Using more than one factor is sometimes called "strong authentication"; however, "strong authentication" and "multi-factor authentication" are fundamentally different things. Soliciting multiple answers to challenge questions may be considered strong authentication but, unless the process also checks "something you have" or "something you are", it is not multi-factor. The FFIEC issued supplemental guidance on this subject in August 2006, in which it clarified: "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category ... would not constitute multifactor authentication."

Improvement with two factor authentication
Two-factor authentication is not a new concept. It has been used throughout history, for example by having a known person utter a password: the first factor is the password, and the second is the presentation and demeanor of the requestor, judged reasonable given the circumstances of his arrival. When a bank customer visits an ATM, one factor is the physical ATM card the customer inserts into the machine; the second is the PIN they enter. Without both, authentication cannot take place. This scenario illustrates the basic parts of most two-factor authentication systems: "something you have" plus "something you know".

Regulatory Definition
In the USA, Homeland Security Presidential Directive 12 (HSPD-12) mandates a common identification standard for federal employees and contractors, from which the authentication requirements for federal systems are derived.
Existing authentication methodologies involve the three basic factor types described above. Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods.
According to proponents, TFA could drastically reduce the incidence of online identity theft and other online fraud, because the victim's password would no longer be enough to give a thief lasting access to their accounts. However, many TFA approaches remain vulnerable to malware on the client (a trojan controlling the browser or the website the user sees) and to man-in-the-middle attacks, in which the attacker relays the one-time value to the real site while it is still valid.

Types of Authentication that can be used as a second factor

Tokens
One form of 'something you have' is the smart card or USB token. The differences between the two are diminishing: both contain a microcontroller, an operating system, a security application, and a protected storage area for keys.

Wireless Tokens
A newer class of tokens has been developed to ease authentication: the user keys in no character sequence, and the token pairs with the client automatically over a short-range wireless link. Provided the bearer performs the pairing well away from other similar devices, the paired state can be maintained for the whole day, and in particular through working hours, without repeating the pairing. A lost laptop or a phone left behind can then be flagged by an automatic alarm when the token moves out of arm's reach. The wireless channel carrying the authentication factors, however, introduces threats of its own (for example interception or relay of the over-the-air exchange), which must be evaluated, e.g. under the Common Criteria.

Masking
A variation on "something you know" that resists keystroke logging and shoulder surfing is the use of a mask to extract a one-time password or code from a string presented for the session. This method was patented by Swivel Secure Limited in 2000; one implementation is PINsafe. Because the user never types the secret itself, only the code derived from it, masking can be combined with "something else you know" or with a token, reducing the risk of device theft or borrowing that comes with token devices and SMS-delivered passwords or codes.
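The following is an added illustration of the mask idea in its simplest form; it is not Swivel's code and not a description of PINsafe's internals. The server shows a fresh random 10-digit security string for the login attempt, each digit of the user's PIN names a position in that string, and the digits at those positions are the one-time code. The function names, the PIN and the security strings are constructed for the example. `candidate_pins` shows the caveat a practitioner should check: an observer who captures both the string and the code learns more when the string has no repeated digits.

```python
import hmac
import itertools
import secrets

DIGITS = "0123456789"


def new_security_string(length: int = 10) -> str:
    """Server side: a fresh random string per login attempt, shown to the user
    (e.g. as an image) and never typed by them."""
    return "".join(secrets.choice(DIGITS) for _ in range(length))


def one_time_code(security_string: str, pin: str) -> str:
    """User side: each PIN digit names a position (0-9) in the security string;
    the digits found at those positions, in PIN order, form the one-time code."""
    return "".join(security_string[int(p)] for p in pin)


def verify(security_string: str, pin: str, code: str) -> bool:
    """Server side: recompute the expected code from the stored PIN and the string it
    issued for this session; the string must then be discarded so the code is single-use."""
    return hmac.compare_digest(one_time_code(security_string, pin), code)


def candidate_pins(security_string: str, code: str) -> list:
    """What an observer who captured both the security string and the code learns:
    every PIN consistent with the pair. Repeated digits in the string keep this
    ambiguous; a string of ten distinct digits pins it down to exactly one PIN."""
    positions = [[str(i) for i, d in enumerate(security_string) if d == c] for c in code]
    return ["".join(p) for p in itertools.product(*positions)]


if __name__ == "__main__":
    pin = "1863"                     # constructed example PIN
    s = "7315283916"                 # constructed security string with repeated digits
    code = one_time_code(s, pin)     # "3135": the only thing a keylogger sees
    print(code, verify(s, pin, code), len(candidate_pins(s, code)))
    fresh = new_security_string()    # a different string gives a different code
    print(fresh, one_time_code(fresh, pin))
```

A keylogger that records "3135" has not learned the PIN, and the code is useless once the server discards the string. Only if the attacker also sees the displayed string does the PIN leak, and then only partially when the string repeats digits; the string generator should therefore be checked for digit repetition, and the string and code should travel over different channels.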

Biometrics
Biometric authentication, combined with another factor, also satisfies the regulatory definition of true multi-factor authentication: users may authenticate biometrically via their fingerprint, voiceprint, or iris scan using the provided hardware and then enter a PIN or password in order to open the credential vault. However, while this type of authentication suits limited applications, it may become unacceptably slow and comparatively expensive when a large number of users is involved. It is also vulnerable to replay: once the biometric data, or the template derived from it, has been captured, it can be presented again unless the reader and its channel to the verifier are secured and the reader checks that a live subject is present. Finally, there is considerable user resistance to biometric authentication. Users resist having their personal physical characteristics captured and recorded for authentication purposes.
For many biometric identifiers, the raw biometric is reduced to a template: the device scans the physical characteristic, extracts the salient features, and stores the result as a string of data. Comparison is therefore made between two such strings, and if they are sufficiently similar a pass is recorded. The choice of how much data to match, and to what degree of accuracy, governs the accuracy/speed trade-off of the device. All biometric devices therefore provide probabilities rather than unambiguous guarantees of identity, and all can produce false accepts and false rejects; the matching threshold trades one error rate against the other. If a biometric system is applied to a large number of users, perhaps all of the customers of a bank, the error rate may make the system impractical to use.
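As an added example, not taken from the page or from any real biometric product, here is the threshold comparison the paragraph describes, run on constructed data: templates are 64-bit strings, the genuine user's samples are the enrolled template with random bit flips standing in for sensor variation, impostors are independent random templates, and the match is a Hamming distance at or below a threshold. Sweeping the threshold shows the false accept rate rising as the false reject rate falls; the noise level, template size and seed are assumptions chosen to make the trade-off visible.

```python
import random


def hamming_fraction(a: int, b: int, bits: int) -> float:
    """Fraction of differing bits between two templates stored as `bits`-bit integers."""
    return bin(a ^ b).count("1") / bits


def matches(distance: float, threshold: float) -> bool:
    """A pass is a distance at or below the threshold: 'sufficient commonality'."""
    return distance <= threshold


def simulate(seed: int = 7, bits: int = 64, trials: int = 500, noise: float = 0.25):
    """Constructed data, not measurements from a real sensor.
    Genuine samples: the enrolled template with each bit flipped with probability
    `noise`, standing in for sensor and presentation variation.
    Impostor samples: independent random templates (expected distance 0.5)."""
    rng = random.Random(seed)
    enrolled = rng.getrandbits(bits)
    genuine, impostor = [], []
    for _ in range(trials):
        flips = 0
        for i in range(bits):
            if rng.random() < noise:
                flips |= 1 << i
        genuine.append(hamming_fraction(enrolled, enrolled ^ flips, bits))
        impostor.append(hamming_fraction(enrolled, rng.getrandbits(bits), bits))
    return genuine, impostor


def error_rates(genuine, impostor, threshold: float):
    """(FAR, FRR): fraction of impostors accepted, fraction of genuine samples rejected."""
    far = sum(matches(d, threshold) for d in impostor) / len(impostor)
    frr = sum(not matches(d, threshold) for d in genuine) / len(genuine)
    return far, frr


def tradeoff_table(thresholds=(0.1, 0.2, 0.3, 0.4, 0.5)):
    """Error rates for each candidate threshold, all from one simulated population."""
    genuine, impostor = simulate()
    return {t: error_rates(genuine, impostor, t) for t in thresholds}


if __name__ == "__main__":
    for t, (far, frr) in tradeoff_table().items():
        print(f"threshold {t:.1f}: FAR {far:.3f}  FRR {frr:.3f}")
```

A tight threshold (0.3) rejects a noticeable share of genuine users while admitting almost no impostors; a loose one (0.4) does the reverse. Multiplied over a bank's customer base, either residual rate becomes a support load or a fraud exposure, which is the practical point of the paragraph above.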

Background
Two-factor authentication is commonly found in computer authentication, where basic authentication is the process of a requesting entity presenting some evidence of its identity to a second entity. Two-factor authentication seeks to decrease the probability that the requestor is presenting false evidence of its identity. The number of factors matters because each independent factor raises the probability that the bearer of the evidence really holds that identity in the other realm (i.e. the computer system versus real life). In reality there are more variables to consider when establishing the relative assurance of an identity assertion than simply how many "factors" are used.
Two-factor authentication is often confused with other forms of authentication. Two-factor authentication implies the use of two independent means of evidence to assert an identity, rather than two iterations of the same means. "Something one has", "something one knows", and "something one is" are useful simple summaries of three independent factors. In detail these factors are:
what the requestor individually knows as a secret, such as a password or a Personal Identification Number (PIN)
what the requesting owner uniquely has, such as a passport, physical token, or an ID-card
what the requesting bearer individually is, such as biometric data, like a fingerprint or the face geometry.
It is generally accepted that any independent two of these authentication methods (e.g. password + value from a physical token) constitute two-factor authentication. The verifying party may use these facts (among other criteria) as grounds on which to grant or deny the requestor's access to a sensitive data set or physical area. The requestor may be a person or a computer system agent acting on behalf of a person.
Another independent means that is becoming more practiced in computer systems is "how one behaves", although it is more often used as a decision point for transactions or to de-authenticate an entity than to establish initial truth in identity.

1 comment:

  1. Informative article. This article is a true learning guide that will help everyone to understand this complex process in an easy way. All the points are explained in a simple and easy way. Thank you for writing and sharing.
    esign