What does Two Factor Authentication mean exactly?

In the past, and in many cases still today, IT organizations have relied on a single set of credentials, normally a username and a self-chosen password, to grant access to their systems. However, considering:

  • The exponential growth in the volume of confidential data
  • The greater exposure of that data and the many more ways of reaching it
  • The arrival of new technologies and devices
many organizations have concluded that a single set of credentials is no longer enough and are moving to multi-factor authentication to control who gets into their systems and resources.

The Multi Factors

An authentication factor is a category of evidence used to verify a user's identity. Different categories rely on different mechanisms to establish that the person at the keyboard is who they claim to be, and there are more of them than the three usually quoted.

There are five authentication factor categories:
  • Knowledge Factors: This factor verifies identity through a piece of information that only the user should know, for example a password or a PIN. A username or email address is sometimes listed here as well, but in practice it is not secret: it identifies the account rather than proving anything. Either way, username plus password is not multi-factor authentication. Even though you are providing two pieces of information, both belong to the same category, so it is still single-factor authentication.
  • Possession Factors: This one requires the user to hold a specific device or object. The server receives a value that only the enrolled device could have produced or received, and concludes that whoever holds that device is present. Examples are the Secure Key token a bank hands out, an authenticator app that generates time-based one-time codes, or a one-time code sent by SMS to your phone: you need the token or the phone to generate or receive the code. A caveat a practitioner should keep in mind: SMS codes can be redirected by a SIM swap, and any code the user types can be phished and relayed by an attacker in real time, so a hardware key that checks the site it is talking to is a far stronger possession factor than a code sent by text message.
  • Inherence Factors: This factor is based on characteristics that are unique to the user, such as fingerprints, voice, iris or retina pattern, or face. Biometrics are convenient and cannot be forgotten or lent out, but "very difficult to hack" overstates it. A biometric is not a secret: fingerprints are left on surfaces, faces are photographed, and scanners have been fooled by copies. It also cannot be changed if a copy leaks. For both reasons a well-designed system keeps the biometric template on the user's device and uses a local match to unlock a key, rather than sending the biometric to a server as if it were a password. The practical caveat remains: a system that requires a fingerprint or facial recognition is only usable from devices that have the corresponding sensor or camera.
  • Location Factors: Another way to check that users are who they claim to be is their location, obtained by geolocating the source IP address or from the device itself. When a user tries to log in, the system first establishes where the request comes from and grants or denies access accordingly. For example, some governments do not allow highly confidential national-security documents to be accessed from outside the country, or even outside the state or province; a request from an IP address that geolocates overseas is denied. Location also supports a finer check: if the same account logs in from two places too far apart to travel between in the time elapsed (so-called impossible travel), at least one of the two sessions is not who it claims to be. Note that IP geolocation is trivially changed with a VPN or proxy, so most systems treat location as a risk signal that decides whether to demand another factor, rather than as proof on its own.
  • Behaviour Factors: This one sounds complex, but everyone has met it. It is based on how the user acts on the device: typing rhythm, the way a touchscreen is swiped, how the phone is held. The drawing pattern that many phones let you set to unlock the device is the familiar example, although strictly the shape of the pattern is a secret (a knowledge factor); the behavioural part is the speed and pressure with which it is drawn.
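The two location checks described above, a country allow-list and an impossible-travel comparison between successive logins, can be shown in a few lines. This is an added example and not code from the original post; the login records are constructed, and the country code and coordinates are assumed to have already been looked up from the source IP address by a geolocation service.

```python
"""Location as an authentication signal: a country allow-list (geofence) and an
"impossible travel" check over successive logins of the same account.
Added example, not the original post's code; all login records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # roughly airliner speed; faster than this is not one person


@dataclass(frozen=True)
class Login:
    user: str
    at: datetime    # when the login happened (UTC)
    country: str    # ISO country code the source IP geolocates to (assumed given)
    lat: float      # coordinates from the same geolocation lookup
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def geofence_violations(logins, allowed_countries):
    """Logins whose source country is outside the allow-list; these are denied outright."""
    return [login for login in logins if login.country not in allowed_countries]


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare each user's consecutive logins and return (user, earlier, later, km, km/h)
    for every pair whose implied speed no traveller could achieve."""
    by_user = {}
    for login in sorted(logins, key=lambda l: l.at):
        by_user.setdefault(login.user, []).append(login)
    alerts = []
    for user, events in by_user.items():
        for earlier, later in zip(events, events[1:]):
            km = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
            hours = (later.at - earlier.at).total_seconds() / 3600.0
            if hours <= 0:
                speed = float("inf") if km > 0 else 0.0  # same instant, two places
            else:
                speed = km / hours
            if speed > max_kmh:
                alerts.append((user, earlier, later, round(km), round(speed)))
    return alerts


def _utc(hour, minute):
    return datetime(2024, 3, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample: alice appears in Madrid and New York 30 minutes apart,
# bob in Madrid and Barcelona three hours apart, carol from outside the region.
SAMPLE_LOGINS = [
    Login("alice", _utc(9, 0), "ES", 40.4168, -3.7038),     # Madrid
    Login("alice", _utc(9, 30), "US", 40.7128, -74.0060),   # New York
    Login("bob", _utc(9, 0), "ES", 40.4168, -3.7038),       # Madrid
    Login("bob", _utc(12, 0), "ES", 41.3874, 2.1686),       # Barcelona
    Login("carol", _utc(10, 0), "BR", -23.5505, -46.6333),  # Sao Paulo
]
ALLOWED_COUNTRIES = {"ES", "PT"}  # hypothetical policy: Iberian peninsula only

if __name__ == "__main__":
    for login in geofence_violations(SAMPLE_LOGINS, ALLOWED_COUNTRIES):
        print(f"DENY  {login.user}: login from {login.country} is outside the allowed region")
    for user, a, b, km, kmh in impossible_travel(SAMPLE_LOGINS):
        print(f"ALERT {user}: {km} km between logins {b.at - a.at} apart => {kmh} km/h")
```

Bob's Madrid-to-Barcelona pair works out to roughly 170 km/h and passes; alice's Madrid-to-New-York pair implies over 11,000 km/h and is flagged. The threshold is deliberately generous because the underlying IP geolocation is coarse, which is also why the alert should trigger a step-up to another factor rather than block on its own.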
Often these five categories are consolidated into three, with location and behaviour treated as context that raises or lowers the risk of a login rather than as factors in their own right:
  • Knowledge factor → something you know
  • Possession factor → something you have
  • Inherence factor → something you are

So when we say that a system uses two-factor or multi-factor authentication, it means the user must present evidence from at least two different categories.

Lastly, don't confuse two-factor authentication with what is sometimes called dual authentication, which asks for two credentials of the same category. Requiring two passwords, or a password plus a security question, is still single-factor authentication: both are things you know, and an attacker who has phished one can usually phish the other. Two-factor authentication requires two factors of different categories.
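To make the distinction concrete, here is a login that combines a knowledge factor (a salted password hash) with a possession factor (a time-based one-time code of the kind an authenticator app produces, per RFC 4226 and RFC 6238), alongside a check that the presented credentials really span two categories. This is an added example, not code from the original post; the user record is constructed and the factor-to-category table is an assumption for illustration.

```python
"""Two-factor login: a password (knowledge) plus a TOTP code (possession).
Added example, not the original post's code. The enrolled user and the
factor-category table below are constructed for illustration."""
import base64
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 200_000


# --- knowledge factor: the server stores a salted hash, never the password -----
def hash_password(password, salt=None):
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, stored_hash):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored_hash)  # constant-time comparison


# --- possession factor: HOTP (RFC 4226) and TOTP (RFC 6238) ----------------------
def hotp(secret, counter, digits=6):
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, step=30, digits=6, skew=1):
    """Accept the current time step and `skew` steps either side to absorb clock
    drift. Every candidate is checked so the loop does not leak which one matched."""
    counter = int(unix_time) // step
    matched = False
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            matched = True
    return matched


# --- putting the factors together -------------------------------------------------
# Assumed mapping from credential type to factor category.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge", "security_question": "knowledge",
    "totp": "possession", "sms_code": "possession", "fingerprint": "inherence",
}


def is_multi_factor(presented):
    """True only when the presented credentials span two or more categories."""
    return len({FACTOR_CATEGORY[p] for p in presented}) >= 2


def enroll(username, password):
    salt, pw_hash = hash_password(password)
    totp_secret = secrets.token_bytes(20)
    return {
        "username": username, "salt": salt, "pw_hash": pw_hash,
        "totp_secret": totp_secret,
        # what the QR code carries / what the user types into the authenticator app
        "totp_base32": base64.b32encode(totp_secret).decode(),
    }


def authenticate(record, password, code, unix_time):
    """Return (success, categories verified). Both factors are always evaluated,
    so a wrong password and a wrong code take the same code path."""
    verified = set()
    if verify_password(password, record["salt"], record["pw_hash"]):
        verified.add("knowledge")
    if verify_totp(record["totp_secret"], code, unix_time):
        verified.add("possession")
    return len(verified) >= 2, frozenset(verified)


if __name__ == "__main__":
    import time
    rec = enroll("alice", "correct horse battery staple")
    now = int(time.time())
    print("authenticator secret:", rec["totp_base32"])
    print(authenticate(rec, "correct horse battery staple", totp(rec["totp_secret"], now), now))
    print(authenticate(rec, "correct horse battery staple", "000000", now))
    print("password + PIN counts as multi-factor?", is_multi_factor(["password", "pin"]))
```

The RFC 6238 test secret `12345678901234567890` gives the code `287082` at Unix time 59, which is a quick way to check an implementation against the published vectors. Note what the possession factor does and does not prove: the server learns that whoever typed the code has access to the enrolled secret at this moment, not that the code was not relayed from a phishing page.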

Now, the next time you access a system that requires multi-factor authentication, ask yourself which factors it is asking you for: something you know, something you have, or something you are?

