May 27, 2009
What is Multifactor Authentication?
Multifactor authentication can best be described as a string of authentication methods
from two or more of the three categories of factors. Considered a form of strong authentication,
Multifactor authentication is used to create a higher form of assurance on protected
How is it different from Two Factor Authentication?
not. Two factor authentication is a form of Multifactor Authentication. The term Multifactor
Authentication was created as a means to describe strong authentication methods that
might not neccessarily fit the more narrow and traditional definition of Two Factor
Authentication. Where as Two Factor authentication is “something you know, and
something you have”, multfiactor authentication can just as easily be “something
you have, something you are” or “something you know, and something you are”
How is it different from “Strong Authentication”?
Strong authentication can simply be multiple
According to the FFIEC,
“By definition true multifactor authentication requires the use of solutions from
two or more of the three categories of factors. Using multiple solutions from the
same category … would not constitute multifactor authentication.”
The three categories of factors from which two or more are required to be true multifactor
- Human Factor: Something the user is (biometric characteristics, voice, fingerprint,
- Personal Factor: Something the user knows ( password, PIN);
- Techincal Factor: Something the user has (OTP Token, ATM card, smart card)
Types of Multifactor: Biometric and Pin
“Something you know, something you are”
Something you have – your finger, voice or your eye.
Something you are – Pin.
- When to use it: Datacenters doors.
- When not to use it: Anything consumer facing (Online banking,
- very cool
- secure as can be – just make sure you tell tech support if you lose an eye.
- low learning curve – scan, pin, repeat.
- Considered non-repudiatable – almost 100%. (There is always the chance for the old
but goody: “It wasnt me, it was my twin” excuse)=
- Expensive capital costs.
- Expensive maintenance costs. Tech support is incremently more difficult. Supporting
remote users becomes an interesting problem….
- Interoperability. For some reason alot of bio metric solutions are just now catching
up to the whole integration bandwagon. While integration support is ramping up, interopility
with things like LDAP should not be assumed.
Types of Multifactor: Smart Card and Pin
“Somethign you know, something you have”
Take a smart card reader and a pin and what do you have? Multifactor authentication
for less than 13 bucks (11.25 for the reader, 1.75 for the card).
Something you have – smart card, credit card, usb token
Something you know – Pin or password.
- When to use it: Consumer applications, building entry, credit
- When not to use it: Emergency exits.
- Cheap to start, cheap to scale.
- Most operating systems have native support for smart cards.
- Good for consumer facing applications.
- Can be reproduced. (Track data anyone.. the first skimming scam happened 24 seconds
after the first credit card was issued).
- Higher learning curve
Types of Multifactor: Profile Questions and Browser
Something you have, something you know
Think 20 questions. If the resource needs to be protected at a higher assurance level
than just a simple password, then a process by which multiple profile questions could
be asked. Once correctly answered, and out of band procedure is done to validate the
“browser” or “workstation”. A security validation cookie is set and from then on,
the browser acts as the second factor.
Something you have – out of band validated browser, workstation, email
Something you know – Pin or password.
When to use it: Consumer portals, online bankcing
When not to use it: VPNS
- Extremely cost effective. This is how you raise the assurance level of 200,000 users
across the country.
- Low learning curve. Answer some questions, and you are off. Change computers? Do it
- Is it really multifactor? I think the argument can be made the “browser” is something
you have but only if you have an out of band procedure to assign the browser to the
user (SMS, email, letter). Having said that, be prepared for a geek battle.
- Not really non-repudiate-able. The “what if my wife used my computer” scenario is
always cited as proof of its illegitimacy.