by Chris Bonatti, IECA of Casper, WY
Part 2: What is Multi-Factor Authentication?
Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) are terms that are often used interchangeably, and both are often taken for granted as providing strong authentication. As with many technologies, the devil is in the details, and you have to make smart choices to ensure that you get the strength you’re looking for and don’t inadvertently introduce new vulnerabilities. MFA is the technique of combining several independent authentication “factors”, each of which proves the user’s identity by a different means. We recognize five fundamental factors, listed here with some examples of each:
- Something You Know (knowledge): Information only known to the user, such as a password, passphrase, PIN, etc.
- Something You Have (possession): Some physical object in the possession of the user that is not easily duplicated, such as a security token, a bank card, a key, etc.
- Something You Are (inherence): Physical characteristic of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc.
- Something You Do (behavior): Observable actions such as gestures and touches that indicate your reactions to subtle stimuli.
- Somewhere You Are (location): An indication of your location such as your network address, or a GPS signal to more precisely identify the location.
Each independent factor included in an MFA authentication makes that authentication stronger. No one combination of factors is necessarily better than another, and the optimum solution is usually one that is tailored to a specific environment. 2FA is essentially a subset of MFA involving exactly two factors. The combination of two or more of the same factor (e.g., two passwords, or a password and a security question) isn’t really 2FA or MFA. Combining more of the same factor in this manner is referred to as multi-single-factor authentication. While this is slightly stronger than having only a single instance of that factor, it is far weaker than multiple different factors.
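The distinction above between 2FA/MFA and multi-single-factor authentication can be checked mechanically by counting distinct factor categories rather than the number of authenticators. The following is an added example, not part of the original article; the authenticator names and sample flows are constructed, mapped to factors according to the examples in the list above.

```python
from enum import Enum

class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"
    BEHAVIOR = "something you do"
    LOCATION = "somewhere you are"

# Constructed authenticator names, assigned per the article's examples.
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOWLEDGE, "passphrase": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE, "security question": Factor.KNOWLEDGE,
    "security token": Factor.POSSESSION, "bank card": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE, "iris": Factor.INHERENCE,
    "voice": Factor.INHERENCE, "typing speed": Factor.INHERENCE,
    "gesture": Factor.BEHAVIOR,
    "network address": Factor.LOCATION, "gps": Factor.LOCATION,
}

def classify(authenticators):
    """Return (label, distinct_factors) for the authenticators one login requires."""
    factors = set()
    for name in authenticators:
        key = name.strip().lower()
        if key not in AUTHENTICATOR_FACTOR:
            # Fail closed: an unclassified authenticator must not count as a factor.
            raise ValueError(f"unclassified authenticator: {name!r}")
        factors.add(AUTHENTICATOR_FACTOR[key])
    if not authenticators:
        label = "none"
    elif len(factors) == 1:
        # Several authenticators of one kind add no second factor.
        label = "single-factor" if len(authenticators) == 1 else "multi-single-factor"
    elif len(factors) == 2:
        label = "2FA"  # the exactly-two-factor subset of MFA
    else:
        label = "MFA"
    return label, factors

# Constructed sample login flows.
SAMPLE_FLOWS = [
    ["password"],
    ["password", "security question"],
    ["password", "security token"],
    ["PIN", "bank card", "fingerprint"],
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        label, factors = classify(flow)
        print(f"{flow} -> {label} ({sorted(f.name for f in factors)})")
```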