Before we talk about multi-factor authentication, let’s first talk about authentication. Authentication is the process of proving your identity, or, more simply put, proving you are who you say you are.  We use simple authentication every day.  Whenever we log in with just a username and password, we are authenticating.   

Multi-factor authentication takes the authentication process one step further by requiring the user to prove who they say they are in more than one way as part of the authentication process. There are three ways for a user to prove they are who they say they are when it comes to authentication: 

  1. Something you know -- Usually this will be a password or possibly a PIN
  2. Something you have -- A physical token, mobile phone, key-fob, smart-card, etc.
  3. Something about you -- A unique identifier such as a fingerprint or retinal scan 

Multi-factor authentication combines at least two of these three core components and is used any time you need to assure the positive identification of the user. 

Most adults in the U.S. have probably used multi-factor authentication, quite possibly without even realizing it.  For example, ATMs require a debit card (something you have) along with a Personal Identification Number (something you know). 

Multi-Factor 101 – Terminology

Now that we’ve given you a basic definition of multi-factor authentication and have provided a practical example of its use, let’s dive a bit more deeply into some of the terminology and jargon you will commonly see when discussing authentication. 

  • 2-factor – The use of any two factors available from the multifactor list is specifically called 2 Factor Authentication 
  • Strong Authentication – Simply another way of describing 2-factor and multi-factor authentication.
  • Token – A token is something that you have such as an ATM card, a key fob, a smartcard, a cell phone, piece of software, etc.
    • Synchronous tokens have a clock or event counter, and the authenticating system keeps in sync with the token by maintaining the same clock or event counter on its side.  A user generates a code by reading it off the token at the time of authentication or by pressing a button on the token to produce a code to use. 
    • Asynchronous tokens, or Challenge/Response tokens, do not require an internal clock or event counter. Instead the authenticating system issues a challenge, often a short string of numbers, letters, or both, that must be entered into the token in order to generate a response. Given any challenge, only one token could issue the expected response. 
    • Token Code is the value or number generated by most token types to be used during the authentication.  The token code is generated from a token seed (a unique attribute or number specific to the token) and an algorithm.   
    • One Time Password (OTP) is a type of token code that gets generated by a token.  There is nothing particularly special about an OTP over a Token Code other than that once it has been received and used by the authenticating system, it cannot be re-used.   OTPs are more secure than a regular token code, however the single-use property can cause issues if the user needs to perform multiple authentications within a short period of time.

Authenticating systems maintain an association of tokens with each individual user. The authenticating system, knowing the unique seed installed on the token, ensures the token code generated could have only come from that particular token.

Smartcard is another form of token. Similar to a bank card or ATM card, a smartcard contains a special computer chip which stores additional information beyond what is held on the magnetic stripe. Smartcards are used pervasively in Europe as credit cards and they are making their way into the U.S.   

Biometrics are devices such as fingerprint readers, retinal scanners, facial recognition solutions, voice recognition, and so on. 

Radio-frequency identification (RFID) is another token-type technology which allows the detection of a token. This works when in close proximity to the device which you are authenticating against. 

Out of band authentication is when authentication is being performed via a different channel to the one which you are accessing.  A common example of out of band authentication is a telephone or text-based verification system that sends a one-time access code to gain access to an application. Your phone essentially becomes the token in order to validate your identity. The point is that the authentication process could start on a computer network and require a code delivered over a mobile network to complete the process. 

Using a mobile phone as a token is made unique by the phone number that is linked to the individual user. The out of band function is the process of using two separate networks or lines of communication during the authentication process.  The main benefit here is to stop man in the middle attacks. 
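The out-of-band flow in the two paragraphs above, as an added Python example that is not part of the original article: the server issues a short-lived code for a pending login, delivers it over a second channel, and later verifies what the user types on the first channel. The `send` callback stands in for an SMS or voice gateway and is an assumption here, as are the `OutOfBandVerifier` class, the five-minute lifetime and the three-attempt limit. The verifier keeps only a hash of the code, ties it to the login session it was issued for, and treats the code as single use.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable

CODE_TTL_SECONDS = 300      # assumed lifetime of a delivered code
MAX_ATTEMPTS = 3            # assumed guess limit per issued code


class OutOfBandVerifier:
    """Hypothetical server-side component for phone/SMS-delivered one-time codes."""

    def __init__(self, send: Callable[[str, str], None], now: Callable[[], float] = time.time) -> None:
        self.send = send            # delivers a message on the second channel (SMS/voice gateway)
        self.now = now              # injectable clock so expiry can be exercised deterministically
        self.pending: dict[str, dict] = {}   # session_id -> record of an outstanding code

    @staticmethod
    def _digest(session_id: str, code: str) -> str:
        # Bind the code to the login session so a code issued for one session cannot finish another.
        return hashlib.sha256(f"{session_id}:{code}".encode()).hexdigest()

    def start(self, session_id: str, user: str, phone_number: str) -> None:
        """Generate a random 6-digit code and push it out over the phone network only."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[session_id] = {
            "user": user,
            "digest": self._digest(session_id, code),
            "expires": self.now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self.send(phone_number, f"Your verification code is {code}")
        # The computer-network side never sees the code; it only learns that one was sent.

    def verify(self, session_id: str, user: str, submitted: str) -> bool:
        """Check a code typed on the primary channel: right session, right user, unexpired,
        under the attempt limit, constant-time compare, consumed on success."""
        rec = self.pending.get(session_id)
        if rec is None or rec["user"] != user:
            return False
        if self.now() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            self.pending.pop(session_id, None)
            return False
        rec["attempts"] += 1
        if hmac.compare_digest(self._digest(session_id, submitted), rec["digest"]):
            self.pending.pop(session_id)      # single use
            return True
        if rec["attempts"] >= MAX_ATTEMPTS:
            self.pending.pop(session_id)      # too many wrong guesses: the code is void
        return False


if __name__ == "__main__":
    # Constructed stand-in for the second channel: messages are captured in a list.
    delivered: list[tuple[str, str]] = []
    verifier = OutOfBandVerifier(send=lambda dest, msg: delivered.append((dest, msg)))
    verifier.start("session-1", "alice", "+1-555-0100")   # constructed sample number
    code = delivered[-1][1].split()[-1]                   # what the user reads off the phone
    print("accepted:", verifier.verify("session-1", "alice", code))
    print("replayed:", verifier.verify("session-1", "alice", code))   # False
```

Keeping only a hash of the code means a read of the pending table does not reveal live codes, and binding the digest to the session id is the cheapest way to make sure a code can only complete the login it was issued for.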

The cost for implementing a multi-factor solution will vary greatly depending on the type being implemented. The least expensive element is the “something you know,” however, the “something you have,” “something about you,” and detecting/reading that “something about you” is what drives the cost up. 

The most widely used form of multi-factor authentication is still token-based multi-factor due to its low cost and increase in security. The reason tokens are so widely adopted is not only due to cost but also ease of use, reliability, and minimal impact on how long the authentication process takes. 

Why is multi-factor so important?  It goes a long way in stopping credential sharing and hacking. This will all be explained in part two on multi-factor authentication.