Security is never absolute. Technology evolves on both sides, improving not only security systems but also attacker skills. Authentication – the process of confirming an identity – has been around for ages, but it now requires multiple layers to assure system security. When it comes to authentication, what is the difference between the numbers of factors, and how many are reasonable?
One-factor authentication (1FA) is about what you know: most commonly a password or a PIN code. The method, also known as single-factor verification (SFA), is the traditional, basic way of securing access to a given system or account and, as the name reveals, requires only one factor.
Two-factor authentication (2FA) is about what you know plus what you have: a token. The second factor is usually some kind of physical possession, for instance the ATM card you swipe before entering your four-digit code. However, it can also be biometric, if fingerprints or voice are regarded as something you possess.
Three-factor authentication (3FA) is about what you know plus what you have plus what you are: a physically unique body. Biometrics are more commonly given as the third factor, comprising the two subcategories of physiological (e.g. iris recognition) and behavioural (e.g. voice) biometrics.
Four-factor authentication (4FA) is about what you know plus what you have plus what you are plus what? The method is disputed, and not as orthodox as the former three. The fourth factor is most commonly referred to as location (where you are), but it could also be a matter of time, or in some people's opinion even a performance, an exhibition, or even other people.
For example, the fourth factor could be GPS based, work schedules and certain waiting times, or allegedly the performance of writing a signature, personality traits or chains of trust (though it can be argued that these are credentials belonging to the levels presented above, and therefore do not count as an independent fourth factor). Since there are several categories to “choose from”, we are looking at a potential future of five-factor authentication (5FA).
So what is multi-factor authentication (MFA)? An inter- or intra-category combination of factors?
It is common to think of MFA as a combination of two or more factors from different authentication levels. However, such a combination is (as I have just pinned down) exactly what is required for levelling up to the next level, which would make MFA nothing more than an umbrella term for the 2-, 3-, and 4FA categories. “PCI Guru” instead separates the terms by their definitions:
“Nowhere do they mention using two passwords or passphrases, two fingerprints or two retina scans. Such use of two of the same factors is considered multi-factor authentication.”
This is further explained in PCI DSS requirement 8.3, which states that two-factor authentication or higher does not include using one factor twice. Whether or not MFA means multiple factors within the same authentication category, what is agreed on is the very specific requirement of independent categories of credentials.
Sometimes a few strong factors can be more secure than several weak ones, but in general, more layers of course mean higher security. Are more layers always the most reasonable choice?
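To make the distinction above concrete, here is an added example (not from the original article or from PCI Guru) of a policy check that counts only independent factor categories, so that two passwords or two fingerprints collapse to a single factor; the credential taxonomy in `CATEGORY` is an assumption for illustration.

```python
from collections import Counter
from enum import Enum

class Factor(Enum):
    KNOWLEDGE = "what you know"
    POSSESSION = "what you have"
    INHERENCE = "what you are"
    CONTEXT = "where or when you are"  # the disputed fourth factor

# Assumed taxonomy: which category each credential type belongs to.
CATEGORY = {
    "password": Factor.KNOWLEDGE, "pin": Factor.KNOWLEDGE,
    "passphrase": Factor.KNOWLEDGE,
    "atm_card": Factor.POSSESSION, "hardware_token": Factor.POSSESSION,
    "smartphone_otp": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE, "iris": Factor.INHERENCE,
    "voice": Factor.INHERENCE,
    "gps_location": Factor.CONTEXT, "time_window": Factor.CONTEXT,
}

def evaluate(credentials):
    """Return (factor_count, repeated) for the presented credentials.

    factor_count is the number of *distinct* categories, so a second
    credential from the same category adds nothing (a second password is
    not a second factor). repeated lists categories presented more than once.
    """
    unknown = [c for c in credentials if c not in CATEGORY]
    if unknown:
        raise ValueError(f"unknown credential type(s): {unknown}")
    counts = Counter(CATEGORY[c] for c in credentials)
    repeated = sorted(f.value for f, n in counts.items() if n > 1)
    return len(counts), repeated

def is_multi_factor(credentials):
    """True only when at least two independent categories are present."""
    return evaluate(credentials)[0] >= 2

def level(credentials):
    """Label the authentication level as '1FA', '2FA', '3FA' or '4FA'."""
    return f"{evaluate(credentials)[0]}FA"

if __name__ == "__main__":
    for creds in (["password", "pin"], ["pin", "atm_card"],
                  ["password", "smartphone_otp", "fingerprint", "iris"]):
        n, rep = evaluate(creds)
        print(creds, "->", f"{n}FA", "repeated:", rep or "none")
```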
Two-factor authentication is becoming standard, with big players like Google and Microsoft paving the way. The downside of adding a second factor to your security system is, however, the hassle: besides having to remember a password or similar, users are forced to carry a token. Or is this a myth?
As I have argued before, tokens are going mobile, and as smartphones are something we all carry around anyway, two-factor authentication becomes tokenless. Plus, even though a (physical) second factor is a slight annoyance, it is sometimes ridiculously obvious why you need it. Just imagine the vulnerability if accessing a bank account only required one factor (i.e. only swiping a card, or only entering a PIN).
As breaches are increasing, more organisations are adding a third layer of authentication to their online services. Every connected industry is a targeted one, and for some more than others, the struggle of adding a third layer won’t be nearly as bad as getting user accounts hijacked.
Besides increased security, there are many other possible upsides of adding a third, biometric factor: biometrics are unique and impossible to duplicate, completely tokenless and persistent through time. Mobile payments were considered the hottest space for identity management last year, and there are some incredible innovations to discover. However, the downsides seem greater, including the risks of false rejection, false acceptance, physical damage and system hacks.
But it is really only a matter of time: the market has not yet matured, using biometrics is expensive and there are still technological hurdles to overcome. For instance, both Apple and Samsung are having security troubles with their fingerprint features, and the error rate on biometric devices is around 1%, which (despite the small number) can still add up to a problematic number of misidentified people.
Even though there are some promising solutions out there bringing us closer to a post-password era, further investigation into the future of authentication is not the aim of this article. Therefore I will leave four-factor authentication with the following statement: when evaluating levels of authentication today, the same principle applies across all of them, and that principle is that security compromises convenience, and vice versa.
We are way beyond one-factor authentication and relying on our user base to make up their own safe passwords, but there is not really a best practice that covers every company, organisation, government and industry in the world as they get connected. Instead, every entity needs to figure out its own protection needs. The more power given to mobile devices, the more responsibility they get, and that calls for a dynamic approach to securing them.
As I stated in the beginning, security is never absolute. How many factors are reasonable depends on the scale of your business and the value of your data. But as a great guide, remember this:
It’s never a problem until it’s a problem.