Two-Factor Authentication


Multi-factor authentication (MFA) is an authentication process in which a device user is granted access only after successfully presenting two or more pieces of evidence (factors) in authentication.

Two-factor authentication (2FA), also known as two-step (2-step) verification, is a type of multi-factor authentication.

Two-factor authentication is a method of confirming a user’s claimed identity by combining something they know (a password) with a second factor: something they “have” or something they “are”. Something they have might be a phone that receives a code, which the user then enters to log in on a desktop. Something they are means biometric information, such as a thumbprint, used to authenticate.

An excellent example of two-factor authentication is signing into your Apple account on a new device, such as a laptop. Setting up the new device requires something known and something owned. The correct login information associated with the Apple ID is something the user knows.

The second factor is proof of something the user owns. The login is completed only when that information is paired with the correct six-digit code, which is sent to an existing device already known to be in the user’s possession, such as a phone.

Authentication Factors

Underlying the use of multiple authentication factors is the recognition that unauthorized parties may be able to satisfy a single, simple access requirement such as a password. Scout Technology Guides have recommended the use of LastPass, a free tool, to quickly and securely safeguard your passwords.

In a multi-factor authentication attempt, if at least one of the components is missing or provided incorrectly, the user’s identity is not established at the confidence level required. In cases where the user is not confidently identified, access to the asset remains blocked.

Multi-factor verification schemes may include the following forms of authentication:

  • Possession Factors: Some physical object in possession of the user, such as a USB stick with a secret token, or a device.
  • Knowledge Factors: Some secret is known to the user, such as a password or PIN.
  • Inherent Factors: Biometrics encoding some physical characteristic of the user, such as a fingerprint, an iris pattern or a voice.

Knowledge Factors

Knowledge factors are the most commonly used form of authentication. In this form, the user is required to prove knowledge of a secret to authenticate.

A password is a secret word or string of characters used in user authentication. Many multi-factor authentication techniques rely on passwords as one factor of authentication.

Traditionally, passwords are expected to be memorized. However, as the number of password-protected accounts an individual holds grows, many people resort to writing passwords down or reusing the same password across multiple accounts. Both practices jeopardize security. Many “secret” questions, such as “What is your mother’s maiden name?”, are poor examples of a knowledge factor because the answers are easy to research.

Possession factors

Possession factors are something the user, and only the user, has. In their most basic form, possession factors have been used for centuries, most directly as a key to a lock. The basic principle is that the key embodies a secret shared between the lock and the key, and the same principle underlies possession-factor authentication in computer systems. A security token is an example of a possession factor.

Disconnected tokens have no connection to the computer. They typically use a built-in screen to display the generated authentication data, which the user types in manually. Connected tokens are devices that are physically connected to the computer and transmit the data automatically. A software token (a.k.a. soft token) is a two-factor authentication token implemented in software, typically as an app on a phone, rather than as dedicated hardware, and may likewise be used to authorize the use of computer services.
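The following is an added example, not code from the original post or from Scout, showing what a soft token or disconnected hardware token actually computes when it displays a six-digit code (HOTP/TOTP as in RFC 4226 and RFC 6238), and how a verifier applies the rule from the Authentication Factors section that a missing or wrong factor blocks access. The secret, salt and password are constructed demo values (the secret is the RFC test vector key).

```python
import hashlib
import hmac
import struct

# Constructed demo credentials: the shared secret is the RFC 4226/6238 test-vector key.
DEMO_SECRET = b"12345678901234567890"
DEMO_SALT = b"constructed-salt"


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor at rest: a salted PBKDF2 hash, never the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since
    the Unix epoch. This is the value a soft token or disconnected token shows on screen."""
    return hotp(secret, at // step, digits)


def verify_login(stored_hash: bytes, salt: bytes, password: str,
                 secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Grant access only if BOTH factors verify; a missing or wrong factor blocks access.
    Both factors are evaluated before the decision is made. Comparisons are constant-time.
    A production verifier must additionally reject a code that has already been accepted
    (replay), which is omitted here for brevity."""
    # Knowledge factor: compare the hash of the presented password with the stored hash.
    knows = hmac.compare_digest(hash_password(password, salt), stored_hash)
    # Possession factor: accept the current step plus/minus `window` steps for clock drift.
    expected = [totp(secret, now + d * 30).encode() for d in range(-window, window + 1)]
    has = any(hmac.compare_digest(e, code.encode()) for e in expected)
    return knows and has


if __name__ == "__main__":
    stored = hash_password("correct horse", DEMO_SALT)
    print("token shows:", totp(DEMO_SECRET, 59))            # 287082 (RFC test vector)
    print("both factors:", verify_login(stored, DEMO_SALT, "correct horse", DEMO_SECRET, "287082", 59))
    print("wrong code:  ", verify_login(stored, DEMO_SALT, "correct horse", DEMO_SECRET, "000000", 59))
```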

Inherent factors

Inherent factors are associated with the user and are usually biometric methods including fingerprint, face, voice, or iris recognition. Increasingly, behavioural biometrics such as keystroke dynamics can also be used, like typing speed and the pattern in keypress intervals.

Emerging Forms Of Multi-Factor Authentication

A fourth factor, the physical location of the user, is emerging in multi-factor authentication. Location factors take into account where the individual seeking authentication is. Location is verified by the connection to a specific computing network or by GPS signals. Location factors allow a user to move between locations, such as the office and home, and dynamically receive the same level of network access in each.

The Two Main Limitations of Two-Factor Authentication

Blind Approval

Some experts argue that the trend for two factors is leading to blind approval.

Matt, CEO and Founder of Scout, notes: “Two-factor authentication is as annoying as it is time-consuming. It requires finding the code and manually typing, unless you’ve set up the special authenticator apps on your mobile device if you have it within reach. Thank goodness some of the more sophisticated smart watches push the authentication request right to your wrist; this is the easiest! We are starting to see a risk where so many authentication requests are coming at us that a common mistake is for people to grant the authentication mistakenly.”

You Are Not Immune To Phishing Attacks

Scout recently published a blog post on Phishing Attacks, and even with multi-factor authentication, users can still be tricked. Sophisticated cybercriminals can construct phishing schemes and websites so advanced that they can work around two-factor authentication.

Matt notes, “Even with the emerging practice of multi-factor authentication, companies are increasingly turning to experts, like Scout, to help them navigate the world of technology and information security.”

Reach out to Matt today to learn more.