No doubt you will have heard of ‘2-factor authentication’. It’s often something your UK bank would say they’re introducing in order to beef up the security of online banking. What does 2-factor authentication mean? This article provides a brief introduction, but first of all we must start at the beginning with….
1-factor authentication utilises a single method to authenticate you – i.e. to prove to someone else (e.g your bank) that you are who you say you are.
Usually this takes the form of ‘something you know’, and that something is usually your password (which may or may not be coupled to a username – but increasingly is coupled to your email address so you only have one difficult thing to remember…).
1-factor authentication is the simplest form of authentication. It’s the least secure of all authentication types mentioned in this article because, for someone to impersonate you, they only need to compromise one piece of information. However, it’s the easiest to administer – for example, we’ve all forgotten passwords online and resetting them is relatively simple.
2-factor authentication uses two pieces of information to authenticate a person, and it’s usual for these two pieces to not both be ‘something you know’ (like having two passwords).
Banks increasingly use two-factor authentication for some critical online tasks which are prone to being attacked by fraudsters, such as setting up new recipients from your bank account. Many banks now require you to a) login using your password (using something you know) and b) will use an automated system to call your mobile phone, which you’ll use to enter some digits (taking advantage of something you have – your phone).
This system is more secure, as it’s possible that someone knows your password, and it’s possible that you lose your phone (or it’s stolen), but it’s very unlikely both will happen at the same time and a fraudster will be on the receiving end of both authentication methods.
Quite often applications use a key fob to generate a number which is used along with a password to authenticate a user – the key fob is used instead of the mobile phone as ‘something you have’. Banks used to commonly use key fobs – indeed I have a drawer full of obsolete ones at home – but these are being phased out as mobile phones become ubiquitous. If you’ve ever used Citrix with a key fob to gain access to a corporate network, you’ve been using two-factor authentication.
Whilst it’s more secure to use two-factor authentication, it is more hassle and time consuming compared to one-factor authentication. Each authentication session takes longer to setup than a simple login with a password, and someone has to manage the ‘something you have’ part.
3-factor authentication steps it up to another level. This method authenticates you usually using something you know, something you have and something you are.
‘Something you are’ is very often some kind of biometric, like a fingerprint, iris image or a voice print. All of the Mission Impossible films use ‘something you are’ authentication at various points in their stories… Next time you see one, keep an eye out for which authentication methods are being used and in what combination.
Although 3-factor authentication provides maximum security, it is costly to implement and maintain, and time-consuming for the user. It also has issues relating to privacy which need to be considered. Therefore, only applications which really require this high level of security normally implement 3-factor authentication.
Mixing it up
Systems which need to authenticate don’t have to use the something you know / something you have / something you are in the same combinations. For example, biometric passports implement 2-factor authentication but using something you have (your passport) and something you are (the biometric that’s listed on your passport) – ‘something you know’ isn’t required (you don’t have to enter a password at passport control).
Single- or Multi-factor authentication provide varying levels of identity security, but increased levels of security usually need to be traded off against cost of implementation, the time taken for each authentication to occur, and privacy issues.
Neil Tubman, Terzo Digital, April 2017