Saturday, March 14, 2015

Multi-factor Authentication

Authentication is the process of proving your identity, or, more simply put, proving you are who you say you are. 

There are three kinds of factor a user can present to prove they are who they say they are: 
  1. Something you know -- usually a password, or possibly a PIN
  2. Something you have -- a physical token, mobile phone, key fob, smart card, etc.
  3. Something you are -- a biometric such as a fingerprint or retinal scan 

Some Jargon Surrounding MFA
  • 2-factor – Using any two of the three factors above is specifically called two-factor authentication. 
  • Strong Authentication – Simply another way of describing two-factor and multi-factor authentication, i.e. authentication that relies on more than one factor.
  • Token – A token is something that you have, such as an ATM card, a key fob, a smart card, a mobile phone, a piece of software, etc.
    • Synchronous tokens contain a clock or an event counter, and the authenticating system keeps in step with the token by holding the same clock or counter on its side.  The user obtains a code either by reading it off the token at the time of authentication or by pressing a button on the token to generate one. 
    • Asynchronous tokens, or challenge/response tokens, need no internal clock or event counter. Instead the authenticating system issues a challenge, usually a short string of digits, letters or both, which the user enters into the token to produce a response. For a given challenge only one token can produce the expected response, because the response depends on that token's secret seed. 
    • Token Code is the value generated by most token types for use during authentication.  The token code is derived from the token seed (a unique secret installed in that particular token), an algorithm, and a moving input that depends on the token type: the current time, an event counter, or the challenge.   
    • One Time Password (OTP) is a token code that the authenticating system will accept only once: once it has been received and used it cannot be replayed.  There is nothing else special about an OTP compared with a plain token code, but that single-use rule makes OTPs the more secure of the two. It can, however, cause problems when a user needs to authenticate several times within a short period, since a fresh code must be generated for each attempt.

Authenticating systems maintain an association between each individual user and their token. Because the authenticating system knows the unique seed installed in the token, it can recompute the expected code and so verify that a presented token code could only have come from that particular token.
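
As an added example, not code from the original post, the following Python shows how the pieces above fit together: an event-based synchronous token (HOTP, RFC 4226), a time-based synchronous token (TOTP, RFC 6238) and a simple challenge/response token, plus the authenticating system that holds a copy of each user's seed, tolerates a small drift in counter or clock, and refuses any code or challenge that has already been used (the one-time property). The seed is the public RFC test key; the challenge format, digit lengths, window sizes and the `Authenticator` class are my own choices and are not prescribed by any standard.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo seed: the RFC 4226 / RFC 6238 test key "12345678901234567890".
# A real token carries its own unique seed, provisioned at enrolment; the
# authenticating system keeps a copy of it for each user.
DEMO_SEED = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 4 bytes at an offset chosen by the MAC's
    low nibble, clear the sign bit and keep the last `digits` decimal digits."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Event-based synchronous token: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Time-based synchronous token: HOTP whose counter is derived from the clock."""
    return hotp(seed, now // step, digits)


def challenge_response(seed: bytes, challenge: str, digits: int = 6) -> str:
    """Asynchronous token: the response is keyed by the seed and bound to the challenge,
    so only the token holding this seed can answer this challenge (hypothetical scheme)."""
    mac = hmac.new(seed, challenge.encode(), hashlib.sha256).digest()
    return _truncate(mac, digits)


class Authenticator:
    """Server side: stores each user's seed plus the state needed to reject reuse."""

    def __init__(self, step: int = 30, look_ahead: int = 5, skew: int = 1):
        self.step, self.look_ahead, self.skew = step, look_ahead, skew
        self._users = {}

    def enrol(self, user: str, seed: bytes) -> None:
        self._users[user] = {"seed": seed, "next_counter": 0,
                             "last_step": -1, "challenges": set()}

    def verify_hotp(self, user: str, code: str) -> bool:
        rec = self._users[user]
        # Resync window: the user may have pressed the button a few times without
        # logging in, so try the next `look_ahead` counters. Anything at or below
        # the stored counter is never tried, so a captured code cannot be replayed.
        for counter in range(rec["next_counter"], rec["next_counter"] + self.look_ahead + 1):
            if hmac.compare_digest(hotp(rec["seed"], counter), code):
                rec["next_counter"] = counter + 1
                return True
        return False

    def verify_totp(self, user: str, code: str, now: int) -> bool:
        rec = self._users[user]
        current = now // self.step
        # Allow +/- `skew` time steps of clock drift, but never accept a step that
        # has already produced an accepted code: that is what makes it one-time.
        for step_no in range(current - self.skew, current + self.skew + 1):
            if step_no <= rec["last_step"]:
                continue
            if hmac.compare_digest(hotp(rec["seed"], step_no), code):
                rec["last_step"] = step_no
                return True
        return False

    def issue_challenge(self, user: str) -> str:
        challenge = secrets.token_hex(4)  # 8 hex characters the user keys into the token
        self._users[user]["challenges"].add(challenge)
        return challenge

    def verify_response(self, user: str, challenge: str, response: str) -> bool:
        rec = self._users[user]
        if challenge not in rec["challenges"]:
            return False  # unknown or already-answered challenge
        rec["challenges"].discard(challenge)  # each challenge is answered at most once
        return hmac.compare_digest(challenge_response(rec["seed"], challenge), response)


if __name__ == "__main__":
    auth = Authenticator()
    auth.enrol("alice", DEMO_SEED)
    code = hotp(DEMO_SEED, 0)               # RFC 4226 test vector for counter 0
    print(code, auth.verify_hotp("alice", code), auth.verify_hotp("alice", code))
    chal = auth.issue_challenge("alice")
    print(chal, auth.verify_response("alice", chal, challenge_response(DEMO_SEED, chal)))
```

The look-ahead and skew windows are the practical cost of synchronous tokens: too small and a token that has drifted stops working, too large and an attacker who captures one code gets more guesses at the next. The `last_step` / `next_counter` bookkeeping is the part that turns a token code into a genuine OTP; without it a code that was sniffed during its 30-second window could be replayed.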
Smartcard is another form of token. Similar to a bank card or ATM card, a smartcard contains a computer chip which stores additional information beyond what is held on the magnetic stripe. Smartcards are used pervasively in Europe as credit cards and they are making their way into the U.S.   
Bio-Metrics are devices such as fingerprint readers, retinal scanners, facial recognition solutions, voice recognition, and so on. 
Radio-frequency identification (RFID) is another token-type technology, in which the token is detected over radio when it is in close proximity to the reader of the system you are authenticating against. 
Out of band authentication is authentication performed over a different channel from the one through which you are accessing the service.  A common example is a telephone or text-message verification system that sends a one-time access code which must be entered to gain access to an application. Your phone essentially becomes the token used to validate your identity. The point is that the authentication process can start on a computer network and require a code delivered over a mobile network to complete, so an attacker has to compromise both channels rather than one. 

