views:

407

answers:

4

I've been given the task of finding and evaluating some authentication libraries for use in one of our products and one of the selling features being pushed by some solutions is "two-factor authentication".

What is this method and how does it work? Are there better methods (such as three-factor authentication, I guess)?

+1  A: 

It's when two (or more) different factors are used in conjunction to authenticate someone.

For example, a bank might ask you for your account number and PIN. And sometimes, like when you call call centers, they might ask you for additional factors such as name, DOB, phone number, address, etc.

The theory is that the more factors you can authenticate against, the higher the probability that you are dealing with the correct person. How well it works and how much more secure it is is debatable in my opinion...

Factors include:

  • Human factors are inherently bound to the individual, for example biometrics ("Something you are").
  • Personal factors are otherwise mentally or physically allocated to the individual as for example learned code numbers. ("Something you know")
  • Technical factors are bound to physical means as for example a pass, an ID card or a token. ("Something you have")

See: http://en.wikipedia.org/wiki/Two-factor_authentication

mezoid
Your examples in para. 2 are not of different factors - they are examples of one factor. Your factors from "Factors Include" right indicate what multiple factors might be - something you have plus something you know is 2 factor; 2 times something you know is not.
Software Monkey
So your actual VISA card and PIN are two different factors, yes? But your fingerprints and retinal image and tattoo on your buttocks are all one factor (something you have).
paxdiablo
Correct. A lot of banks use "1.5 factor authentication" - a password (something you know) and a security question (something you also know) but try to pretend it is really 2 factor.
1800 INFORMATION
@PAX: Yes; if someone can obtain your thumb, then they can presumably get your head/eye and butt too. That is, they can shoot you and drag your still-warm corpse to the biometric scanner... but then they can't make you speak your passphrase.
Software Monkey
+7  A: 

Two-factor authentication is using two factors to authenticate a person (or sometimes a process).

This might be a PIN number (something you know) and a debit card (something you have).

There are many authentication factors that might be used:

Authentication factors apply for a special procedure of authenticating a person as an individual with definitively granted access rights. There are different factor types for authentication:

  • Human factors are inherently bound to the individual, for example biometrics ("Something you are").
  • Personal factors are otherwise mentally or physically allocated to the individual as for example learned code numbers. ("Something you know")
  • Technical factors are bound to physical means as for example a pass, an ID card or a token. ("Something you have")

From Wikipedia.

Which factors you choose depend on the type of access required, security needed, cost, and especially what people are willing to put up with.

People get irritated with strong passwords that change every 4 months, so you might find employees happier with laptops that have fingerprint scanners and they can use a weak password and a fingerprint - two factor authentication may be easier for users.

But others might not like the privacy implications of biometric security and would rather carry around a keychain device that produces numbers which are typed in along with a password.

High security situations may require all three factors - something you have such as a card, something you are such as retinal imaging, and something you know such as a password.

But the costs and irritation go up as you add more levels.

Adam Davis
Ha ha, fat chance of getting a laser anywhere near my retina. But it's a good explanation. I wonder whether urinalysis would be accepted by the workforce (and shudder at the device that does it).
paxdiablo
I'm curious. Why aren't technical and human the same? Surely your fingerprints/retina are still something you have? I'm reminded of the movie Demolition Man where Wesley Snipes plucked out a guy's eye to use later on the retinal scanner (akin to stealing your VISA card).
paxdiablo
Human factors cannot be changed (ideally). So once your fingerprint is compromised (copied, for instance) then you can never use it again - someone else has a copy of it. It's not like you can just get a new visa card. Once all your fingers are copied, you can't use fingerprints as a factor...
Adam Davis
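The "keychain device that produces numbers which are typed in along with a password" in the answer above is usually an RFC 4226 (HOTP) or RFC 6238 (TOTP) token. The following is an added example, not code from the answer's author or from any library the question asks about; it implements HOTP/TOTP from the RFCs with the Python standard library and wires them into a two-factor login check (password hash plus one-time code). The `enroll`/`login` functions, the PBKDF2 parameters and the user record layout are assumptions for illustration; the test vectors are the ones published in the RFCs.

```python
import hashlib
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte selects 4 bytes
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1):
    """Accept the code for the current period or +/- `window` periods (clock drift).
    Returns the matching counter, or None. compare_digest keeps the comparison constant-time."""
    for drift in range(-window, window + 1):
        counter = unix_time // step + drift
        if hmac.compare_digest(hotp(secret, counter, digits).encode(), code.encode()):
            return counter
    return None


# --- hypothetical server-side account record and login flow (assumption, not any library's API) ---

PBKDF2_ROUNDS = 200_000


def enroll(password: str) -> dict:
    """Create an account record: salted password hash ("something you know") and a
    20-byte TOTP seed that is provisioned once into the user's token ("something you have")."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": os.urandom(20),
        "last_counter": -1,   # highest TOTP counter already accepted, for replay protection
    }


def login(record: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors are always evaluated and a single True/False is returned, so the caller
    is not told which factor failed."""
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS),
        record["pw_hash"],
    )
    counter = verify_totp(record["totp_secret"], code, unix_time)
    # A code is accepted at most once: an attacker who shoulder-surfs it cannot reuse it
    # within the drift window, even though the token would still produce it.
    if not pw_ok or counter is None or counter <= record["last_counter"]:
        return False
    record["last_counter"] = counter
    return True


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 published test vectors for the ASCII seed "12345678901234567890"
    seed = b"12345678901234567890"
    print(hotp(seed, 0), totp(seed, 59, digits=8))   # 755224 94287082
    account = enroll("correct horse battery staple")
    now = int(time.time())
    print(login(account, "correct horse battery staple", totp(account["totp_secret"], now), now))
```

The `last_counter` check is what stops a captured code from being replayed inside the drift window; without it a one-time code is only "one-time" in name. If the login service is replicated, that counter must live in shared storage, not in process memory.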
+1  A: 

"Are there better methods (such as three-factor authentication, I guess)?"

The issue isn't simply more factors. It's a better mix of factors.

Passwords are easily lost and compromised. People write them on stickies and put them on the bottom of their keyboards.

Other non-password factors are part of the mix. For browser-based apps, you can use IP address, and other PC-specific material that floats in as part of the HTTP headers. For desktop apps (like VPN connections) independent key generators or plug-in USB readers might provide additional factors.

S.Lott
A: 

I'll take this from a completely different tack. All these answers are correct, of course, but I want to broaden the topic a bit - to think about where & when to apply two-factor authentication. There are three areas where strong authentication can be used: session authentication, mutual authentication and transaction authentication. Session auth is what most people think about when they think about 2FA. But imagine if people only had to use an OTP when making a banking transaction. The attack surface goes from "when logged in" to "when making a transaction", which is much smaller. If the transaction authentication uses a public key system to sign the tx, then all the better.

Mutual authentication is some system that attempts to thwart MITM attacks. You can think of the little pictures some banking sites use, but they are totally ineffectual because there is no crypto involved. Here's how we do mutual auth, by validating the site's SSL cert for the user: http://www.wikidsystems.com/learn-more/technology/mutual_authentication/. There are other ways to do the same thing, of course.

nowen
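Transaction authentication, as described in the answer above, binds the one-time code to the transaction the user actually sees, so a man-in-the-middle who rewrites the beneficiary cannot reuse the code. The following is an added example, not the answer author's code or the product it links to; it shows the symmetric variant (an HMAC over the canonical transaction with a secret shared with the user's token; the public-key variant the answer prefers would replace the HMAC with a signature and the shared secret with a per-user public key). The `Bank` class, its `enroll`/`begin`/`submit` methods, the challenge nonce scheme and the sample IBANs are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import os


def canonical(tx: dict) -> bytes:
    """Deterministic encoding: both token and server must MAC exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def transaction_code(token_secret: bytes, tx: dict, digits: int = 8) -> str:
    """What the user's token computes after displaying `to`, `amount`, `currency` to the user
    ("what you see is what you sign"). Any change to any field changes the code."""
    mac = hmac.new(token_secret, canonical(tx), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % (10 ** digits)).zfill(digits)


class Bank:
    """Hypothetical server side (assumption for illustration)."""

    def __init__(self):
        self.tokens = {}    # user -> secret provisioned into that user's token at enrollment
        self.pending = {}   # user -> set of unconsumed challenge nonces

    def enroll(self, user: str) -> bytes:
        secret = os.urandom(32)
        self.tokens[user] = secret
        self.pending[user] = set()
        return secret       # delivered to the token once; never sent again

    def begin(self, user: str) -> str:
        """Issue a fresh challenge the transaction must carry, so an accepted code cannot be replayed."""
        nonce = os.urandom(8).hex()
        self.pending[user].add(nonce)
        return nonce

    def submit(self, user: str, tx: dict, code: str) -> str:
        if tx.get("nonce") not in self.pending[user]:
            return "rejected: unknown or used challenge"
        expected = transaction_code(self.tokens[user], tx)
        # Recompute over the transaction the server is being asked to execute, not the
        # one the user thinks they approved: a MITM edit shows up as a mismatch here.
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return "rejected: code does not match transaction"
        self.pending[user].discard(tx["nonce"])   # consume the challenge only on success
        return "accepted"


if __name__ == "__main__":
    bank = Bank()
    token_secret = bank.enroll("alice")
    # Constructed sample: the user approves this transfer on the token's display.
    tx = {"to": "DE89370400440532013000", "amount": "100.00", "currency": "EUR",
          "nonce": bank.begin("alice")}
    code = transaction_code(token_secret, tx)
    # A MITM swaps the beneficiary but can only forward the code the user typed.
    tampered = dict(tx, to="GB29NWBK60161331926819")
    print(bank.submit("alice", tampered, code))   # rejected: code does not match transaction
    print(bank.submit("alice", tx, code))         # accepted
    print(bank.submit("alice", tx, code))         # rejected: unknown or used challenge
```

The server-issued nonce does the replay work that a time window does for session TOTP; the `canonical` encoding matters because an attacker who can vary whitespace or key order without changing the MAC input would have a trivial forgery surface if the two sides encoded differently.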