An authentication factor is a category of credential used for identity verification. For MFA, each additional factor is intended to increase the assurance that an entity involved in some kind of communication or requesting access to a system is who — or what — it says it is. The use of multiple forms of authentication can help make a hacker’s job more difficult.
The three most common categories, or authentication factors, are often described as something you know, or the knowledge factor; something you have, or the possession factor; and something you are, or the inherence factor. MFA works by combining two or more factors from these categories.
Knowledge-based authentication typically requires the user to answer a personal security question. Knowledge factor technologies generally include passwords, four-digit personal identification numbers (PINs) and one-time passwords (OTPs). Typical user scenarios include the following:
- swiping a debit card and entering a PIN at the grocery checkout;
- downloading a virtual private network client with a valid digital certificate and logging in to the VPN before gaining access to a network; and
- providing information, such as mother’s maiden name or previous address, to gain system access.
Users must have something specific in their possession in order to log in, such as a badge, token, key fob or phone subscriber identity module (SIM) card. For mobile authentication, a smartphone often provides the possession factor in conjunction with an OTP app.
- Security tokens are small hardware devices that store a user’s personal information and are used to authenticate that person’s identity electronically. The device may be a smart card, an embedded chip in an object, such as a Universal Serial Bus (USB) drive, or a wireless tag.
- A software-based security token application generates a single-use login PIN. Soft tokens are often used for mobile multifactor authentication, in which the device itself — such as a smartphone — provides the possession factor authentication.
Typical possession factor user scenarios include the following:
- mobile authentication, where users receive a code via their smartphone to gain or grant access — variations include text messages and phone calls sent to a user as an out-of-band method, smartphone OTP apps, SIM cards and smart cards with stored authentication data; An example would be the Duo Security App or Microsoft Authenticator.
- and attaching a USB hardware token to a desktop that generates an OTP and using it to log in to a VPN client. An example would be a YubiKey hardware token.
Any biological traits the user has that are confirmed for login. Inherence factor technologies include the following Biometric verification methods retina or iris scan, fingerprint scanners, digital signature scanners, and facial recognition.
Biometric device components include a reader, a database and software to convert the scanned biometric data into a standardized digital format and to compare match points of the observed data with stored data. Inherence factor scenarios include the following:
- using a fingerprint or facial recognition to access a smartphone;
- providing a digital signature at a retail checkout; and
- identifying a criminal using earlobe geometry.
User location is often suggested as a fourth factor for authentication. Again, the ubiquity of smartphones can help ease the authentication burden: Users typically carry their phones, and all basic smartphones have GPS tracking, providing credible confirmation of the login location.
Time-based authentication is also used to prove a person’s identity by detecting presence at a specific time of day and granting access to a certain system or location. For example, bank customers cannot physically use their ATM card in the U.S. and then in Russia 15 minutes later. These types of logical locks can be used to help prevent many cases of online bank fraud.