Multi-factor authentication (MFA) is an extended form of authentication: a method of controlling access to a computer in which the user must present more than one proof of authentication to gain access to information.
The categories of security access include:
- Knowledge. This is information that the subject already knows. For example, a password or PIN.
- Possession. Access is granted via an external device that the user possesses and that carries identification credentials. For example, an electronic or magnetic card, a token, or flash memory.
- Property. This is the means by which the receiving party can verify access based on real human characteristics. For example, biometrics, that is, natural unique differences: face, fingerprints, capillary patterns, DNA sequence.
Which characteristic a system uses depends on the required reliability, security and cost of implementation. There are three authentication factors:
- The knowledge factor. A password can be a spoken word, a written word, a combination for a lock, or a personal identification number (PIN). This mechanism can be implemented quite easily and has a low cost. But it has significant drawbacks: it is often difficult to keep a password secret, and attackers are constantly inventing new ways to steal and crack passwords.
- The possession/ownership factor. This is an authentication device that the user possesses. For protecting information, it is important that the device is unique. Devices such as plastic cards or smart cards may be used. The user may have an external key and lock for the computer. It is more difficult for a hacker to get hold of such a device than to crack a password. Even if it is stolen, the user can immediately report the theft of the device.
- The property factor. This is a great form of identification that relies solely on human characteristics, i.e. biometrics. This is the means of access based on the features of the user. It can be a photo, a fingerprint, a voice, eye recognition, etc. From the user's point of view, this method is the simplest: you need neither remember a password nor carry an authentication device with you. However, the biometric system must be technically advanced enough to distinguish an authorized user from an intruder with similar biometric parameters.
Multifactor authentication drastically reduces the possibility of identity theft online. Password protection alone is not enough to lower the risk of fraud. However, many multi-factor authentication approaches remain vulnerable to phishing and man-in-the-middle attacks.
To choose a particular factor or method of authentication for a system, it is necessary, first of all, to define the required degree of security, the cost of building the system, and the need to ensure the mobility of the subject.
Many multifactor authentication products require the user to have client software. Some developers have created separate installation packages for logging in, web access credentials and VPN connections.
Multifactor authentication is not standardized. There are various forms of its implementation. Therefore, the problem lies in its interoperability. There are many processes and aspects that must be considered when selecting, developing, testing, implementing, and supporting a holistic security ID management system, including all relevant mechanisms and related technologies.