Similarly, in our digital world, we as [banks, pharma companies, defense agencies, critical infrastructure owner/operators, etc.] are required to establish a level of trust, or confidence, of a computer user’s identity before permitting access or control of critical systems, data or other assets. The “factors” that we must consider are clearly defined by the Federal Financial Institution Examination Council in the US and further clarified by NIST, the National Institute of Standards and Technology. These factors were defined in such a way to form three distinctive groups characterized by their vulnerabilities and barriers they offer against would-be cybercriminals. These three factors are defined as “something the user knows”, “something the user has” and “something the user is”. Any “authentication factor” in use can fall under one of these categories, and broadly take the form of shared secrets, tokens or biometrics.
These definitions can be applied to authentication thousands of years ago, or today. For example, when Grok walked along the ridge of Big Mammoth cliff fourteen thousand years ago, Blok recognized Grok’s unique face and walk (his biometrics, defined as “a unique physical or behavioral characteristic”), knew it was Grok. We do this all the time today, when we hear someone’s voice on the phone, or do a biometric scan and comparison of their iris at an airport terminal. These various biometric characteristics vary in uniqueness and criminal’s ability to replicate based upon things such as feature scanning and matching sophistication and their position on the dynamic continuum, but we’ll save that for another blog post.
Similarly, tokens or “seals” with special carvings were carried during the Punic wars by centurions and messengers, coupled with secret passphrases (just long passwords), to prove that the message originated from friend, not foe, and designate authority. So when Scipio Africanus came from Hannibal to collect a bunch of bronze bars from the treasury to purchase extra horses and spears to fight the Carthaginians, the process was not dissimilar to using an ATM with a card and PIN code.
There are several common misconceptions being promulgated by media and perhaps surprisingly, by software companies claiming to offer “4-factor” and “5-factor” authentication solutions. Multifactor means just that: using more than one of any of the factors in your authentication process. 2-Factor Authentication (2FA) means token+biometric, biometric+secret or token+secret (like Scipio used). 3-Factor (3FA) means just that: all three factors are being used. Three secrets does not constitute 3FA. Two biometrics plus a smart card plus a browser extension does not constitute 4FA (sorry, nice try). The browser and smart card are both tokens, have similar strengths, and vulnerabilities. Two biometrics are great, but the same reasoning applies. What is actually being described there is 2-factor, 4-step (even though the browser extension is somewhat invisible). This is an important distinction, as adding more “steps” generally adds up to more work for the user, which typically means more chances to make an error and have to start over again (or just give up).
Another “4th factor” misstatement that we run across is that of geolocation being a "4th factor"; it is not really a 4th factor, it is a method of measuring a possession factor or token. I need to have that smartphone/fob/smart card/”other thing I need to carry around” for you to know my location. The FFIEC and NIST have these clearly defined.
We have also seen solutions with one-time passwords (OTP) being displayed on a smartphone, which needs to be read by the user, being touted as 3FA. They capture the reading of an OTP (eg. 123456), the user’s voice biometric and a device ID. Clever, but where are the three factors? A one-time password is not something you know, it is something you read from the phone. So, a hacker with your phone has your phone and the OTP: phone+phone+biometric=2 factors, 3 steps. In this scenario, you do not need to be present with the unique knowledge of the password (which is the challenge a cybercriminal would need to overcome). Again, the reason they are defined this way is that each category comprises a distinctive set of vulnerabilities, and challenges to a cybercriminal. The factors need to be mutually exclusive to improve security; it all about the fundamental distribution of risk.
When we began developing SensiPass, our objective was to employ all three factors in a secure way, without duplication, to build a simple solution to use, yet with the highest level of security: real 3-Factor Authentication. We also wanted to build this without using passwords or PIN codes, collectively called “alphanumerics”, in the process, as they constitute the most vulnerable part of any authentication solution (more on that in another blog). That is what we set out to develop, and that is what we did, elegantly. Real 3-Factor Authentication in 3 seconds, no passwords or PINs.
Mike Hill, CEO and Founder, SensiPass Ltd
email@example.com Ph +353 85 8334477