Tuesday, October 13, 2009

Three Factors of Authentication

A heavily tested concept in the CompTIA Security+ (SY0-201) exam is authentication. Authentication verifies a claimed identity: a user first identifies themselves (for example with a username) and then proves that claim by presenting something only the legitimate user should be able to present. There are basically three ways to do this, commonly referred to as the three factors of authentication.

  • Something you know. The classic example is a password: the username identifies the user, and the password is the secret that authenticates them. This is considered the weakest form of authentication. One of the primary reasons is that users often choose weak passwords or write their passwords down.
  • Something you have. Smart cards and fobs are common examples. A smart card is a credit-card-sized card with an embedded chip that holds key information about the user, typically a private key and the matching certificate issued by a PKI (the certificate is an X.509 certificate; TLS is a protocol that can use such certificates, not the format of the certificate itself). Because the private key never leaves the card, smart cards provide very strong authentication. A fob (sometimes called a token) has a small display that shows a number that changes regularly, such as every 60 seconds. The number is typically derived from a secret shared with a server and the current time, so the server can compute the same value and the two stay synchronized. When the user logs into a website, they enter the number shown on the display to prove they have the token. This factor is usually combined with another factor to provide multifactor authentication.
  • Something you are. Biometrics is used for this factor, and it is no longer just something seen in movies; biometrics is commonly used in many applications today, for example at theme parks such as Disney World. It includes fingerprints, retinal scans, voice prints and even handwriting analysis. Biometrics is considered the strongest form of authentication, but also the most expensive. One caveat worth remembering: a compromised biometric cannot be reissued the way a password or card can.
Multifactor Authentication. Multifactor authentication combines two or three of the different factors (two items from the same factor, such as two passwords, are still single-factor). Two common examples are where:
  1. Someone may have a smart card and know a personal identification number (PIN), or
  2. Have a fob and know their username and password.
Darril Gibson