Two-factor authentication
Two-factor authentication (T-FA) is any authentication protocol that requires two independent ways to establish identity and privileges. This contrasts with traditional password authentication, which requires only one 'factor' (knowledge of a password) in order to gain access to a system.
Three standard kinds of authentication 'factors' are recognized:
- 'Something you know', such as a password or PIN
- 'Something you have', such as a credit card or hardware token
- 'Something you are', such as a fingerprint, a retinal pattern, or other biometrics.
Other, less common factors can include
- location-based authentication, such as only allowing a particular ATM, charge, or credit card to be used at a specific merchant or at a specific bank branch
- size-based authorization, such as only allowing a specific transaction to be for a specific exact amount
- pre-authorized transactions, such as where a company uploads to its bank the check numbers and amounts of every check it has written, and the bank then rejects as fraudulent any check that does not match one of those numbers and amounts
Common implementations of two-factor authentication use 'something you know' as one of the two factors, and use either 'something you have' or 'something you are' as the other factor.
Using more than one factor of authentication is also called 'strong authentication'; using just one factor, for example just a password, is considered 'weak authentication'.
A common example of T-FA is a bank card (credit card, debit card); the card itself is the physical item, and the personal identification number (PIN) is the data that goes with it. See Chip and PIN for more information on this.
According to proponents, T-FA could drastically reduce the incidence of online identity theft, and other online fraud, because the victim's password would no longer be enough to give a thief access to their information. However, Bruce Schneier argues T-FA is still vulnerable to trojan and man-in-the-middle attacks[1].
Two-factor authentication - Examples
Some examples of two-factor authentication include:
- America Online's Passcode service, in which users get a small handheld six-digit numeric code key. To log onto an AOL account equipped with the service, users must enter the six digits, which refresh on the device every 60 seconds, in addition to the user's standard password.
- Authentify's service, which uses voice biometric verification over the telephone as the second authentication factor.
- Booleansoft Digital Signature Solution, which uses USB tokens.
- Entrust's IdentityGuard, which uses alphanumeric characters printed on a credit card-sized grid.
- IBM/Lenovo's new ThinkPad, which includes a fingerprint reader that signs users into all their passwords.
- Identity Cues Two Factor, which performs two-factor authentication without added steps for users. It checks that the device from which the user is currently logging in, and which is in his possession, has previously been used with a one-time password sent out of band via email.
- RSA's SecurID product. RSA is making this product available for Microsoft Windows users under the premise that it can help "ensure that valuable network resources are accessible only by authorized users" while "simultaneously delivering a simplified and consistent user login experience."
- VeriSign's Unified Authentication managed service, in which enterprises deploy USB tokens to all their users and VeriSign manages the infrastructure.
- WiKID Strong Authentication uses asymmetric encryption to securely deliver one-time passcodes upon receipt of a validly encrypted PIN from a software token running on an internet-connected device (cell phone/Blackberry/Palm/PocketPC or a Windows/Mac/Linux PC).
- WiKID's open source version project page at Sourceforge.net
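As an added illustration, not taken from the original article and not how any of the products listed above actually implement it, the following Python shows a server-side check that combines the two factors described here: a salted password hash for 'something you know' and a six-digit code that changes every 60 seconds for 'something you have'. The code uses the HMAC one-time-password construction of RFC 4226/6238 as a stand-in for a vendor token algorithm; the password, salt and token secret are constructed demo values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the article's example tokens refresh every 60 seconds
DIGITS = 6

# Constructed demo credentials (not real values). The password is stored only
# as a salted PBKDF2 hash; the token secret is the shared seed for the code.
_SALT = b"demo-salt"
_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)
_TOKEN_SECRET = b"0123456789abcdef0123"


def hotp_like_code(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 one-time code with dynamic truncation (RFC 4226 construction)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def time_code(secret: bytes, unix_time: int) -> str:
    """Code shown on the token: the counter is the current 60-second step."""
    return hotp_like_code(secret, unix_time // STEP_SECONDS)


def check_password(candidate: str) -> bool:
    """Factor 1: compare against the stored salted hash, never against plain text."""
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), _SALT, 100_000)
    return hmac.compare_digest(derived, _PASSWORD_HASH)


def check_token_code(code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Factor 2: accept the current step and +/- drift_steps to tolerate clock skew."""
    counter = unix_time // STEP_SECONDS
    ok = False
    for c in range(counter - drift_steps, counter + drift_steps + 1):
        if hmac.compare_digest(hotp_like_code(_TOKEN_SECRET, c), code):
            ok = True
    return ok


def authenticate(password: str, code: str, unix_time: int) -> bool:
    """Both independent factors must verify; the password alone is never enough."""
    pw_ok = check_password(password)      # evaluate both so a failure does not
    code_ok = check_token_code(code, unix_time)  # reveal which factor was wrong
    return pw_ok and code_ok
```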
Two-factor authentication - Problems with T-FA
Deployment of T-FA tools such as smartcards and USB tokens appears to be increasing. More organizations are adding a layer of security to the desktop that requires users to physically possess a token and to know a PIN or password in order to access company data. However, two-factor authentication still has drawbacks that are keeping the technology from widespread deployment and that are worth considering. Some consumers have difficulty keeping track of one more object in their life. Also, many two-factor systems are proprietary and protected by patents. The result is a substantial annual fee per person protected and a lack of interoperability.
Two-factor authentication - Tokens
Differences between the smartcard and USB token are diminishing. Both technologies include a microcontroller, an operating system, a security application and a secured storage area. There are some distinguishing differences, however.
Smartcards, such as those offered by RSA and ActivCard, are about the same size as a credit card. Some vendors, such as HID and RSA, are offering or developing smartcards that perform both the function of a proximity card and network authentication. You can authenticate into the building via proximity detection and then insert the card into your PC to produce your network logon credentials. The downside is that the smartcard is a bigger device, the card reader is an extra expense, the card is more likely to break due to its size, and it has less storage capacity than a USB token.
On the other hand, the USB token has a much smaller form factor and can easily be attached to a key ring. Thus, it is easier to carry. The USB reader is standard equipment on today's PCs, and the token tends to have a much larger storage capacity for logon credentials than smartcards. RSA, Aladdin, ActivCard, Authenex and Rainbow are a few of the vendors offering USB tokens.
Two-factor authentication - Biometrics
In both cases vendors are beginning to add biometric readers to the devices, thereby providing three-factor authentication. Users biometrically authenticate via their fingerprint to the smartcard or token and then enter a PIN or password in order to open the credential vault. However, whilst this type of authentication is suitable in limited applications, when a large number of users are involved the solution becomes unacceptably slow and comparatively expensive.
Two-factor authentication - The challenges of authentication
So if smartcards or USB tokens provide all this security, why isn't everybody deploying them? It would seem to be a logical line of defense against intrusions and information loss.
Despite the security advantages of strong authentication its adoption is not yet widespread. There are several factors that contribute to this.
- The first challenge to face is the difficulty of deploying the client PC software required to make these systems work. Most vendors have created separate installation packages for network login, Web access credentials and VPN connection credentials. In other words, you may have four or five different software packages to push down to the client PC in order to make use of the token or smartcard. This translates to four or five packages on which you also have to perform version control and which you must ensure do not conflict with your business applications. If access can be operated using web pages, it is possible to limit the overheads outlined above to a single application.
- The other challenge is the deployment of hardware tokens both in terms of cost and logistics. Hardware tokens may get damaged or lost and issuance of tokens in large industries such as banking or even within large enterprises needs to be managed.
A new category of T-FA tools transforms the PC user's mobile phone into a token device using SMS messaging. While such a method simplifies deployment and does away with the need of proprietary hardware token devices, there are trade-offs such as the recurring cost of SMS messages sent.
Two-factor authentication - Password security
The next concern is the security of the T-FA tools and their systems. Several products store passwords in plain text for either the token/smartcard software or its associated management server. In either case this negates only one factor of the authentication: although an intruder could easily find the password/PIN used to authenticate to the device, they would still need to be in possession of the relevant token or smartcard for this type of attack to work.
A further argument is that there is nothing to stop a user (or intruder) from manually providing logon credentials that are stored on a token/smartcard. For example, to show all passwords stored in Internet Explorer, all an intruder has to do is boot the Microsoft Windows operating system into safe mode (with network support) and scan the hard drive (using certain freely available utilities). However, requiring the physical token to be in place at all times during a session can negate this.
Two-factor authentication - Software security
Another concern when deploying smart cards, USB tokens, or other T-FA systems is the security of the software loaded onto users' computers. [2] A token may store a user's credentials securely, but the potential for breaking the system is then shifted to the software interface between the hardware token and the operating system, potentially rendering the added security of the T-FA system useless.
See also
- Authentication#Multifactor_authentication
- security token
Adapted from the Wikipedia article "Two-factor authentication", under the GNU Free Documentation License. Please also see http://en.wikipedia.org/wiki