Authentication is the process of confirming that someone or something is who or what it claims to be. Demand for multifactor authentication (MFA) in the United States has been galvanized by government regulations, such as the Federal Financial Institutions Examination Council guidance that calls for MFA on online banking transactions.
Requiring more than one authentication factor for a login or transaction typically improves security, because an attacker must then defeat each factor independently. Strong authentication, though not officially defined, usually describes a process that requires two or more factors of different kinds (knowledge, possession, location and so on) from the user. Two-factor authentication (2FA) usually combines a knowledge factor with either a biometric factor or a possession factor, such as a security token or key.
Early MFA systems were simply 2FA. Today, vendors apply the term multifactor to any authentication process that requires two or more identifying credentials, so two-factor, three-factor and four-factor schemes all fall under the MFA umbrella.
Each factor belongs to a distinct category of credential. Presenting a valid credential from a category is evidence that the user is who they claim to be, and the more independent categories the user must satisfy, the stronger the resulting authentication. Five categories are in common use:
Knowledge factor: Colloquially called “something the user knows,” this is the most common form of credential used in authentication. Examples include the answer to a secret security question and the standard username and password combination. Two pieces of information are required, but both are pieces of knowledge and therefore belong to the same category; a password plus a security question is still single-factor authentication, not MFA. Note, too, that the username is an identifier rather than a secret, so the password is the only knowledge component that carries security weight.
Inherence factor: Sometimes defined as “something the user is,” this factor requires a user's biometric data to accomplish authentication. Fingerprints, DNA, retina and iris patterns, voice patterns, facial geometry and hand measurements are all forms of biometric data inherent to the user. Unlike a password or token, a biometric cannot be changed once it has been compromised, so biometric templates must be stored and matched with particular care.
Possession factor: Informally called “something the user has,” this is a category of authentication based on an item in the user's possession. It most commonly refers to a security token or key, but increasingly, mobile phones are categorized as possession factors as well. The phone can receive a one-time password or PIN by text message or email, or run an authenticator app that generates codes locally. These options are not equivalent: a code delivered by email proves possession of the mailbox rather than the phone, and SMS delivery is exposed to SIM-swap and interception attacks, so an authenticator app or a hardware token is the stronger form of possession factor.
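To show concretely what an authenticator app does with a possession factor, here is an added example (not code from the original article or from any vendor) implementing HOTP (RFC 4226) and TOTP (RFC 6238), together with the server-side verification a practitioner would want: a small clock-skew window plus rejection of any code whose time step has already been accepted, so a captured code cannot be replayed. The shared secret, step size, digit count and window are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226).

    HMAC over the 8-byte big-endian counter, dynamic truncation to a 31-bit
    integer using the low nibble of the last byte as the offset, then the low
    `digits` decimal digits, zero-padded.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """Time-based one-time password (RFC 6238): HOTP with counter = floor(T / step)."""
    return hotp(secret, int(for_time // step), digits, algo)


class TotpVerifier:
    """Server-side check of a TOTP code.

    Accepts the code if it matches the current time step or any step within
    +/- `window` steps (tolerating clock skew), and remembers the highest
    step already used so the same code cannot be accepted twice.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, algo=hashlib.sha1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.algo = algo
        self.last_counter = -1  # highest time step accepted so far

    def verify(self, code: str, now=None) -> bool:
        now = time.time() if now is None else now
        current = int(now // self.step)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # this step was already consumed: treat as replay
            expected = hotp(self.secret, counter, self.digits, self.algo)
            # constant-time comparison so a wrong guess leaks no timing signal
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test-vector secret), not a real key.
    secret = b"12345678901234567890"
    verifier = TotpVerifier(secret)
    code = totp(secret, time.time())
    print("current code:", code)
    print("first use accepted:", verifier.verify(code))
    print("replay accepted:", verifier.verify(code))
```

With the RFC 6238 test secret, `totp(secret, 59, digits=8)` yields `94287082`, matching the published vector, which is a quick way to confirm an implementation before trusting it. In production the secret is generated per user from a cryptographically secure random source, stored encrypted at rest, and the `last_counter` state is persisted alongside it.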
Location factor: While less common and less specific, the location factor is used to supplement other authentication efforts. A user's location can be inferred from a GPS-equipped device or, with less accuracy, from the source IP address and network path of the connection.
Time factor: Though it would not qualify as sufficient user authentication on its own, a time factor can be used to supplement other identifying mechanisms. Combined with a location factor it enables an "impossible travel" check: an authentication attempt from Europe one hour after the same user last authenticated in California implies a speed no traveler could achieve, and should be treated as a likely attacker.
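The impossible-travel check that combines the location and time factors above, as an added example that is not part of the original article. It computes the great-circle distance between consecutive logins by the same user and flags any pair whose implied speed exceeds a plausible maximum. The login events, the coordinates, the IP addresses (from the RFC 5737 documentation ranges) and the 1000 km/h threshold are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

EARTH_RADIUS_KM = 6371.0
# Assumption: anything faster than a commercial jet is not a real traveler.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass(frozen=True)
class LoginEvent:
    user: str
    timestamp: str  # ISO 8601 with UTC offset, e.g. "2024-05-01T09:00:00+00:00"
    lat: float
    lon: float
    src_ip: str

    @property
    def when(self) -> datetime:
        return datetime.fromisoformat(self.timestamp)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events: List[LoginEvent],
                      max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> List[dict]:
    """Return an alert for every pair of consecutive logins by the same user
    whose implied travel speed exceeds max_speed_kmh."""
    by_user: Dict[str, List[LoginEvent]] = {}
    for ev in events:
        by_user.setdefault(ev.user, []).append(ev)

    alerts: List[dict] = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)  # events may arrive out of order
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            if hours <= 0:
                # Simultaneous logins from two distinct places are impossible too.
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from_ip": prev.src_ip,
                    "to_ip": cur.src_ip,
                    "distance_km": dist,
                    "hours": hours,
                    "speed_kmh": speed,
                })
    return alerts


# Constructed sample events: alice "travels" San Francisco -> Frankfurt in one
# hour (attacker), bob drives San Francisco -> Los Angeles over two hours (benign).
SAMPLE_EVENTS = [
    LoginEvent("alice", "2024-05-01T09:00:00+00:00", 37.7749, -122.4194, "203.0.113.10"),
    LoginEvent("alice", "2024-05-01T10:00:00+00:00", 50.1109, 8.6821, "198.51.100.7"),
    LoginEvent("bob", "2024-05-01T10:00:00+00:00", 34.0522, -118.2437, "203.0.113.44"),
    LoginEvent("bob", "2024-05-01T08:00:00+00:00", 37.7749, -122.4194, "203.0.113.45"),
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_EVENTS):
        print(f"{alert['user']}: {alert['distance_km']:.0f} km in {alert['hours']:.1f} h "
              f"({alert['speed_kmh']:.0f} km/h) from {alert['from_ip']} to {alert['to_ip']}")
```

In a real deployment the coordinates come from an IP geolocation database, whose accuracy is coarse, so the threshold should be tuned to avoid flagging VPN exits and mobile carrier gateways, and a hit should trigger step-up authentication rather than an outright block.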