Amongst the most important criteria for an effective and robust multi-factor authentication process is a combination of different types of identity management factors. Authentication factors are traditionally split into three categories: knowledge, possession and inherence – and most multi-factor systems feature at least two.
This is commonly known as ‘something you know, something you have, and something you are’.
But to effectively implement a multi-factor authentication process, it is important to understand the three different types of factors – ensuring your identity management system is bolstered by the presence of at least two different forms of authentication.
The most commonly used type of identity authentication, knowledge factors require the user to demonstrate knowledge of hidden information. Routinely used in single-layer authentication processes, knowledge factors can come in the form of passwords, passphrases, PINs or answers to secret questions.
These knowledge factors, when implemented alone, offer little security – this article from Wired demonstrates the fallibility of the password. Not only have computer programs been created to hack passwords, but close friends, relatives and acquaintances may also know the information required to answer secret questions, or an individual’s commonly used passwords.
Possession factors are, in essence, a key to the security lock. Taking the form of connected tokens and disconnected tokens, possession factors are physical entities possessed by the authorised user to connect to the client computer or portal.
Connected tokens are items which physically connect to a computer in order to authenticate identity. Items such as card readers, wireless tags and USB tokens are common connected tokens used to serve as a possession factor during a multi-factor authentication process.
Disconnected tokens are items which do not directly connect to the client computer – instead requiring input from the individual attempting to sign in. Most typically, a disconnected token device will use a built-in screen to display authentication data which is then utilised by the user to sign in, where and when prompted.
Inherence factors are metrics intrinsically owned by the authorised individuals. These often take the form of biometrics – such as fingerprint readers, retina scanners or voice recognition. Designed to ensure unauthorised parties cannot pass the authentication process, these inherence factors are almost 100% unique to the authorised user (although, as described in the Telegraph here, there is still no proof fingerprints are completely unique).
Biometric authentication is growing more robust and commonplace in modern technology. Everyday smartphones and laptops now boast biometric authentication technology, and its use in multi-factor authentication will only continue to grow more sophisticated and more widely used.
An example of a commonly used multi-factor sign-in system is the one used for online bank transactions. Many banks require the input of customer numbers, passwords and PINs (all knowledge factors) as well as the use of a card reader (possession factor) to increase the security of the identity authentication process.