What is two factor authentication?

September 12, 2007 at 9:00 pm

There is a reasonable amount of consensus on what the answer is. I was therefore surprised when an analyst from Burton Group was being less than clear. Surely it is to everyone’s advantage in the industry to be precise and consistent so that unnecessary confusion is not created.

Two-factor authentication is authentication that requires two of the three factors, drawn from two different categories (two passwords are still a single factor):

  • something you know
  • something you have
  • something you are

There is also reasonable consensus that “something you are” refers to biometrics, which in turn covers both physiological biometrics (e.g. fingerprints) and behavioural biometrics (e.g. keystroke dynamics).

Mark Diodati, Identity and Privacy Strategies analyst at the Burton Group, in an article in eWeek called What Is Password Hardening and How Does It Work? tends to confuse things.

He describes password hardening as “you do something extra to make the password harder to guess or spoof without actually distributing a piece of hardware or software to the consumer.” Fair enough, sounds like a good idea.

His first example is keystroke dynamics from BioPassword. But a password plus a behavioural biometric is something you know plus something you are, which is two-factor authentication by the definition above; so is password hardening simply two-factor authentication? He seems to argue that because the keystroke capture runs in a Flash plug-in, no hardware or software has been distributed, and therefore it is not two-factor authentication. That confuses two different questions: how a second factor is delivered to the user, and whether a second factor is present at all.

His second example of password hardening is Bharosa’s, specifically “a bitmap image of a scrambled keyboard for them to type their password on using mouse clicks.” He describes this as “pseudo-multifactor”, whatever that may be. Whatever else it achieves, a scrambled on-screen keyboard changes only how the password is entered; the secret presented is still the password, which is one factor.

I prefer to call a spade a spade and wouldn’t know what a pseudo-spade is if I saw one. An example of what this confusion does for the industry is the fact that FFIEC in the US had to issue supplemental guidance in August 2006 that clarified, “By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors.”

This definition has nothing to do with “distributing a piece of hardware or software to the consumer”, which is the test Mark seems to be advocating. As an example, a password plus a one-time password texted to the person’s mobile phone is two-factor authentication (something you know plus something you have, the phone), and it involves no distribution of hardware or software.
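The definition above, the scrambled keyboard and the texted one-time password, worked through as an added example. This is not code from the post, from BioPassword, Bharosa or any other vendor named on the page: it is a toy login that records which factor category each presented credential actually satisfies and then applies the FFIEC test quoted below, two or more distinct categories. The user record, the phone number, the keystroke profile, the tolerance and the OTP lifetime are all constructed for the illustration; the keystroke matcher is a deliberately simple stand-in for a real behavioural biometric.

```python
"""Added example: which factor categories does a login attempt actually present?
Constructed illustration; not the post's code or any vendor's product."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Set, Tuple

KNOW, HAVE, ARE = "something you know", "something you have", "something you are"

# Constructed enrolment record for one user (assumption, not real data).
_SALT = b"constructed-salt-not-for-production"

def _pw_hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 50_000)

USER = {
    "pw_hash": _pw_hash("correct horse"),
    "phone": "+64-21-000-0000",                 # where one-time codes are texted
    "key_intervals": [0.12, 0.18, 0.15, 0.20],  # enrolled inter-key timings (s)
}
_OTPS: Dict[str, Tuple[bytes, float]] = {}      # phone -> (sha256(code), expiry)

def verify_password(pw: str) -> bool:
    """Something you know. Constant-time compare of the PBKDF2 hash."""
    return hmac.compare_digest(_pw_hash(pw), USER["pw_hash"])

def decode_scrambled_keyboard(layout: str, clicks: List[int]) -> str:
    """Scrambled on-screen keyboard of the kind the post quotes: the server sends
    a random layout and the user clicks positions. The positions map straight
    back to the password, so what is presented is still only something you know."""
    return "".join(layout[i] for i in clicks)

def issue_otp(phone: str, now: float, ttl: float = 120.0) -> str:
    """Something you have: a short-lived, single-use code texted to the phone."""
    code = f"{secrets.randbelow(10**6):06d}"
    _OTPS[phone] = (hashlib.sha256(code.encode()).digest(), now + ttl)
    return code

def verify_otp(phone: str, code: str, now: float) -> bool:
    rec = _OTPS.get(phone)
    if rec is None:
        return False
    digest, expiry = rec
    ok = now <= expiry and hmac.compare_digest(
        hashlib.sha256(code.encode()).digest(), digest)
    if ok:
        del _OTPS[phone]   # single use: a replayed code must fail
    return ok

def verify_keystrokes(intervals: List[float], tol: float = 0.03) -> bool:
    """Something you are (behavioural biometric). Toy matcher: mean absolute
    deviation of inter-key timings from the enrolled profile within `tol`."""
    ref = USER["key_intervals"]
    if len(intervals) != len(ref):
        return False
    mad = sum(abs(a - b) for a, b in zip(intervals, ref)) / len(ref)
    return mad <= tol

def login(attempt: dict, now: float) -> Set[str]:
    """Return the set of factor categories the attempt actually satisfied."""
    satisfied: Set[str] = set()
    if "password" in attempt and verify_password(attempt["password"]):
        satisfied.add(KNOW)
    if "clicks" in attempt and verify_password(
            decode_scrambled_keyboard(attempt["layout"], attempt["clicks"])):
        satisfied.add(KNOW)          # same category as a typed password
    if "otp" in attempt and verify_otp(USER["phone"], attempt["otp"], now):
        satisfied.add(HAVE)
    if "intervals" in attempt and verify_keystrokes(attempt["intervals"]):
        satisfied.add(ARE)
    return satisfied

def is_true_multifactor(satisfied: Set[str]) -> bool:
    """FFIEC wording: solutions from two or more of the three categories."""
    return len(satisfied) >= 2
```

Running a password together with a scrambled-keyboard entry of the same password yields the single category `KNOW`, so `is_true_multifactor` is false; password plus a fresh texted code yields `KNOW` and `HAVE`, and password plus a matching keystroke profile yields `KNOW` and `ARE`. Replaying a used code, or presenting one after its lifetime, adds nothing.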


Entry filed under: 2FA, authentication, biometrics, security.


9 Comments

  • 1. Eric Norman  |  September 13, 2007 at 12:31 pm

    You don’t think “texted to a person’s mobile phone” is “distribution of software”? How curious.

  • 2. codetechnology  |  September 13, 2007 at 12:58 pm

    I think the idea is that the user in this case already has the ‘software’ and hardware, hence no distribution is needed.

    The distribution really isn’t the point with two-factor — it is all about requiring the user to present two of the three factors to prove who they are. Fob, smart card, SMS message, etc. all accomplish this because of the ‘something you have’ factor, and, what is often missed, some implicit or explicit agreement that you a) won’t share it and b) will promptly report to the issuer if lost or stolen.


  • 3. Vikram  |  September 13, 2007 at 1:03 pm

    Texting or SMS is messaging, not “distribution of software”.

  • 4. Steven Bender  |  September 14, 2007 at 8:32 am

    Although I agree with you, I suggest it is somewhat confusing to lump behavioural biometrics into the *something you are* category. You are not born with a keystroke pattern, you develop one. These are a different type of biometric from static things like fingerprints, and work differently in several significant ways. We suggest using four categories:

    something you know
    something you have
    something you are 
    something you do

    Typing a password is a “performance” much like doing a little dance step. Keystroke recognition exploits the fact that these performances have unique and persistent traits that can be used to authenticate. Still, the user does have to perform.

    Imagic Software (http://www.imagicsoftware.com/) is the maker of Trustable Passwords, which provides robust human authentication via typing patterns. We have many thousands of enterprise users in mission-critical environments, and for sure, Trustable Passwords is considered 2-factor authentication – by us, by our customers, by their auditors, and in the context of US laws like HIPAA. Trustable Passwords does use ActiveX and Java, rather than Flash, for web authentication and has a variety of clients for enterprise network authentication.

    Even though I agree it can confuse some people, Mark does have a point by talking about password hardening in reference to a keystroke authentication system in that many people simply equate “biometric” with “fingerprint”. Until you get them off that they have a hard time understanding how keystroke recognition is different and the unique benefits that come with this technology. One other point, the article mentions vulnerability to man-in-the-middle attacks. Trustable Passwords has protections against that, among other things, as a fundamental part of our design.

    We have a lot of detailed information on our website and invite you to visit.



  • 5. Nick Staib  |  September 23, 2007 at 5:15 am

    Steven’s comments about ‘Something you do’ being a fourth factor e.g. the performance of your typing are interesting. This suggests that Biometrics covers two factors not one – e.g. ‘something you are’ and ‘something you do’.

    However, before moving on to the fourth factor it is worth emphasizing that not all ‘two factor’ solutions are the same. Where the second factor is a one time code generating device – which requires that the code be input into a potentially compromised channel (typically the PC) – then there will remain some vulnerability to a ‘man-in-the-middle’ attack.

    If a mobile (cell) phone is used to receive or generate a password for inputting into the PC, this is surely not as good as authenticating via that second channel (the phone) alone.

    An example may make this point clearer. On the PC I try to make a large third-party payment. A challenge is sent to the mobile (which I expect), I input my ‘password’ into the phone and ‘confirm the payment’. The same could happen if I use my credit card to purchase something online – or over the phone itself.

    The point is to use a technology that is utterly familiar, involve customers in decisions around their payments, and use a security platform that works across different channels.
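The second-channel payment confirmation described in the comment above, as an added example that is not the commenter’s code or any vendor’s product. Both sides are modelled: the bank forms a challenge from the payment it received over the PC channel, the phone shows that payment to the customer, and approval produces a code computed over the payment details and a fresh nonce. A man in the middle on the PC who alters the payee is shown up on the phone, and a code from one payment cannot approve another. The per-device key, the canonical message format and the eight-digit code are constructed assumptions.

```python
"""Added example: out-of-band (phone) confirmation bound to the payment details.
Constructed illustration of the comment above; not anyone's product."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

DEVICE_KEY = b"constructed-per-device-key"   # assumed: provisioned to the phone at enrolment
_PENDING = {}                                # nonce -> payment awaiting confirmation

def _canonical(payment: dict) -> bytes:
    # Fixed serialisation so bank and phone MAC exactly the same bytes.
    return json.dumps(payment, sort_keys=True, separators=(",", ":")).encode()

def _code(payment: dict, nonce: str) -> str:
    """Truncated HMAC over (payment, nonce): the code is worthless for any other
    payee, amount or session, unlike a code that depends on time alone."""
    mac = hmac.new(DEVICE_KEY, _canonical(payment) + nonce.encode(),
                   hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

def bank_receive_request(payment: dict) -> dict:
    """Bank: record the payment as it arrived over the PC channel and push it,
    with a fresh nonce, to the customer's phone."""
    nonce = secrets.token_hex(8)
    _PENDING[nonce] = payment
    return {"payment": payment, "nonce": nonce}

def phone_confirm(challenge: dict, intended: dict) -> Optional[str]:
    """Phone: display the payment in the challenge. `intended` stands for what
    the customer meant to pay; only an exact match is approved and coded, so a
    payee swapped on the PC shows up here and the customer declines."""
    shown = challenge["payment"]
    if shown != intended:
        return None
    return _code(shown, challenge["nonce"])

def bank_execute(nonce: str, code: Optional[str]) -> bool:
    """Bank: execute only the pending payment whose code verifies, and only once."""
    payment = _PENDING.pop(nonce, None)
    if payment is None or code is None:
        return False
    return hmac.compare_digest(_code(payment, nonce), code)
```

The honest flow goes through; the same nonce cannot be executed twice; a tampered payee is refused on the phone, so the bank never gets a code for it; and a code captured from an earlier honest payment does not verify against a new challenge because the nonce and details differ.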

  • 6. Robert Swartz  |  March 13, 2008 at 11:15 am

    I’d like to see all types of biometric security become standard for not just businesses but home and private use too. Nobody can duplicate fingerprints, or your retinas, so this is good strong high security which brings peace of mind. I’d love to be able to lock and unlock my car with a thumbprint, or a breath, even a retinal scan. Who knows maybe voice recognition will become part of this someday!

  • 7. Vikram  |  March 13, 2008 at 5:48 pm

    Thanks Robert.

    Not too sure about biometrics for online authentication. Still haven’t seen anything that is both economical and usable.

    Re unlocking your car with a thumb print, there was a story some time back about how a man’s Mercedes was stolen in Thailand. The car had a fingerprint lock and so the thief not only stole the car but also hacked off the person’s finger.

    Biometrics work in some situations but far too often they are not appropriate to the actual risk.

  • 8. Barry  |  May 25, 2008 at 4:00 pm

    I’ll tell you what Two Factor Authentication is! It’s the best type of security we currently have. Its detractors still like clinging to the fact that the technology was cracked some time ago. TFA has proven itself time and again to be much better than any other type of security out there and it has been adopted by many major corporations. One thing’s for sure, this type of security makes the office and the internet a safer place.

  • 9. Vikram  |  May 26, 2008 at 11:01 pm

    Thanks Barry.

    2FA does make the Internet safer, no doubt about that. But, the term covers many types of technologies- some good, some not so. I had earlier looked at 2FA in the context of the Trojan Silentbanker.

    Having said that, I don’t think authentication in itself is the sole answer for increased security, 2FA or not. For example, irrespective of authentication, back-end transaction checking is vital.

    One of the things that continues to impress me is the online banking guarantee that Westpac Bank gives in New Zealand WITHOUT requiring their customers to use 2FA.

