Two-factor Authentication
From Computing and Software Wiki
Line 37: | Line 37: | ||
2. Adams Kong, King-Hong Cheung, David Zhang, Mohamed Kamel and Jane YouAn. Analysis of BioHashing and Its Variants | 2. Adams Kong, King-Hong Cheung, David Zhang, Mohamed Kamel and Jane YouAn. Analysis of BioHashing and Its Variants | ||
3. Fabian Monrose and Aviel D. Rubin. Keystroke dynamics as a biometric for authentication (1999) | 3. Fabian Monrose and Aviel D. Rubin. Keystroke dynamics as a biometric for authentication (1999) | ||
- | 4. | + | 4. Anil Jain� in Hong� and Yatin Kulkarni |
+ | Department of Computer Science and EngineeringA Multimodal Biometric System Using Fingerprint, Face and Speech |
Revision as of 03:52, 16 April 2008
Two-factor authentication, also known as strong authentication, is a method which uses two different methods of authentication in order to verify a person's identity. It provides better verification then any single-factor authentication method on its own.
Contents |
Authentication
Authentication is a recent verification of a principal (source). A principal is someone connected to and participating on the network (source). There are three main methods of authenticating a principal, known as human authentication factors.
Human Authentication Factors
- What the user has
This can be something like a magnetic ID card or a drivers license that only that user owns.
- What the user knows
This is a piece of information that only the specific user being authenticated will know. For example, this can include their PIN number, a user name and password or a random number.
- What the user is
Consists mainly of biometrics, such as face recognition, retinal scanning, or fingerprint identification. In the (possibly near) future, a person's genetic sequence may be used as well.
Two-factor Authentication
The definition of two-factor authentication must be further clarified. Although it is also known as strong authentication, these are often not the same thing. This is because strong authentication does not always necessarily mean that two factors were used, just two different authentication requests.
When using two factors, it means that two out of the three of the above methods must be used. This does not mean that single method can be used more than one time (two factor pdf). For instance, when a system asks for 3 passwords, this does not qualify as two-factor authentication. However, this is technically strong authentication because it asks for 3 passwords.
Weak authentication is defined as cryptographic authentication between previously unknown parties without relying on trusted third parties (source)
Authentication Tools
The following is a list of some of the tools that are used today to provide authentication.
Magnetic Stripe Card
This is seen on bank cards, such as debit cards, on credit cards, membership cards, and many others. It can be used as a single or multi-factor authentication method, but is most commonly used as a two-factor method. For example, when using a debit card, one must input their PIN after swiping the card. It is slowly being replaced by smart cards for several reasons. First of all, it generally has a very limited storage capacity of about 1-4kb ISO/IEC 7810:2003 . It is also very easy to retrieve the information on these cards. If a card contained very sensitive information, it would be a great security risk. (source)
Smartcard
Drawbacks
In an online article (source) by (BLAH), he points out that two-factor authentication does not address current problems. He states that the multi-factor approach is still vulnerable to Trojan viruses and man-in-the-middle attacks.
In the article, it gives an example about how some banks are now using cell phones to authenticate their customers via text messages. This means that the user can login to their account from a computer using two factors instead of one, which is much harder to duplicate. However, in a man-in-the-middle attack, the man in the middle just has to wait for the user to input the information, intercept it, and then forward it along to the bank. The Trojan just waits for the person to log in and can hijack the session.
These two attacks are a more recent development, but are the most dangerous right now. So although the two-factor method is useful for many applications, other methods must be used in order to deal with all possible scenarios.
References
1. Ralf C. Hauser and LeeE. Stewart. Verification and Modelling of Authentication Protocols (1992) 2. Adams Kong, King-Hong Cheung, David Zhang, Mohamed Kamel and Jane YouAn. Analysis of BioHashing and Its Variants 3. Fabian Monrose and Aviel D. Rubin. Keystroke dynamics as a biometric for authentication (1999) 4. Anil Jain� in Hong� and Yatin Kulkarni Department of Computer Science and EngineeringA Multimodal Biometric System Using Fingerprint, Face and Speech