Two-factor Authentication
From Computing and Software Wiki
Current revision as of 05:09, 16 April 2008
Two-factor authentication, also known as strong authentication, is a method which uses two different methods of authentication in order to verify a person's identity. It provides better verification than any single-factor authentication method on its own.
Authentication
Authentication is a recent verification of a principal [1]; "recent" matters, because a verification that happened long ago says little about who is at the other end now. A principal is someone connected to and participating in the network [1]. There are three main methods of authenticating a principal, known as human authentication factors [6].
Human Authentication Factors
- What the user has
This can be something like a magnetic ID card or a driver's license that only that user possesses.
- What the user knows
This is a piece of information that only the specific user being authenticated will know. For example, this can include a PIN, a user name and password, or a secret number agreed with the system in advance.
- What the user is
Consists mainly of biometrics, such as face recognition, retinal scanning, or fingerprint identification. In the (possibly near) future, a person's genetic sequence may be used as well.
Two-factor Authentication
The definition of two-factor authentication must be further clarified. Although it is also known as strong authentication, the two are often not the same thing. Strong authentication does not necessarily mean that two factors were used, only that two different authentication requests were made.
When using two factors, two out of the three methods above must be used. Using a single method more than once does not count [6]. For instance, when a system asks for three passwords, this does not qualify as two-factor authentication, because all three come from "what the user knows" and are exposed to the same attacks (guessing, phishing, keylogging). It is, however, technically strong authentication because it asks for three separate credentials.
Weak authentication is a separate notion, not simply the opposite of strong authentication: it is defined as cryptographic authentication between previously unknown parties without relying on trusted third parties [9].
Authentication Tools
The following is a list of some of the tools that are used today to provide authentication.
Magnetic Stripe Card
This is seen on bank cards, such as debit cards, on credit cards, membership cards, and many others. It can be used as a single- or multi-factor authentication method, but is most commonly used as a two-factor method. For example, when using a debit card, one must input a PIN (something the user knows) after swiping the card (something the user has). It is slowly being replaced by smart cards for several reasons. First of all, it generally has a very limited storage capacity of about 1-4 kilobits (ISO/IEC 7810:2003). It is also very easy to retrieve the information on these cards: the stripe holds static data that any inexpensive reader can copy, so a skimmed card can be cloned [7]. If a card contained very sensitive information, it would be a great security risk.
Smartcard
This form of authentication is based on the idea of magnetic stripe cards. However, it uses a more secure method and has a larger storage capacity [5]. Each card can contain a microprocessor or simply a secure form of memory [6]. There are many types of smartcards, differing in security level or in the amount of memory they can hold [6]. The type most often referred to as a smartcard contains a simple microprocessor with a small amount of memory; the microprocessor allows reading and writing to be restricted in both software and hardware, so secrets such as keys can be used on the card without ever being read out [6]. There is also a memory card that stores 20 kilobytes of data and has simple read and write protection [6]. There is also an optical storage card, which can only be written to once and cannot be erased [6].
In summary, the main benefits compared to magnetic stripe cards are the increased storage of memory and improved security.
Biometrics
Biometrics uses a person's biological traits in order to confirm their identity [4]. It provides an identification method that is unique to each person and that every person always carries. However, no completely accurate system has been created as of yet [2]. Using multiple biometrics, such as face, speech and fingerprint, can improve accuracy, but is still not completely accurate [4].
An approach known as biohashing has been reported to produce near 100% accuracy [2]. It combines the biometric data with a user-specific pseudo-random number, typically stored on a token the user holds, in a mathematical transformation whose output is compared at authentication time [2]. The reported accuracy depends on that number staying secret: the analysis in [2] shows that if the token is stolen, so that an impostor presents the genuine user's number, performance falls back to that of the underlying biometric alone.
One-time password token
These tokens generate pseudo-random numbers that match up with the system that is trying to authenticate the person, typically by computing a short code from a secret shared with the server and a counter or the current time. The person in question will have a device that outputs these numbers, and each code is accepted only once. This removes the problem of stolen or replayed static passwords, as long as the device itself is not stolen; a code captured and relayed while it is still fresh is another matter (see Drawbacks).
Drawbacks
In an online article [8], Bruce Schneier points out that two-factor authentication does not address the current problems. He states that the multi-factor approach is still vulnerable to Trojans (malware on the user's own computer) and to man-in-the-middle attacks.
The article gives an example of banks that now use cell phones to authenticate their customers via text messages. The user can then log in to their account from a computer using two factors instead of one, which is much harder to duplicate. However, in a man-in-the-middle attack, the attacker (for instance, a phishing site) simply waits for the user to enter the information, intercepts it, and forwards it to the bank in real time, before the one-time code expires. The Trojan waits for the person to log in legitimately and then hijacks the authenticated session, so it never needs the second factor at all.
These two attacks are a more recent development, but they are the most dangerous right now. So although the two-factor method is useful for many applications, other methods must be used in order to deal with all possible scenarios; the article's own suggestion is to authenticate the transaction rather than only the person, so that a relayed credential cannot be reused for a transaction the user did not intend [8].
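The token behaviour described under "One-time password token" and the relay attack described here can be shown together. The following is an added example, not code from the original page or from any of the cited sources: it implements the HOTP counter-based one-time password scheme (RFC 4226, the standard most hardware tokens of this kind follow), a server that accepts each code once within a small look-ahead window, and a simulated relay attacker. The bank, user name, transaction string format and the transaction-bound code construction (HMAC over the transaction details) are assumptions made for this example; the secret is the RFC 4226 test-vector secret so the first code can be checked against the published vector.

```python
"""HOTP token plus relay-attack sketch (added example, RFC 4226 HOTP).

The Token/Server split, the user "alice", the transaction format and the
transaction-binding construction are this example's own assumptions.
"""
import hashlib
import hmac
import struct

DIGITS = 6
LOOK_AHEAD = 5  # counters the server searches past the last accepted one


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def tx_key(secret: bytes, tx: str) -> bytes:
    """Hypothetical transaction binding: derive the HOTP key from the transaction text."""
    return hmac.new(secret, tx.encode(), hashlib.sha256).digest()


class Token:
    """The device in the user's pocket: a secret and a counter that only moves forward."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code

    def sign_transaction(self, tx: str) -> str:
        # The code is only valid for exactly this transaction text.
        code = hotp(tx_key(self.secret, tx), self.counter)
        self.counter += 1
        return code


class Server:
    """Constructed bank back end: per-user secret and last accepted counter."""

    def __init__(self):
        self.users = {}  # user -> [secret, last accepted counter]

    def enroll(self, user: str, secret: bytes) -> None:
        self.users[user] = [secret, -1]

    def _verify(self, user: str, code: str, key: bytes) -> bool:
        last = self.users[user][1]
        for c in range(last + 1, last + 1 + LOOK_AHEAD):
            if hmac.compare_digest(hotp(key, c), code):
                self.users[user][1] = c  # burn this counter: the code cannot be replayed
                return True
        return False

    def login(self, user: str, code: str) -> bool:
        return self._verify(user, code, self.users[user][0])

    def approve(self, user: str, tx: str, code: str) -> bool:
        return self._verify(user, code, tx_key(self.users[user][0], tx))


def relay_login(bank: Server, user: str, victim_code: str) -> bool:
    """Phishing-site relay: the fresh code is forwarded unchanged, within its window."""
    return bank.login(user, victim_code)


def relay_transaction(bank: Server, user: str, victim_code: str, attacker_tx: str) -> bool:
    """The attacker swaps the transaction but can only replay the victim's code."""
    return bank.approve(user, attacker_tx, victim_code)


def demo() -> dict:
    secret = b"12345678901234567890"  # RFC 4226 test-vector secret
    token, bank = Token(secret), Server()
    bank.enroll("alice", secret)
    r = {}
    code = token.press()
    r["rfc_vector"] = code == "755224"                # first RFC 4226 vector
    r["relay_login"] = relay_login(bank, "alice", code)  # relay succeeds: True
    r["replay"] = bank.login("alice", code)           # same code again: False
    tx = "pay 100 to ACCT-PAYEE"                      # constructed transaction
    code = token.sign_transaction(tx)
    r["relay_tx_altered"] = relay_transaction(bank, "alice", code, "pay 100 to ACCT-ATTACKER")
    r["genuine_tx"] = bank.approve("alice", tx, code)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The login relay succeeds because nothing in a plain one-time code ties it to the session that presented it; the server only learns that the holder of the token pressed the button recently. Binding the code to the transaction text does not stop the attacker from seeing the code, but a code computed over "pay 100 to ACCT-PAYEE" does not verify against an altered transaction, which is the point of authenticating the transaction rather than the person.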
References
1. Ralf C. Hauser and Lee E. Stewart. Verification and Modelling of Authentication Protocols (1992)
2. Adams Kong, King-Hong Cheung, David Zhang, Mohamed Kamel and Jane You. An Analysis of BioHashing and Its Variants
3. Fabian Monrose and Aviel D. Rubin. Keystroke Dynamics as a Biometric for Authentication (1999)
4. Anil Jain, Lin Hong and Yatin Kulkarni. A Multimodal Biometric System Using Fingerprint, Face and Speech
5. Steve Petri. An Introduction to Smart Cards
6. Doug Graham. It's All About Authentication (2003)
7. Mark Arend. New Card Fraud Weapons Emerge (1993)
8. Bruce Schneier. The Failure of Two-Factor Authentication. Schneier on Security (2005). http://www.schneier.com/blog/archives/2005/03/the_failure_of.html
9. Jari Arkko and Pekka Nikander. How to Authenticate Unknown Principals without Trusted Parties (2002)
