This article provides an overview of multifactor authentication, the different types of authentication factors which exists and how factors are combined to strengthen the security of your systems.
A authentication factor is a piece of evidence that helps a system determine whether you are who you claim to be. When taking about factors, we are usually referring to the type of evidence provided. There are three types of evidence:
- Something you know (Knowledge)
- Something you have (Possession)
Something you are (Inherence)
Your password is a something you know factor. The security of your password depends on how well you can keep it a secret and how hard it is to guess for other people. Security keys and code generator dongles are examples of something you have factors. The security depends on the fact that you carry a physical item around which only you have access to. Something you are factors are more directly associated to the user. The security is based on measuring biometric properties such as fingerprint, face or iris scanning.
Passwords may be stolen, guessed or reused. Security keys can be stolen or lost. Fingerprint scanners can be fooled. Since factors have different strengths and weaknesses, it is useful to combine them to provide stronger overall security. This can be used to improve password security by requiring verification of an extra factor (two-factor verification), or it can replace passwords with two other factors (password-less login).
Two-step verification combines username and password authentication with the proof of a second factor.
The second factor can be something you have (using a physical security key, a code generator or a mobile phone). Combining two factors improves the security of the authentication, at the cost of reducing the convenience for the user signing in. To reduce inconvenience, it is common to allow users to 'remember' the verification of the second factor using a browser cookie token. This way, users are not forced to always use their second factor, while an attacker cannot get access by having access to the password alone.
Remembering passwords and typing them correctly is hard and inconvenient for users. The goal of password-less login is to combine two authentication factors, but remove the need for a traditional username and password login step. Password-less login combines a something you have factor with a something you are factor in a single, unified authentication ceremony.
Examples of technologies which support password-less logins are fingerprint or face recognition using Windows Hello and Touch ID fingerprint scanning on MacOS. Some USB Security Keys also have built-in support for fingerprint scanning. Password-less is emerging as an attractive alternative to two-step verification, mainly because it improves security while at the same time being more convenient to use.
- Multifactor registration
- Logging in with extra verification
- Multifactor policy configuration
- Password-less login
- WebSudo reverification