Multifactor Authentication FAQ
What is multi-factor authentication?
Multi-factor authentication requires users logging in to prove who they are in multiple (typically two) ways. Examples of proof include:
- You know something that no one else knows (like a password)
- You have something that no one else has (like your cell phone*)
- A unique physical characteristic (like your fingerprint)
*Yes, lots of people have cell phones but no-one else has a cell phone with your phone number
Authentication is only truly multi-factor when it mixes two different types of proof as part of signing-on.
What is two-factor authentication?
Two factor authentication is the most popular type of multi-factor authentication where the user is required to identify themselves with two sets of proof (vs. 3 or more). Often the terms two-factor and multi-factor authentication are used interchangeably. By far, the most popular flavor of two factor is something you know (like your password) combined with something you have (like your cell phone or smart-card). Using physical characteristics (biometrics) is much less common although the use steadily increasing.
What is single-factor authentication?
Single-factor authentication is just requiring one form of proof to log in. Overwhelmingly, the most popular form of single-factor authentication is requiring a userid and password to login. However, it is possible to use a different factor type as the single-factor (e.g. only require a fingerprint to log in)
Why is multi-factor better than single factor?
Passwords get stolen all the time, so do cell phones/id cards. But having someone steal both your password and your cell phone is much less likely.
But no one can steal my fingerprint/retina scan right?
Physical characteristics, called biometrics are great, they you can’t misplace your fingerprint or casually lend your retina to a friend. But there are also drawbacks, you can change your password or get a new smart card but you can never change your fingerprint. You make a conscious decision to enter your password into a system but you can’t control who gets your fingerprint. If you were to use a biometric scanner at a store to let’s say authorize a purchase, how do you know your scan information isn’t being maliciously recorded. Because of these reasons, biometrics are almost always combined with another factor. Before you get worried about your fingerprint letting you into your cell phone, remember that it is actually two factors, the bad guy would need to possess both your fingerprint and your phone to break in.
Do I need to implement multi-factor authentication to protect my systems?
Reasons that companies choose to implement multi-factor include:
- It required. Banking regulation backed by recent court rulings have pushed the financial industry to implement multi-factor. Also certain health-care industry regulations mandate multi-factor. The U.S. Government requires multi-factor (usually PIN + Smart card) for DOD related access.
- You’re afraid of exposure/liability. The term “commercially reasonable security” has become a legal term and so far, single-factor has never been deemed reasonable. If your site is breached and passwords are stolen/cracked, multi-factor greatly limits the damage.
- Your partners/customers are pushing you into it. Often auditors not only require a company to implement stronger security but also that company’s partners, suppliers, etc.
- You are worried about the increasing threat of system break in. We hear on the news that sites are hacked daily. Users tend to re-use passwords on multiple sites; even if your site is not hacked, the user’s password may have been stolen from another site. Multi-factor is a major barrier to this type of threat.
- Your site contains critical data and your (and your customers) sleep better knowing that logins are protected by an extra factor. Major vendors like Google, Microsoft, Facebook, and Salesforce have implemented two factor and the trend is accelerating.
What are the possible factors for something you know?
This is almost always a username/password, but can also be drawing a pattern, recognizing a face out of a line-up, answering a set of “secret questions”, or entering a PIN number.
What are the possible physical characteristics (something you are)?
Fingerprints are the runaway leader, but can also be retina scan, vein patterns, typing cadence pattern, facial recognition, or heart rhythms. This FAQ will not cover the merits and drawbacks of each type of biometric. Suffice to say they are all (except typing pattern) require some type of hardware device to scan the characteristic.
What are the possible factors for something you have?
There are a wide range of things, devices you can have, they include:
Tokens: The classic two factor device is called a hardware token, a small, tamper-resistant device, often attached to your key-chain that displays a seemingly random number that changes every 30-60 seconds. This number is called a Time-based one time password (TOTP). You prove that you are in possession of the token by typing in the number when prompted during the login process.
These hardware tokens are rapidly giving way to “soft tokens”, like hardware tokens but they run as an app on your smartphone or PC. Google Authenticator is an example of a soft token. Token are quick easy to use since you just look at the number and type it into the login screen when prompted. Some providers of soft-tokens even allow you to just hit a button on your phone saying you approve the login.
One Time Passwords: Instead of carrying a hardware token, or installing a soft-token software, many sites send you the one time password. Here’s how it works. When you first register on a web site, you provide a place that you, and only you can be reached such as your cell phone or home phone number. Then after you login to the web site, the web site sends a 4 to 8 digit number as a text message to your phone. The web login screen requires you type that number back. This proves you are in possession of your phone (something you have). For land-lines, the number can be read to you using Text to Speech (TTS). This method is not a quick as a hard or soft token since you have to wait to be texted or called with the one-time password; however, it does not require the end user to hold a token or install software. This make it very popular for sites like banks that deal with tens of thousands of uses.
Emailing One Time Passwords: This works just like the one-time password but instead of texting or calling, you are emailed the code. Technically this is not really two factors since the web site userid/password is something you know but then you retrieve the code using your email userid and password which is also something you know. For this reason, emailing one-time passwords is often used only as a backup when the user has lost/misplaced their phone. This is often combined with security questions like “what is your mother’s maiden name?” (also something you know) for some extra protection.
Digital Certificates: Digital certificates like X509 are special encryption keys that get installed on your computer (or smart phone) that prove that the login request must be coming from your computer and no-one else’s. So in this case they allow your computer to be the something you have. All operating systems and major browsers support digital certificate technology. This is a mature technology and is well respected but can be cumbersome to set up because obtaining a certificate for your PC is a multi-step process. It requires the generation of a request by the user, the signing of the request by an approver (Certificate Authority), the return of the signed request (public key) to the user and the installation of the key on the PC. One advantage of digital certificates is that they are usually encrypted via (personal identification number) PIN code so the user cannot use it without entering the code (something they know). Thus all by itself, certificates can fulfill two factors. This is why some government sites that use certificate authentication do not also require user ids and passwords.
Smart Cards: Smart cards are a variant of Digital Certificates, instead of placing the certificate on the PC, the certificate is installed in a microchip on a tamper-resistant, card (something you have) about the size of a credit card. When logging in, the user must then swipe the card through a smart card reader and enter their secret PIN code. This has the extra advantage of mobility in that the user can login from any machine that has a smart-card reader. The best example of this is the Common Access Card (CAC) used by the U.S. Department of Defense as their standard form of identification. The main drawback of smart cards is that it can only be used on devices that have a card reader.
How much does Multi-Factor Authentication cost?
The costs involved vary greatly depending on which options are chosen, how it is implemented and how many users are covered.
Hardware tokens typically cost around USD $20 and up. They often have sealed batteries so must be replaced every year or so. Smart cards start at USD $5 if purchased in bulk but can last indefinitely. Smart card readers can cost anywhere from USD $20 to a few hundred dollars.
Fingerprint readers can cost USD $50 to a few hundred dollars as well. The fingerprint itself is free.
Soft token applications can be free or may be bundled into a more comprehensive offering on a per-user per month cost.
One time password technology does not incur end-user hardware or software costs. But it usually incur per message costs for SMS texting and voice calls. The cost here will be hard to predict since it depends on usage. One way to greatly reduce or eliminate this cost is be emailing the one-time password to the users phone via their carriers text to SMS bridge.
The two factor service itself typically requires token management services, token revocation services, setup services and user management service. Vendors provide these services via on premise equipment and/or cloud based services. Many multi-factor vendors charge between a few dollars to tens of dollars per-user per month.
Perhaps the largest, hidden cost of multi factor authentication is the integration into existing applications. Applications that previously prompted for user name and password, must be modified to now also ask for a second factor. For standard internal systems like Microsoft Windows or Unix terminals, most multi-factor vendors provide the required software, but for custom applications, it is usually left up to the customer.