Two-factor Authentication

Computer authentication is all about making sure that people are who they say they are. Authentication is usually the first step that you have to perform before being allowed to work on a computer.

For most of us today, authentication is synonymous with entering a username and password. Passwords are one form of authentication, and when you perform only one such form you are employing single-factor authentication.

Two-factor authentication is becoming increasingly important. Passwords are much too easy to “steal” by guessing them, phishing for them or simply looking under mouse pads.

Two-factor authentication requires, naturally, two mechanisms for authentication. A password might be used, but only accompanied by something else. What other authentication “factors” are there?

Wikipedia has a good taxonomy for authentication techniques. It breaks up authentication into three categories:

  • Something a person knows
  • Something a person has
  • Something a person is or does

A password is an example of something a person knows. A smartcard is an example of something the person has. A fingerprint is an example of something a person is or does.

In case you’re thinking that a person has a fingerprint, you may be right. The difference between has and is may not always be easy to ascertain. To some degree, it’s a matter of convenience and intended purpose. The intended distinction between the two categories is that while you can lose or give away something you have, you can’t do the same with something you are or do. This is mostly true, although if you saw Minority Report or, more recently, the made-for-TV version of The Andromeda Strain, you’ve seen gruesome fictional depictions of “stealing” eyeballs and fingerprints.

Two-factor authentication requires that two authentication techniques be employed. Ideally each technique would use a different mechanism: perhaps something you know (a password) and something you have (an RSA or Verisign OTP device). Some companies, however, have started to make use of two-factor authentication based on two things the user knows. You’ve probably seen banking Web sites, for example, that ask you for a password as well as your mother’s maiden name or the name of your pet.
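As an added illustration, not part of the original post, of how a password and an OTP device combine into two genuinely different factors: the one-time code is derived from a secret that lives only in the device, using RFC 4226's counter-based HOTP algorithm (the shared secret below is that RFC's published test secret), while the password, its salt and the look-ahead window are constructed demo values.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not from the post). The secret is RFC 4226's
# published test secret, so the codes below match the RFC's test vectors.
DEVICE_SECRET = b"12345678901234567890"
PASSWORD_SALT = b"demo-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", PASSWORD_SALT, 100_000)
LOOK_AHEAD = 5  # how far the server tolerates the token's counter running ahead


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced mod 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Server:
    """Server-side state: the stored password hash and the next expected counter."""

    def __init__(self) -> None:
        self.counter = 0  # next counter value the server will accept

    def check_password(self, password: str) -> bool:
        # Something the user knows: compared in constant time against the stored hash.
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 100_000)
        return hmac.compare_digest(digest, PASSWORD_HASH)

    def check_otp(self, code: str) -> bool:
        # Something the user has: accept a code within the look-ahead window, then
        # advance past the matched counter so the same code cannot be replayed.
        for c in range(self.counter, self.counter + LOOK_AHEAD):
            if hmac.compare_digest(hotp(DEVICE_SECRET, c), code):
                self.counter = c + 1
                return True
        return False

    def login(self, password: str, code: str) -> bool:
        # Both factors must pass; the OTP counter is only consumed once the password holds.
        return self.check_password(password) and self.check_otp(code)
```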

Being in the security space, my company has spent a lot of time looking into the issue of two-factor authentication. Smartcards seem like a great idea, but we are disillusioned by inconsistent implementation of standards and the need for a plethora of drivers for different devices and different cards. OTP (one-time password) devices don’t require any drivers, but the companies that dominate the market (RSA and Verisign) are not very partner friendly.

Employing biometrics seems like a good alternative to relying on what the user has. IBM/Lenovo laptops have been shipping fingerprint readers for years. Microsoft makes an inexpensive fingerprint reader, as well.

Maybe, soon, giving your computer “the finger” will take on a completely different meaning.