
Multi-factor authentication

Multi-factor authentication (MFA; encompassing two-factor authentication, or 2FA, along with similar terms) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is). MFA protects user data, which may include personal identification or financial assets, from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.

A third-party authenticator (TPA) app enables two-factor authentication, usually by showing a randomly generated and frequently changing code to use for authentication.

Factors
Authentication takes place when someone tries to log into a computer resource (such as a network, device, or application). The resource requires the user to supply the identity by which the user is known to the resource, along with evidence of the authenticity of the user's claim to that identity. Simple authentication requires only one such piece of evidence (factor), typically a password. For additional security, the resource may require more than one factor: multi-factor authentication, or two-factor authentication in cases where exactly two pieces of evidence are to be supplied.[1]

The use of multiple authentication factors to prove one's identity is based on the premise that an unauthorized actor is unlikely to be able to supply the factors required for access. If, in an authentication attempt, at least one of the components is missing or supplied incorrectly, the user's identity is not established with sufficient certainty and access to the asset (e.g., a building, or data) being protected by multi-factor authentication then remains blocked. The authentication factors of a multi-factor authentication scheme may include:[2]

Something the user has: Any physical object in the possession of the user, such as a security token (USB stick), a bank card, a key, etc.
Something the user knows: Certain knowledge only known to the user, such as a password, PIN, etc.
Something the user is: Some physical characteristic of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc.

An example of two-factor authentication is the withdrawing of money from an ATM; only the correct combination of a bank card (something the user possesses) and a PIN (something the user knows) allows the transaction to be carried out. Two other examples are to supplement a user-controlled password with a one-time password (OTP) or code generated or received by an authenticator (e.g. a security token or smartphone) that only the user possesses.[3]

A third-party authenticator app enables two-factor authentication in a different way, usually by showing a constantly refreshing code, derived from a secret shared with the service and the current time, which the user types in rather than receiving an SMS or using another method. Because the code is computed on the device from that secret, a big benefit of these apps is that they usually continue to work even without an internet connection. Examples of third-party authenticator apps include Google Authenticator, Authy and Microsoft Authenticator; some password managers such as LastPass offer the service as well.[4]

Knowledge

Knowledge factors are a form of authentication. In this form, the user is required to prove knowledge of a secret in order to authenticate.

A password is a secret word or string of characters that is used for user authentication. This is the most commonly used mechanism of authentication.[2] Many multi-factor authentication techniques rely on passwords as one factor of authentication. Variations include both longer ones formed from multiple words (a passphrase) and the shorter, purely numeric, PIN commonly used for ATM access. Traditionally, passwords are expected to be memorized.

Possession

RSA SecurID token, an example of a disconnected token generator


Possession factors ("something only the user has") have been used for authentication for centuries, in the form of a key to a lock. The basic principle is that the key embodies a secret that is shared between the lock and the key, and the same principle underlies possession factor authentication in computer systems. A security token is an example of a possession factor.

Disconnected tokens have no connection to the client computer. They typically use a built-in screen to display the generated authentication data, which is manually typed in by the user. This type of token mostly uses an OTP that can only be used for that specific session.[5]

A USB security token

Connected tokens are devices that are physically connected to the computer to be used. Those devices transmit data automatically.[6] There are a number of different types, including USB tokens, smart cards and wireless tags.[6] Increasingly, FIDO2-capable tokens, supported by the FIDO Alliance and the World Wide Web Consortium (W3C), have become popular, with mainstream browser support beginning in 2015.

A software token (a.k.a. soft token) is a type of two-factor authentication security device that may be used to authorize the use of computer services. Software tokens are stored on a general-purpose electronic device such as a desktop computer, laptop, PDA, or mobile phone and can be duplicated. (Contrast hardware tokens, where the credentials are stored on a dedicated hardware device and therefore cannot be duplicated, absent physical invasion of the device.) A soft token may not be a device the user interacts with. Typically an X.509v3 certificate is loaded onto the device and stored securely to serve this purpose.

Multi-factor authentication also has application in physical security systems. These physical security systems are known and commonly referred to as access control. Multi-factor authentication is typically deployed in access control systems through the use, firstly, of a physical possession (such as a fob, keycard, or QR-code displayed on a device) which acts as the identification credential, and secondly, a validation of one's identity such as facial biometrics or retinal scan. This form of multi-factor authentication is commonly referred to as facial verification or facial authentication.

Inherent

These are factors associated with the user, and are usually biometric methods, including fingerprint, face,[7] voice, or iris recognition. Behavioral biometrics such as keystroke dynamics can also be used.

Location

Increasingly, a fourth factor is coming into play involving the physical location of the user. While hard-wired to the corporate network, a user could be allowed to log in using only a PIN code, whereas if the user was off the network, entering a code from a soft token as well could be required. This could be seen as an acceptable standard where access into the office is controlled.

Systems for network admission control work in similar ways, where the level of network access can be contingent on the specific network a device is connected to, such as Wi-Fi vs wired connectivity. This also allows a user to move between offices and dynamically receive the same level of network access in each.

Mobile phone-based authentication
Two-factor authentication over text message was developed as early as 1996, when AT&T described a system for authorizing transactions based on an exchange of codes over two-way pagers.[8][9]

Many multi-factor authentication vendors offer mobile phone-based authentication. Some methods include push-based authentication, QR code-based authentication, one-time password authentication (event-based and time-based), and SMS-based verification. SMS-based verification suffers from some security concerns. Phones can be cloned, apps can run on several phones and cell-phone maintenance personnel can read SMS texts. Not least, cell phones can be compromised in general, meaning the phone is no longer something only the user has.

The major drawback of authentication including something the user possesses is that the user must carry around the physical token (the USB stick, the bank card, the key or similar), practically at all times. Loss and theft are risks. Many organizations forbid carrying USB and electronic devices in or out of premises owing to malware and data theft risks, and most important machines do not have USB ports for the same reason. Physical tokens usually do not scale, typically requiring a new token for each new account and system. Procuring and subsequently replacing tokens of this kind involves costs. In addition, there are inherent conflicts and unavoidable trade-offs between usability and security.[10]

Two-step authentication involving mobile phones and smartphones provides an alternative to dedicated physical devices. To authenticate, people can use their personal access codes to the device (i.e. something that only the individual user knows) plus a one-time-valid, dynamic passcode, typically consisting of 4 to 6 digits. The passcode can be sent to their mobile device[1] by SMS or can be generated by a one-time passcode-generator app. In both cases, the advantage of using a mobile phone is that there is no need for an additional dedicated token, as users tend to carry their mobile devices around at all times.

Notwithstanding the popularity of SMS verification, security advocates have publicly criticized it,[11] and in July 2016 a United States NIST draft guideline proposed deprecating it as a form of authentication.[12] A year later the finalized guideline (SP 800-63B) kept SMS as an allowed out-of-band authenticator, classifying it as "restricted" rather than deprecated.[13]

In 2016 and 2017 respectively, both Google and Apple started offering users two-step authentication with push notifications[2] as an alternative method.[14][15]

Security of mobile-delivered security tokens fully depends on the mobile operator's operational security and can be easily breached by wiretapping or SIM cloning by national security agencies.[16]

Advantages:
No additional tokens are necessary because it uses mobile devices that are (usually) carried all the time.
As they are constantly changed, dynamically generated passcodes are safer to use than fixed (static) log-in information.
Depending on the solution, passcodes that have been used are automatically replaced in order to ensure that a valid code is always available; transmission/reception problems do not, therefore, prevent logins.

Disadvantages:
Users may still be susceptible to phishing attacks. An attacker can send a text message that links to a spoofed website that looks identical to the actual website. The attacker can then get the authentication code, user name and password.[17]
A mobile phone is not always available: it can be lost, stolen, have a dead battery, or otherwise not work.
Despite their growing popularity, some users may not even own a mobile device, and take umbrage at being required to own one as a condition of using some service on their home PC.
Mobile phone reception is not always available; large areas, particularly outside of towns, lack coverage.
SIM cloning gives hackers access to mobile phone connections. Social-engineering attacks against mobile-operator companies have resulted in the handing over of duplicate SIM cards to criminals.[18]
Text messages to mobile phones using SMS are insecure and can be intercepted by IMSI-catchers. Thus third parties can steal and use the token.[19]
Account recovery typically bypasses mobile-phone two-factor authentication.[1]
Modern smartphones are used both for receiving email and SMS. So if the phone is lost or stolen and is not protected by a password or biometric, all accounts for which the email is the key can be hacked, as the phone can receive the second factor.
Mobile carriers may charge the user for messaging fees.

Legislation and regulation


The Payment Card Industry (PCI) Data Security Standard, requirement 8.3, requires the use of MFA for all remote network access that originates from outside the network to a Card Data Environment (CDE).[20] Beginning with PCI-DSS version 3.2, the use of MFA is required for all administrative access to the CDE, even if the user is within a trusted network.

European Union

The second Payment Services Directive requires "strong customer authentication" on most electronic payments in the European Economic Area since September 14, 2019.[21]

India
In India, the Reserve Bank of India mandated two-factor authentication for all online transactions made using a debit or credit card, using either a password or a one-time password sent over SMS. This was temporarily withdrawn in 2016 for transactions up to ₹2,000 in the wake of the November 2016 banknote demonetisation. Vendors such as Uber were mandated by the bank to amend their payment processing systems in compliance with this two-factor authentication rollout.[22][23][24]

United States
Details for authentication for federal employees and contractors in the U.S. are defined in Homeland Security Presidential Directive 12 (HSPD-12).[25]

Existing authentication methodologies involve the three basic types of "factors" explained above. Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods.[26]

IT regulatory standards for access to federal government systems require the use of multi-factor authentication to access sensitive IT resources, for example when logging on to network devices to perform administrative tasks[27] and when accessing any computer using a privileged login.[28]

NIST Special Publication 800-63-3 discusses various forms of two-factor authentication and provides guidance on using them in business processes requiring different levels of assurance.[29]

In 2005, the United States' Federal Financial Institutions Examination Council issued guidance for financial institutions recommending that they conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing online financial services, officially recommending the use of authentication methods that depend on more than one factor (specifically, what a user knows, has, and is) to determine the user's identity.[30] In response to the publication, numerous authentication vendors began improperly promoting challenge-questions, secret images, and other knowledge-based methods as "multi-factor" authentication. Due to the resulting confusion and widespread adoption of such methods, on August 15, 2006, the FFIEC published supplemental guidelines, which state that by definition a "true" multi-factor authentication system must use distinct instances of the three factors of authentication it had defined, and not just use multiple instances of a single factor.[31]

Security
According to proponents, multi-factor authentication could drastically reduce the incidence of online identity theft and other online fraud, because the victim's password would no longer be enough to give a thief permanent access to their information. However, many multi-factor authentication approaches remain vulnerable to phishing,[32] man-in-the-browser, and man-in-the-middle attacks.[33] Two-factor authentication in web applications is especially susceptible to phishing, particularly when the code is delivered by SMS or e-mail: a spoofed site that relays whatever the victim types to the genuine site in real time obtains a still-valid code along with the password. In response, many experts advise users not to share their verification codes with anyone,[34] and many web application providers place an advisory in an e-mail or SMS containing a code.[35]
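What separates the FIDO2 tokens mentioned in the Possession section from the code-based methods discussed here is that the browser and authenticator bind each login to the site's origin and to a server-issued challenge, so a code relayed from a look-alike domain is of no use to the attacker. The following is an added example, not code from the article or from the FIDO Alliance or W3C specifications themselves; it performs the relying-party checks on a WebAuthn assertion that give that protection, using constructed inputs in place of what a browser would send. The RP ID example.com and origin https://login.example.com are assumptions. The one step not shown is verifying the signature over the returned bytes with the credential's stored public key, which needs a signature library and the key from registration.

```python
import base64
import hashlib
import hmac
import json
import struct
from typing import Optional

# Assumed relying-party settings (not from the article): the RP ID the credential was
# registered under and the exact origin allowed to use it.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://login.example.com"

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric on the authenticator)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Fixed prefix of authenticatorData: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": auth_data[:32], "flags": auth_data[32], "sign_count": sign_count}


def check_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                    stored_sign_count: int, require_uv: bool = False) -> Optional[bytes]:
    """Run the binding checks a relying party performs before signature verification.

    Returns the message the authenticator signed (authData || SHA-256(clientDataJSON)) when
    every check passes, so the caller can verify the signature with the credential's stored
    public key; returns None on any failure."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return None
    # Challenge binding: a captured assertion cannot be replayed against a fresh challenge.
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        return None
    # Origin binding: the browser writes the page's real origin here, so an assertion
    # produced on a look-alike phishing domain carries the wrong origin.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return None
    parsed = parse_authenticator_data(auth_data)
    # The authenticator hashes the RP ID it was asked to use; it must be ours.
    if not hmac.compare_digest(parsed["rp_id_hash"], hashlib.sha256(RP_ID.encode()).digest()):
        return None
    if not parsed["flags"] & FLAG_UP:
        return None
    if require_uv and not parsed["flags"] & FLAG_UV:
        return None
    # Signature counter: a value that fails to increase suggests a cloned authenticator.
    if (stored_sign_count or parsed["sign_count"]) and parsed["sign_count"] <= stored_sign_count:
        return None
    return auth_data + hashlib.sha256(client_data_json).digest()


# Constructed sample inputs standing in for what a browser and authenticator would produce.
def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def make_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


CHALLENGE = bytes(range(32))  # constructed; a real server draws it from os.urandom(32)


def demo() -> dict:
    """A genuine login, the same credential used on a phishing page, and a stale counter."""
    auth = make_auth_data(RP_ID, FLAG_UP | FLAG_UV, sign_count=42)
    genuine = check_assertion(make_client_data(EXPECTED_ORIGIN, CHALLENGE), auth, CHALLENGE, 41)
    phished = check_assertion(make_client_data("https://login.example.com.evil.test", CHALLENGE),
                              auth, CHALLENGE, 41)
    stale = check_assertion(make_client_data(EXPECTED_ORIGIN, CHALLENGE), auth, CHALLENGE, 42)
    return {"genuine": genuine is not None, "phished": phished is not None,
            "stale_counter": stale is not None}


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'phished': False, 'stale_counter': False}
```

The phishing case fails on the origin check even before the RP ID hash is compared; in a real attack both would mismatch, because the authenticator on the phishing page would also have been asked for the attacker's RP ID. Neither check exists for an SMS or app-generated code, which is why those remain relayable.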

Multi-factor authentication may be ineffective[36] against modern threats like ATM skimming, phishing, and malware.[37]

In May 2017, O2 Telefónica, a German mobile service provider, confirmed that cybercriminals had exploited SS7 vulnerabilities to bypass SMS-based two-step authentication and make unauthorized withdrawals from users' bank accounts. The criminals first infected the account holders' computers to steal their bank account credentials and phone numbers. Then the attackers purchased access to a fake telecom provider and set up a redirect of the victims' phone numbers to handsets they controlled. Finally, the attackers logged into the victims' online bank accounts and requested transfers to accounts they owned; the SMS passcodes were routed to the attacker-controlled numbers and the money was transferred out.[38]

Implementation
Many multi-factor authentication products require users to deploy client software to make multi-factor authentication systems work. Some vendors have created separate installation packages for network login, Web access credentials, and VPN connection credentials. For such products, there may be four or five different software packages to push down to the client PC in order to make use of the token or smart card. This translates to four or five packages on which version control has to be performed, and four or five packages to check for conflicts with business applications. If access can be operated using web pages, it is possible to limit the overheads outlined above to a single application. With other multi-factor authentication technology such as hardware token products, no software must be installed by end-users.

There are drawbacks to multi-factor authentication that are keeping many approaches from becoming widespread. Some users have difficulty keeping track of a hardware token or USB plug. Many users do not have the technical skills needed to install a client-side software certificate by themselves. Generally, multi-factor solutions require additional investment for implementation and costs for maintenance. Most hardware token-based systems are proprietary, and some vendors charge an annual fee per user. Deployment of hardware tokens is logistically challenging. Hardware tokens may get damaged or lost, and issuance of tokens in large industries such as banking or even within large enterprises needs to be managed. In addition to deployment costs, multi-factor authentication often carries significant additional support costs. A 2008 survey[39] of over 120 U.S. credit unions by the Credit Union Journal reported on the support costs associated with two-factor authentication. In their report, software certificates and software toolbar approaches were reported to have the highest support costs.

Research into deployments of multi-factor authentication schemes[40] has shown that one of the elements that tend to impact the adoption of such systems is the line of business of the organization that deploys the multi-factor authentication system. Examples cited include the U.S. government, which employs an elaborate system of physical tokens (which themselves are backed by robust Public Key Infrastructure), as well as private banks, which tend to prefer multi-factor authentication schemes for their customers that involve more accessible, less expensive means of identity verification, such as an app installed onto a customer-owned smartphone. Despite the variations that exist among available systems that organizations may have to choose from, once a multi-factor authentication system is deployed within an organization it tends to remain in place, as users acclimate to the presence and use of the system and come to accept it as a normal part of their daily interaction with the relevant information system.

While the perception is that multi-factor authentication is within the realm of perfect security, Roger Grimes writes[41] that if not properly implemented and configured, multi-factor authentication can in fact be easily defeated.

Patents
In 2013, Kim Dotcom claimed to have invented two-factor authentication in a 2000 patent,[42] and briefly threatened to sue all the major web services. However, the European Patent Office revoked his patent[43] in light of an earlier 1998 U.S. patent held by AT&T.[44]

See also
Electronic authentication
Identity management
Multi-party authorization
Mutual authentication
Reliance authentication
Strong authentication
Universal 2nd Factor

References
1. "Two-factor authentication: What you need to know (FAQ)". CNET. https://www.cnet.com/news/two-factor-authentication-what-you-need-to-know-faq Retrieved 2015-10-31.
2. Jacomme, Charlie; Kremer, Steve (2021-02-01). "An Extensive Formal Analysis of Multi-factor Authentication Protocols". ACM Transactions on Privacy and Security 24(2): 1–34. doi:10.1145/3440712. ISSN 2471-2566. S2CID 231791299. https://dl.acm.org/doi/10.1145/3440712
3. NIST (2016-06-28). "Back to basics: Multi-factor authentication (MFA)". https://www.nist.gov/itl/applied-cybersecurity/tig/back-basics-multi-factor-authentication (archived 2021-04-06 at https://web.archive.org/web/20210406235123/https://www.nist.gov/itl/applied-cybersecurity/tig/back-basics-multi-factor-authentication). Retrieved 2021-04-06.
4. Barrett, Brian (2018-07-22). "How to Secure Your Accounts With Better Two-Factor Authentication". Wired. https://www.wired.com/story/two-factor-authentication-apps-authy-google-authenticator/ Retrieved 2020-09-12.
5. "Configuring One-Time Passwords". SonicWall. https://www.sonicwall.com/support/knowledge-base/configuring-one-time-passwords/170505594681886/ Retrieved 2022-01-19.
6. van Tilborg, Henk C.A.; Jajodia, Sushil, eds. (2011). Encyclopedia of Cryptography and Security, Volume 1. Berlin: Springer Science & Business Media. p. 1305. ISBN 9781441959058.
7. Cao, Liling; Ge, Wancheng (2015-03-10). "Analysis and improvement of a multi-factor biometric authentication scheme". Security and Communication Networks 8(4): 617–625. doi:10.1002/sec.1010. https://onlinelibrary.wiley.com/doi/10.1002/sec.1010
8. "Does Kim Dotcom have original 'two-factor' login patent?". The Guardian. 2013-05-23. https://www.theguardian.com/technology/2013/may/23/kim-dotcom-authentication-patents Retrieved 2022-11-02.
9. EP 0745961, "Transaction authorization and alert system", issued 1996-12-04. https://worldwide.espacenet.com/textdoc?DB=EPODOC&IDX=EP0745961
10. Wang, Ding; He, Debiao; Wang, Ping; Chu, Chao-Hsien (2014). "Anonymous Two-Factor Authentication in Distributed Systems: Certain Goals Are Beyond Attainment" (PDF). IEEE Transactions on Dependable and Secure Computing. http://eprint.iacr.org/2014/135.pdf Retrieved 2018-03-23.
11. Greenberg, Andy (2016-06-26). "So Hey You Should Stop Using Texts For Two-factor Authentication". Wired. https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/ Retrieved 2018-05-12.
12. "NIST is No Longer Recommending Two-Factor Authentication Using SMS". Schneier on Security. 2016-08-03. https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html Retrieved 2017-11-30.
13. "Rollback! The United States NIST no longer recommends "Deprecating SMS for 2FA"". blogs.sap.com. 2017-07-06. https://blogs.sap.com/2017/07/06/rollback-the-united-states-nist-no-longer-recommends-deprecating-sms-for-2fa/ Retrieved 2019-05-21.
14. Tung, Liam. "Google prompt: You can now just tap 'yes' or 'no' on iOS, Android to approve Gmail sign-in". ZDNet. https://www.zdnet.com/article/google-prompt-you-can-now-just-tap-yes-or-no-on-ios-android-to-approve-gmail-sign-in/ Retrieved 2017-09-11.
15. Miller, Chance (2017-02-25). "Apple prompting iOS 10.3". 9to5Mac. https://9to5mac.com/2017/02/25/two-factor-authentication-ios-10-3/ Retrieved 2017-09-11.
16. "How Russia Works on Intercepting Messaging Apps". Bellingcat. 2016-04-30. https://www.bellingcat.com/news/2016/04/30/russia-telegram-hack/ (archived 2016-04-30 at https://web.archive.org/web/20160430211219/https://www.bellingcat.com/news/2016/04/30/russia-telegram-hack/). Retrieved 2016-04-30.
17. Kan, Michael (2019-03-07). "Google: Phishing Attacks That Can Beat Two-Factor Are on the Rise". PCMag. https://www.pcmag.com/news/367026/google-phishing-attacks-that-can-beat-two-factor-are-on-the Retrieved 2019-09-09.
18. Nichols, Shaun (2017-07-10). "Two-factor FAIL: Chap gets pwned after 'AT&T falls for hacker tricks'". The Register. https://www.theregister.co.uk/2017/07/10/att_falls_for_hacker_tricks/ Retrieved 2017-07-11.
19. Toorani, Mohsen; Beheshti, A. (2008). "SSMS – A secure SMS messaging protocol for the m-payment systems". 2008 IEEE Symposium on Computers and Communications, pp. 700–705. arXiv:1002.3171. doi:10.1109/ISCC.2008.4625610. ISBN 978-1-4244-2702-4. S2CID 5066992.
20. "Official PCI Security Standards Council Site – Verify PCI Compliance, Download Data Security and Credit Card Security Standards". pcisecuritystandards.org. https://www.pcisecuritystandards.org/document_library?document=pci_dss Retrieved 2016-07-25.
21. Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (Text with EEA relevance). 2018-03-13. http://data.europa.eu/eli/reg_del/2018/389/oj/eng Retrieved 2021-04-06.
22. Agarwal, Surabhi (2016-12-07). "Payment firms applaud RBI's move to waive off two-factor authentication for small value transactions". The Economic Times. https://economictimes.indiatimes.com/news/economy/policy/payment-firms-applaud-rbis-move-to-waive-off-two-factor-authentication-for-small-value-transactions/articleshow/55856755.cms?from=mdr Retrieved 2020-06-28.
23. Nair, Vishwanath (2016-12-06). "RBI eases two-factor authentication for online card transactions up to Rs2,000". Livemint. https://www.livemint.com/Industry/bJmdHvAuLVC5af1O0NCE0O/RBI-eases-rules-for-online-card-payments-up-to-Rs2000.html Retrieved 2020-06-28.
24. "Uber now complies with India's two-factor authentication requirement, calls it unnecessary and burdensome". VentureBeat. 2014-11-30. https://venturebeat.com/2014/11/30/uber-now-complies-with-indias-two-factor-authentication-requirement-calls-it-unnecessary-and-burdensome/ Retrieved 2021-09-05.
25. "Homeland Security Presidential Directive 12". Department of Homeland Security. 2008-08-01. https://www.dhs.gov/homeland-security-presidential-directive-12 (archived 2012-09-16 at https://web.archive.org/web/20120916062033/http://hspd12.usda.gov/about.html).
26. "Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment". 2006-08-15.
27. SANS Institute. "Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches". http://www.sans.org/critical-security-controls/control.php?id=10 (archived 2013-01-28 at https://web.archive.org/web/20130128051636/http://www.sans.org/critical-security-controls/control.php?id=10). Retrieved 2013-02-11.
28. SANS Institute. "Critical Control 12: Controlled Use of Administrative Privileges". https://www.sans.org/critical-security-controls/control.php?id=12 (archived 2013-01-28 at https://web.archive.org/web/20130128051708/http://www.sans.org/critical-security-controls/control.php?id=12). Retrieved 2013-02-11.
29. "Digital Identity Guidelines". NIST Special Publication 800-63-3. NIST. 2017-06-22. https://pages.nist.gov/800-63-3/ Retrieved 2018-02-02.
30. "FFIEC Press Release". FFIEC. 2005-10-12. https://www.ffiec.gov/press/pr101205.htm Retrieved 2011-05-13.
31. FFIEC (2006-08-15). "Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment" (PDF). https://www.ffiec.gov/pdf/authentication_faq.pdf Retrieved 2012-01-14.
32. Krebs, Brian (2006-07-10). "Security Fix – Citibank Phish Spoofs 2-Factor Authentication". Washington Post. http://voices.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html Retrieved 2016-09-20.
33. Schneier, Bruce (March 2005). "The Failure of Two-Factor Authentication". Schneier on Security. http://www.schneier.com/blog/archives/2005/03/the_failure_of.html Retrieved 2016-09-20.
34. Perekalin, Alex (May 2018). "Why you shouldn't ever send verification codes to anyone". Kaspersky. https://www.kaspersky.com/blog/dont-send-codes/22448/ Retrieved 2020-10-17.
35. Siadati, Hossein; Nguyen, Toan; Gupta, Payas; Jakobsson, Markus; Memon, Nasir (2017). "Mind your SMSes: Mitigating Social Engineering in Second Factor Authentication". Computers & Security 65: 14–28. doi:10.1016/j.cose.2016.09.009. S2CID 10821943. Retrieved 2020-10-17.
36. Shankland, Stephen. "Two-factor authentication? Not as secure as you'd expect when logging into email or your bank". CNET. https://www.cnet.com/news/two-factor-authentication-isnt-as-secure-as-you-might-expect-world-password-day/ Retrieved 2020-09-27.
37. "The Failure of Two-Factor Authentication – Schneier on Security". schneier.com. https://www.schneier.com/blog/archives/2012/02/the_failure_of_2.html Retrieved 2015-10-23.
38. Khandelwal, Swati. "Real-World SS7 Attack – Hackers Are Stealing Money From Bank Accounts". The Hacker News. http://thehackernews.com/2017/05/ss7-vulnerability-bank-hacking.html Retrieved 2017-05-05.
39. "Study Sheds New Light On Costs, Effects Of Multi-Factor". Credit Union Journal. 2008-04-04. http://www.cujournal.com/issues/12_15/-100094-1.html
40. Libicki, Martin C.; Balkovich, Edward; Jackson, Brian A.; Rudavsky, Rena; Webb, Katharine (2011). "Influences on the Adoption of Multifactor Authentication". RAND Corporation. https://www.rand.org/pubs/technical_reports/TR937.html
41. "Hacking Multifactor Authentication". Wiley.com. https://www.wiley.com/en-us/Hacking+Multifactor+Authentication-p-9781119650805 Retrieved 2020-12-17.
42. US 6078908, Schmitz, Kim, "Method for authorizing in data transmission systems". https://worldwide.espacenet.com/textdoc?DB=EPODOC&IDX=US6078908
43. Brodkin, Jon (2013-05-23). "Kim Dotcom claims he invented two-factor authentication—but he wasn't first". Ars Technica. https://arstechnica.com/information-technology/2013/05/kim-dotcom-claims-he-invented-two-factor-authentication-but-he-wasnt-first/ (archived 2019-07-09 at https://web.archive.org/web/20190709090048/https://arstechnica.com/information-technology/2013/05/kim-dotcom-claims-he-invented-two-factor-authentication-but-he-wasnt-first/). Retrieved 2019-07-25.
44. US 5708422, Blonder et al., "Transaction authorization and alert system". https://worldwide.espacenet.com/textdoc?DB=EPODOC&IDX=US5708422

Further reading
Brandom, Russell (2017-07-10). "Two-factor authentication is a mess". The Verge. https://www.theverge.com/2017/7/10/15946642/two-factor-authentication-online-security-mess Retrieved 2017-07-10.

External links
Attackers breached the servers of RSA and stole information that could be used to compromise the security of two-factor authentication tokens used by 40 million employees (theregister.co.uk, 18 Mar 2011). https://www.theregister.co.uk/2011/03/18/rsa_breach_leaks_securid_data/
Banks to Use Two-factor Authentication by End of 2006 (slashdot.org, 20 Oct 2005). http://it.slashdot.org/article.pl?sid=05/10/19/2340245&tid=172&tid=95
Microsoft to abandon passwords: Microsoft preparing to dump passwords in favour of two-factor authentication in forthcoming versions of Windows (vnunet.com, 14 Mar 2005). https://web.archive.org/web/20081011073929/http://www.vnunet.com/vnunet/news/2126966/microsoft-abandon-passwords

Retrieved from https://en.wikipedia.org/w/index.php?title=Multi-factor_authentication&oldid=1131088613

This page was last edited on 2 January 2023, at 14:04 (UTC).
Content is available under CC BY-SA 3.0 unless otherwise noted.
