Multi-factor authentication
Factors
Authentication takes place when someone tries to log into a computer resource (such as a network, device, or application). The resource requires the user to supply the identity by which the user is known to the resource, along with evidence of the authenticity of the user's claim to that identity. Simple authentication requires only one such piece of evidence (factor), typically a password. For additional security, the resource may require more than one factor: multi-factor authentication, or two-factor authentication in cases where exactly two pieces of evidence are to be supplied.[1]
The use of multiple authentication factors to prove one's identity is based on the premise that an unauthorized actor is unlikely to be able to supply the factors required for access. If, in an authentication attempt, at least one of the components is missing or supplied incorrectly, the user's identity is not established with sufficient certainty and access to the asset (e.g., a building, or data) being protected by multi-factor authentication remains blocked. The authentication factors of a multi-factor authentication scheme may include:[2]
Knowledge
Possession
Inherent
Location
Advantages of mobile phone-based authentication:
No additional tokens are necessary because it uses mobile devices that are (usually) carried all the time.
As they are constantly changed, dynamically generated passcodes are safer to use than fixed (static) log-in information.
Depending on the solution, passcodes that have been used are automatically replaced in order to ensure that a valid code is always available, so transmission/reception problems do not prevent logins.
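The rule stated above, that a login is refused unless every required factor is supplied correctly, together with the dynamically generated passcodes from the advantages list, as an added example that is not part of the article: a Python login check combining a knowledge factor (a salted password hash) with a possession factor (an RFC 6238 time-based one-time password of the kind an authenticator app produces). The user name, password, salt and TOTP seed are constructed for the illustration, and the function names are the example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo credential material (not real secrets).
DEMO_PASSWORD = "correct horse battery staple"
DEMO_SALT = b"demo-salt-0123456789"
DEMO_TOTP_SEED = base64.b32decode("JBSWY3DPEHPK3PXP")  # seed an authenticator app would hold
PBKDF2_ROUNDS = 100_000
TOTP_STEP_SECONDS = 30


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor at rest: PBKDF2-HMAC-SHA256 (scrypt or argon2 would be
    preferable in production; PBKDF2 keeps this example standard-library only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store: one account with both factors enrolled.
USER_DB = {
    "alice": {
        "salt": DEMO_SALT,
        "pw_hash": hash_password(DEMO_PASSWORD, DEMO_SALT),
        "totp_seed": DEMO_TOTP_SEED,
        "last_step": -1,  # highest time step already used, so each code is accepted once only
    }
}


def totp(seed: bytes, step: int, digits: int = 6) -> str:
    """RFC 6238 TOTP, i.e. HOTP over the time-step counter: HMAC-SHA1, dynamic
    truncation, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def check_password(user: dict, candidate: str) -> bool:
    return hmac.compare_digest(hash_password(candidate, user["salt"]), user["pw_hash"])


def match_totp_step(user: dict, code: str, now: float, window: int = 1):
    """Return the time step whose code matches, allowing +-`window` steps of clock
    drift, or None. Steps at or below `last_step` are skipped, so a code cannot be
    replayed even inside its 30-second validity."""
    if not (code.isascii() and code.isdigit() and len(code) == 6):
        return None
    current = int(now // TOTP_STEP_SECONDS)
    for step in range(current - window, current + window + 1):
        if step <= user["last_step"]:
            continue
        if hmac.compare_digest(totp(user["totp_seed"], step), code):
            return step
    return None


def login(username: str, password: str, code: str, now: float = None) -> bool:
    """Both factors are always evaluated and only a single yes/no is returned, so a
    failed attempt does not reveal which factor was wrong. The used time step is
    recorded only when the whole login succeeds."""
    now = time.time() if now is None else now
    user = USER_DB.get(username)
    if user is None:
        hash_password(password, DEMO_SALT)  # comparable work so unknown names are not distinguishable by timing
        return False
    password_ok = check_password(user, password)
    step = match_totp_step(user, code, now)
    if not (password_ok and step is not None):
        return False
    user["last_step"] = step
    return True


if __name__ == "__main__":
    now = time.time()
    current_code = totp(DEMO_TOTP_SEED, int(now // TOTP_STEP_SECONDS))
    print("first login:", login("alice", DEMO_PASSWORD, current_code, now))    # True
    print("replayed code:", login("alice", DEMO_PASSWORD, current_code, now))  # False
```

The `totp` function reproduces the RFC 6238 reference vector (seed `12345678901234567890`, time 59, eight digits gives `94287082`), which is a cheap way to confirm an implementation before trusting it with real seeds. The replay guard matters because a 30-second window is long enough for a code captured in transit to be reused; recording the last accepted step closes that gap without needing server-side storage beyond one integer per user.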
Disadvantages:
Users may still be susceptible to phishing attacks. An attacker can send a text message that links to a spoofed website that looks identical to the actual website. The attacker can then get the authentication code, user name and password.[17]
A mobile phone is not always available: it can be lost, stolen, have a dead battery, or otherwise not work.
Despite their growing popularity, some users may not even own a mobile device, and take umbrage at being required to own one as a condition of using some service on their home PC.
Mobile phone reception is not always available: large areas, particularly outside of towns, lack coverage.
SIM cloning gives hackers access to mobile phone connections. Social-engineering attacks against mobile-operator companies have resulted in the handing over of duplicate SIM cards to criminals.[18]
Text messages to mobile phones using SMS are insecure and can be intercepted by IMSI-catchers. Thus third parties can steal and use the token.[19]
Account recovery typically bypasses mobile-phone two-factor authentication.[1]
Modern smartphones are used both for receiving email and SMS, so if the phone is lost or stolen and is not protected by a password or biometric, all accounts for which the email is the key can be hacked, as the phone can receive the second factor.
Mobile carriers may charge the user for messaging fees.
European Union
India
In India, the Reserve Bank of India mandated two-factor authentication for all online transactions made using a debit or credit card, using either a password or a one-time password sent over SMS. This was temporarily withdrawn in 2016 for transactions up to ₹2,000 in the wake of the November 2016 banknote demonetisation. Vendors such as Uber have been mandated by the bank to amend their payment processing systems in compliance with this two-factor authentication rollout.[22][23][24]
United States
Details for authentication for federal employees and contractors in the U.S. are defined in Homeland Security Presidential Directive 12 (HSPD-12).[25]
Security
According to proponents, multi-factor authentication could drastically reduce the incidence of online identity theft and other online fraud, because the victim's password would no longer be enough to give a thief permanent access to their information. However, many multi-factor authentication approaches remain vulnerable to phishing,[32] man-in-the-browser, and man-in-the-middle attacks.[33] Two-factor authentication in web applications is especially susceptible to phishing attacks, particularly those carried out over SMS and e-mail, and, in response, many experts advise users not to share their verification codes with anyone,[34] and many web application providers place an advisory in any e-mail or SMS that contains a code.[35]
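The weakness described in the disadvantages list and in this section, and the property that closes it, modelled as an added example that is not from the article: the server-side checks for an SMS-style one-time code, which accept a genuine code no matter which page the user typed it into, beside the checks for an origin-bound challenge of the kind used by U2F and WebAuthn authenticators, which reject a response produced while the browser was on a look-alike origin. The origins, user name and keys are constructed, and the origin-bound scheme is simplified: it uses an HMAC with a per-device key where real authenticators use a public-key signature.

```python
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://bank.example"        # constructed: the genuine site
SPOOF_ORIGIN = "https://bank-example.test"  # constructed: a look-alike site
CODE_TTL_SECONDS = 300


class RelyingParty:
    """Server side of both second-factor schemes (constructed for this example)."""

    def __init__(self):
        self.pending_codes = {}       # user -> (code, expiry)
        self.pending_challenges = {}  # user -> challenge bytes
        self.device_keys = {"alice": secrets.token_bytes(32)}  # constructed enrolment

    # --- SMS-style one-time code ------------------------------------------------
    def send_code(self, user: str, now: float) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending_codes[user] = (code, now + CODE_TTL_SECONDS)
        # The message carries the advisory many providers now include.
        return f"{code} is your {REAL_ORIGIN} sign-in code. Never share it with anyone."

    def verify_code(self, user: str, code: str, now: float) -> bool:
        stored = self.pending_codes.pop(user, None)  # single use
        if stored is None:
            return False
        expected, expiry = stored
        # The server never learns which page the code was typed into.
        return now <= expiry and hmac.compare_digest(expected, code)

    # --- origin-bound challenge -------------------------------------------------
    def issue_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending_challenges[user] = challenge
        return challenge

    def verify_assertion(self, user: str, assertion: dict) -> bool:
        challenge = self.pending_challenges.pop(user, None)
        if challenge is None or not hmac.compare_digest(challenge, assertion["challenge"]):
            return False
        if assertion["origin"] != REAL_ORIGIN:  # the origin check is what defeats relaying
            return False
        expected = hmac.new(self.device_keys[user],
                            challenge + assertion["origin"].encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["mac"])


class Authenticator:
    """The user's device. It binds the challenge to the origin the browser reports,
    which is the look-alike origin whenever the user is on a spoofed page."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes, browser_origin: str) -> dict:
        mac = hmac.new(self.key, challenge + browser_origin.encode(), hashlib.sha256).digest()
        return {"challenge": challenge, "origin": browser_origin, "mac": mac}


def extract_code(sms_text: str) -> str:
    """Pull the six-digit code out of the message, as a user reading it would."""
    return next(tok for tok in sms_text.split() if tok.isdigit() and len(tok) == 6)


def sms_code_via_lookalike(now: float) -> bool:
    """The user types the genuine code into the look-alike page, which passes it on
    to the real server inside the validity window. The server cannot tell."""
    rp = RelyingParty()
    code = extract_code(rp.send_code("alice", now))
    forwarded = code  # what the look-alike page passes on
    return rp.verify_code("alice", forwarded, now + 20)


def sms_code_after_expiry(now: float) -> bool:
    rp = RelyingParty()
    code = extract_code(rp.send_code("alice", now))
    return rp.verify_code("alice", code, now + CODE_TTL_SECONDS + 1)


def origin_bound_via_lookalike() -> bool:
    """Same situation, but the authenticator binds its response to the origin the
    browser is actually on, so the real server rejects it."""
    rp = RelyingParty()
    device = Authenticator(rp.device_keys["alice"])
    challenge = rp.issue_challenge("alice")             # passed on by the look-alike page
    assertion = device.respond(challenge, SPOOF_ORIGIN)  # browser is on the spoof
    return rp.verify_assertion("alice", assertion)


def origin_bound_direct() -> bool:
    rp = RelyingParty()
    device = Authenticator(rp.device_keys["alice"])
    challenge = rp.issue_challenge("alice")
    return rp.verify_assertion("alice", device.respond(challenge, REAL_ORIGIN))
```

The contrast is in `verify_code` versus `verify_assertion`: a typed code carries no information about where it was typed, so expiry and single use are the only controls the server has, whereas the origin-bound response lets the server refuse anything that was not produced on its own origin. That is why the advisory text in the SMS is a mitigation of last resort, and why the U2F entry in the see-also list matters for this section.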
Implementation
Many multi-factor authentication products require users to deploy client software to make multi-factor authentication systems work. Some vendors have created separate installation packages for network login, Web access credentials, and VPN connection credentials. For such products, there may be four or five different software packages to push down to the client PC in order to make use of the token or smart card. This translates to four or five packages on which version control has to be performed, and four or five packages to check for conflicts with business applications. If access can be operated using web pages, it is possible to limit the overheads outlined above to a single application. With other multi-factor authentication technology such as hardware token products, no software needs to be installed by end-users.
Patents
In 2013, Kim Dotcom claimed to have invented two-factor authentication in a 2000 patent,[42] and briefly threatened to sue all the major web services. However, the European Patent Office revoked his patent[43] in light of an earlier 1998 U.S. patent held by AT&T.[44]
See also
Electronic authentication
Identity management
Multi-party authorization
Mutual authentication
Reliance authentication
Strong authentication
Universal 2nd Factor
References
1. "Two-factor authentication: What you need to know (FAQ) – CNET" (https://www.cnet.com/news/two-factor-authentication-what-you-need-to-know-faq). CNET. Retrieved 2015-10-31.
2. Jacomme, Charlie; Kremer, Steve (February 1, 2021). "An Extensive Formal Analysis of Multi-factor Authentication Protocols" (https://dl.acm.org/doi/10.1145/3440712). ACM Transactions on Privacy and Security. New York City: Association for Computing Machinery. 24 (2): 1–34. doi:10.1145/3440712 (https://doi.org/10.1145%2F3440712). ISSN 2471-2566 (https://www.worldcat.org/issn/2471-2566). S2CID 231791299 (https://api.semanticscholar.org/CorpusID:231791299).
3. kaitlin.boeckl@nist.gov (2016-06-28). "Back to basics: Multi-factor authentication (MFA)" (https://web.archive.org/web/20210406235123/https://www.nist.gov/itl/applied-cybersecurity/tig/back-basics-multi-factor-authentication). NIST. Archived from the original (https://www.nist.gov/itl/applied-cybersecurity/tig/back-basics-multi-factor-authentication) on 2021-04-06. Retrieved 2021-04-06.
4. Barrett, Brian (July 22, 2018). "How to Secure Your Accounts With Better Two-Factor Authentication" (https://www.wired.com/story/two-factor-authentication-apps-authy-google-authenticator/). Wired. Retrieved 12 September 2020.
5. "Configuring One-Time Passwords" (https://www.sonicwall.com/support/knowledge-base/configuring-one-time-passwords/170505594681886/). www.sonicwall.com. SonicWall. Retrieved 19 January 2022.
6. van Tilborg, Henk C.A.; Jajodia, Sushil, eds. (2011). Encyclopedia of Cryptography and Security, Volume 1. Berlin, Germany: Springer Science & Business Media. p. 1305. ISBN 9781441959058.
7. Cao, Liling; Ge, Wancheng (2015-03-10). "Analysis and improvement of a multi-factor biometric authentication scheme: Analysis and improvement of a MFBA scheme" (https://onlinelibrary.wiley.com/doi/10.1002/sec.1010). Security and Communication Networks. 8 (4): 617–625. doi:10.1002/sec.1010 (https://doi.org/10.1002%2Fsec.1010).
8. "Does Kim Dotcom have original 'two-factor' login patent?" (https://www.theguardian.com/technology/2013/may/23/kim-dotcom-authentication-patents). The Guardian. 2013-05-23. Retrieved 2022-11-02.
9. EP 0745961 (https://worldwide.espacenet.com/textdoc?DB=EPODOC&IDX=EP0745961), "Transaction authorization and alert system", issued 1996-12-04.
10. Wang, Ding; He, Debiao; Wang, Ping; Chu, Chao-Hsien (2014). "Anonymous Two-Factor Authentication in Distributed Systems: Certain Goals Are Beyond Attainment" (http://eprint.iacr.org/2014/135.pdf) (PDF). IEEE Transactions on Dependable and Secure Computing. Piscataway, New Jersey: Institute of Electrical and Electronics Engineers. Retrieved 2018-03-23.
11. Andy Greenberg (2016-06-26). "So Hey You Should Stop Using Texts For Two-factor Authentication" (https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/). Wired. Retrieved 2018-05-12.
12. "NIST is No Longer Recommending Two-Factor Authentication Using SMS" (https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html). Schneier on Security. August 3, 2016. Retrieved November 30, 2017.
13. "Rollback! The United States NIST no longer recommends "Deprecating SMS for 2FA"" (https://blogs.sap.com/2017/07/06/rollback-the-united-states-nist-no-longer-recommends-deprecating-sms-for-2fa/). July 6, 2017. Retrieved May 21, 2019.
14. Tung, Liam. "Google prompt: You can now just tap 'yes' or 'no' on iOS, Android to approve Gmail sign-in" (https://www.zdnet.com/article/google-prompt-you-can-now-just-tap-yes-or-no-on-ios-android-to-approve-gmail-sign-in/). ZDNet. Retrieved 11 September 2017.
15. Chance Miller (2017-02-25). "Apple prompting iOS 10.3" (https://9to5mac.com/2017/02/25/two-factor-authentication-ios-10-3/). 9to5Mac. Retrieved 11 September 2017.
16. "How Russia Works on Intercepting Messaging Apps – bellingcat" (https://web.archive.org/web/20160430211219/https://www.bellingcat.com/news/2016/04/30/russia-telegram-hack/). bellingcat. 2016-04-30. Archived from the original (https://www.bellingcat.com/news/2016/04/30/russia-telegram-hack/) on 2016-04-30. Retrieved 2016-04-30.
17. Kan, Michael (7 March 2019). "Google: Phishing Attacks That Can Beat Two-Factor Are on the Rise" (https://www.pcmag.com/news/367026/google-phishing-attacks-that-can-beat-two-factor-are-on-the). PC Mag. Retrieved 9 September 2019.
18. Nichols, Shaun (10 July 2017). "Two-factor FAIL: Chap gets pwned after 'AT&T falls for hacker tricks'" (https://www.theregister.co.uk/2017/07/10/att_falls_for_hacker_tricks/). The Register. Retrieved 2017-07-11.
19. Toorani, Mohsen; Beheshti, A. (2008). "SSMS - A secure SMS messaging protocol for the m-payment systems". 2008 IEEE Symposium on Computers and Communications. pp. 700–705. arXiv:1002.3171 (https://arxiv.org/abs/1002.3171). doi:10.1109/ISCC.2008.4625610 (https://doi.org/10.1109%2FISCC.2008.4625610). ISBN 978-1-4244-2702-4. S2CID 5066992 (https://api.semanticscholar.org/CorpusID:5066992).
20. "Official PCI Security Standards Council Site – Verify PCI Compliance, Download Data Security and Credit Card Security Standards" (https://www.pcisecuritystandards.org/document_library?document=pci_dss). www.pcisecuritystandards.org. Retrieved 2016-07-25.
21. Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (Text with EEA relevance.) (http://data.europa.eu/eli/reg_del/2018/389/oj/eng), 2018-03-13, retrieved 2021-04-06.
22. Agarwal, Surabhi (7 December 2016). "Payment firms applaud RBI's move to waive off two-factor authentication for small value transactions" (https://economictimes.indiatimes.com/news/economy/policy/payment-firms-applaud-rbis-move-to-waive-off-two-factor-authentication-for-small-value-transactions/articleshow/55856755.cms?from=mdr). The Economic Times. Retrieved 28 June 2020.
23. Nair, Vishwanath (6 December 2016). "RBI eases two-factor authentication for online card transactions up to Rs2,000" (https://www.livemint.com/Industry/bJmdHvAuLVC5af1O0NCE0O/RBI-eases-rules-for-online-card-payments-up-to-Rs2000.html). Livemint. Retrieved 28 June 2020.
24. "Uber now complies with India's two-factor authentication requirement, calls it unnecessary and burdensome" (https://venturebeat.com/2014/11/30/uber-now-complies-with-indias-two-factor-authentication-requirement-calls-it-unnecessary-and-burdensome/). VentureBeat. 2014-11-30. Retrieved 2021-09-05.
25. "Homeland Security Presidential Directive 12" (https://web.archive.org/web/20120916062033/http://hspd12.usda.gov/about.html). Department of Homeland Security. August 1, 2008. Archived from the original (https://www.dhs.gov/homeland-security-presidential-directive-12) on September 16, 2012.
26. "Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment", August 15, 2006.
27. "SANS Institute, Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches" (https://web.archive.org/web/20130128051636/http://www.sans.org/critical-security-controls/control.php?id=10). Archived from the original (http://www.sans.org/critical-security-controls/control.php?id=10) on 2013-01-28. Retrieved 2013-02-11.
28. "SANS Institute, Critical Control 12: Controlled Use of Administrative Privileges" (https://web.archive.org/web/20130128051708/http://www.sans.org/critical-security-controls/control.php?id=12). Archived from the original (https://www.sans.org/critical-security-controls/control.php?id=12) on 2013-01-28. Retrieved 2013-02-11.
29. "Digital Identity Guidelines" (https://pages.nist.gov/800-63-3/). NIST Special Publication 800-63-3. NIST. June 22, 2017. Retrieved February 2, 2018.
30. "FFIEC Press Release" (https://www.ffiec.gov/press/pr101205.htm). 2005-10-12. Retrieved 2011-05-13.
31. FFIEC (2006-08-15). "Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment" (https://www.ffiec.gov/pdf/authentication_faq.pdf) (PDF). Retrieved 2012-01-14.
32. Brian Krebs (July 10, 2006). "Security Fix – Citibank Phish Spoofs 2-Factor Authentication" (http://voices.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html). Washington Post. Retrieved 20 September 2016.
33. Bruce Schneier (March 2005). "The Failure of Two-Factor Authentication" (http://www.schneier.com/blog/archives/2005/03/the_failure_of.html). Schneier on Security. Retrieved 20 September 2016.
34. Alex Perekalin (May 2018). "Why you shouldn't ever send verification codes to anyone" (https://www.kaspersky.com/blog/dont-send-codes/22448/). Kaspersky. Retrieved 17 October 2020.
35. Siadati, Hossein; Nguyen, Toan; Gupta, Payas; Jakobsson, Markus; Memon, Nasir (2017). "Mind your SMSes: Mitigating Social Engineering in Second Factor Authentication" (PDF). Computers & Security. 65: 14–28. doi:10.1016/j.cose.2016.09.009 (https://doi.org/10.1016%2Fj.cose.2016.09.009). S2CID 10821943 (https://api.semanticscholar.org/CorpusID:10821943). Retrieved 17 October 2020.
36. Shankland, Stephen. "Two-factor authentication? Not as secure as you'd expect when logging into email or your bank" (https://www.cnet.com/news/two-factor-authentication-isnt-as-secure-as-you-might-expect-world-password-day/). CNET. Retrieved 2020-09-27.
37. "The Failure of Two-Factor Authentication – Schneier on Security" (https://www.schneier.com/blog/archives/2012/02/the_failure_of_2.html). schneier.com. Retrieved 23 October 2015.
38. Khandelwal, Swati. "Real-World SS7 Attack – Hackers Are Stealing Money From Bank Accounts" (http://thehackernews.com/2017/05/ss7-vulnerability-bank-hacking.html). The Hacker News. Retrieved 2017-05-05.
39. "Study Sheds New Light On Costs, Effects Of Multi-Factor" (http://www.cujournal.com/issues/12_15/-100094-1.html). 4 April 2008.
40. Libicki, Martin C.; Balkovich, Edward; Jackson, Brian A.; Rudavsky, Rena; Webb, Katharine (2011). "Influences on the Adoption of Multifactor Authentication" (https://www.rand.org/pubs/technical_reports/TR937.html).
41. "Hacking Multifactor Authentication | Wiley" (https://www.wiley.com/en-us/Hacking+Multifactor+Authentication-p-9781119650805). Wiley.com. Retrieved 2020-12-17.
42. US 6078908 (https://worldwide.espacenet.com/textdoc?DB=EPODOC&IDX=US6078908), Schmitz, Kim, "Method for authorizing in data transmission systems".
43. Brodkin, Jon (23 May 2013). "Kim Dotcom claims he invented two-factor authentication—but he wasn't first" (https://web.archive.org/web/20190709090048/https://arstechnica.com/information-technology/2013/05/kim-dotcom-claims-he-invented-two-factor-authentication-but-he-wasnt-first/). Ars Technica. Archived from the original (https://arstechnica.com/information-technology/2013/05/kim-dotcom-claims-he-invented-two-factor-authentication-but-he-wasnt-first/) on 9 July 2019. Retrieved 25 July 2019.
44. US 5708422 (https://worldwide.espacenet.com/textdoc?DB=EPODOC&IDX=US5708422), Blonder, et al., "Transaction authorization and alert system".
Further reading
Brandom, Russell (July 10, 2017). "Two-factor authentication is a mess" (https://www.theverge.com/2017/7/10/15946642/two-factor-authentication-online-security-mess). The Verge. Retrieved July 10, 2017.
External links
Attackers breached the servers of RSA and stole information that could be used to compromise the security of two-factor authentication tokens used by 40 million employees (https://www.theregister.co.uk/2011/03/18/rsa_breach_leaks_securid_data/) (register.com, 18 Mar 2011)
Banks to Use Two-factor Authentication by End of 2006 (http://it.slashdot.org/article.pl?sid=05/10/19/2340245&tid=172&tid=95), (slashdot.org, 20 Oct 2005)
Microsoft to abandon passwords (https://web.archive.org/web/20081011073929/http://www.vnunet.com/vnunet/news/2126966/microsoft-abandon-passwords), Microsoft preparing to dump passwords in favour of two-factor authentication in forthcoming versions of Windows (vnunet.com, 14 Mar 2005)
Retrieved from "https://en.wikipedia.org/w/index.php?title=Multi-factor_authentication&oldid=1131088613"