Two-factor authentication (T-FA) is any authentication protocol that requires two independent ways to establish identity and privileges. This contrasts with traditional password authentication, which requires only one factor (knowledge of a password) in order to gain access to a system.
Common implementations of two-factor authentication use 'something you know' as one of the two factors, and either 'something you have' or 'something you are' as the other. Using more than one factor of authentication is also called strong authentication; using just one factor, for example just a password, is considered by some to be weak authentication. A common example of T-FA is a bank card (credit card, debit card): the card itself is the physical item, and the personal identification number (PIN) is the data that goes with it. See Chip and PIN for more information on this.
Two-factor authentication is a form of strong authentication. Strong authentication also includes multi-factor schemes that do not involve a physical factor (a card or dongle); both factors can be presented online.
According to proponents, T-FA could drastically reduce the incidence of online identity theft and other online fraud, because the victim's password alone would no longer be enough to give a thief access to their information. However, Bruce Schneier argues that T-FA is still vulnerable to trojan and man-in-the-middle attacks: a man-in-the-middle who sits between the user and the site can relay the one-time code while it is still valid, and a trojan on the user's machine can act after the user has authenticated.[The Failure of Two-Factor Authentication (Bruce Schneier, March 2005)]
Deployment of T-FA tools such as smart cards and USB tokens appears to be increasing. More organizations are adding a layer of security to the desktop that requires users to physically possess a token, and have knowledge of a PIN or password in order to access company data. However, there are still some drawbacks to two-factor authentication that are keeping the technology from widespread deployment. Some consumers have difficulty keeping track of one more object in their life. Also many two-factor authentication solutions are proprietary and protected by patents. The result is a substantial annual fee per person protected and a lack of interoperability.
Types of factors
The three most commonly recognized factors are:
- something you know, such as a password or PIN
- something you have, such as a smart card, USB token or mobile phone
- something you are, such as a fingerprint or other biometric
Other, less common factors may include:
- cybermetric authentication, such as only allowing access from a particular computer, identified by the combination of unique hardware and/or installed software
- location-based authentication, such as only allowing a particular ATM, charge or credit card to be used at a specific merchant or at a specific bank branch, or only allowing root access from specific terminals
- time-based authentication, such as only allowing access from certain accounts during normal working hours
- size-based authorization, such as only allowing a specific transaction to be for a specific exact amount
- pre-authorized transactions, such as where a company uploads the number and amount of every check it writes to its bank, and the bank then rejects as fraudulent any check whose number and amount are not on that list
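The location-, time-, size-based and pre-authorized checks above are all server-side policy decisions made on top of whatever primary factors were presented. The following is an added example, not code from the original page or from any vendor, showing how such a policy layer can be evaluated against a login or transaction record; the request fields, policy names and sample data are constructed for the example. Amounts use Decimal rather than float so that the "exact amount" and positive-pay comparisons are genuinely exact.

```python
from dataclasses import dataclass
from datetime import datetime, time
from decimal import Decimal
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """One login or transaction to be checked (field names are this example's own)."""
    account: str
    terminal: str                      # workstation, ATM or merchant id the request came from
    when: datetime
    amount: Optional[Decimal] = None   # None for a plain login
    cheque_no: Optional[str] = None    # only set for cheque clearing


@dataclass(frozen=True)
class Policy:
    terminals: Optional[Set[str]] = None                 # location-based: allowed origins
    hours: Optional[Tuple[time, time]] = None            # time-based: (start, end), may cross midnight
    exact_amount: Optional[Decimal] = None               # size-based: the one permitted amount
    issued_cheques: Optional[Dict[str, Decimal]] = None  # pre-authorised: cheque number -> amount


def within_hours(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end); a window with start > end wraps past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def evaluate(req: AccessRequest, policy: Policy) -> List[str]:
    """Return the names of the checks that failed; an empty list means allow."""
    failures: List[str] = []
    if policy.terminals is not None and req.terminal not in policy.terminals:
        failures.append("location")
    if policy.hours is not None and not within_hours(req.when.time(), *policy.hours):
        failures.append("time")
    if policy.exact_amount is not None:
        # Decimal, not float: with floats 0.1 + 0.2 != 0.3, so an "exact" check would be unreliable
        if req.amount is None or req.amount != policy.exact_amount:
            failures.append("size")
    if policy.issued_cheques is not None:
        # Positive pay: both the cheque number and the amount must match what the company uploaded
        expected = policy.issued_cheques.get(req.cheque_no or "")
        if expected is None or req.amount != expected:
            failures.append("pre-authorised")
    return failures


# Constructed sample policies (not real data).
ROOT_POLICY = Policy(terminals={"console01", "console02"}, hours=(time(8, 0), time(18, 0)))
PAYROLL_POLICY = Policy(exact_amount=Decimal("12500.00"))
CHEQUE_POLICY = Policy(issued_cheques={"1001": Decimal("250.00"), "1002": Decimal("80.50")})


def demo() -> Dict[str, List[str]]:
    """Run constructed requests through the checks and collect which checks failed for each."""
    at = datetime(2005, 3, 1, 9, 30)
    return {
        "root_ok": evaluate(AccessRequest("root", "console01", at), ROOT_POLICY),
        "root_night": evaluate(AccessRequest("root", "console01", datetime(2005, 3, 1, 23, 0)), ROOT_POLICY),
        "root_remote": evaluate(AccessRequest("root", "laptop-7", at), ROOT_POLICY),
        "payroll_ok": evaluate(AccessRequest("payroll", "ws-fin", at, Decimal("12500.00")), PAYROLL_POLICY),
        "payroll_off": evaluate(AccessRequest("payroll", "ws-fin", at, Decimal("12500.01")), PAYROLL_POLICY),
        "cheque_ok": evaluate(AccessRequest("acme", "branch-3", at, Decimal("80.50"), "1002"), CHEQUE_POLICY),
        "cheque_altered": evaluate(AccessRequest("acme", "branch-3", at, Decimal("800.50"), "1002"), CHEQUE_POLICY),
    }


if __name__ == "__main__":
    for name, failed in demo().items():
        print(f"{name}: {'allow' if not failed else 'deny (' + ', '.join(failed) + ')'}")
```

Note that these checks are additive: a request still has to pass the primary factors, and a failure of any one policy check denies the request while recording which rule fired, which is what an operator wants in the audit log.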
Tokens
The most common forms of the 'something you have' are smart cards and USB tokens. Differences between the smart card and USB token are diminishing. Both technologies include a microcontroller, an OS, a security application and a secured storage area. There are some distinguishing differences, however.
Biometrics
In both cases vendors are beginning to add biometric readers to the devices, thereby providing multi-factor authentication. Users authenticate biometrically via their fingerprint to the smart card or token and then enter a PIN or password in order to open the credential vault. However, whilst this type of authentication is suitable in limited applications, when a large number of users are involved the solution becomes unacceptably slow and comparatively expensive.
Mobile phones
A new category of T-FA tools transforms the PC user's mobile phone into a token device using SMS messaging. While such a method simplifies deployment and does away with the need for proprietary hardware token devices, there are trade-offs such as the recurring cost of the SMS messages sent. Companies have also succeeded in incorporating a security token into a standard credit card.
Smart cards
Smart cards, such as those offered by VASCO, RSA Security and ActivIdentity, are about the same size as a credit card. Some vendors, such as HID and RSA Security, are offering or developing smart cards that perform both the function of a proximity card and network authentication. Users can authenticate into the building via proximity detection and then insert the card into their PC to produce network logon credentials. They can also serve as ID badges. The downsides are that the smart card is a bigger device and the card reader is an extra expense.
Universal Serial Bus
A USB token has a different form factor; it can't fit in a wallet, but can easily be attached to a key ring. A USB port is standard equipment on today's computers, and USB tokens generally have a much larger storage capacity for logon credentials than smart cards. Booleansoft, RSA Security, VASCO, and Aladdin Knowledge Systems are examples of vendors offering USB tokens as part of their T-FA solutions.
Other types
Manufacturers such as RSA Security and Vasco also offer a One Time Password (OTP) token that displays on an LCD screen a pseudo-random number of six or more digits that changes every sixty seconds; the user appends it to a static PIN known only to them, and the combined passcode serves as the two-factor credential. Manufacturers such as Aladdin Knowledge Systems and ActivIdentity offer hybrid tokens that provide all the capabilities of USB tokens and smart cards together with OTP-based two-factor authentication in detached mode, that is, when the token is not connected to a computer.
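The vendors' token algorithms named above are proprietary, so the following added example (not code from the page or from any of those vendors) uses the open HOTP and TOTP constructions of RFC 4226 and RFC 6238 instead, which produce the same kind of six-digit code that changes every time step. It shows both halves of the scheme: the code the token would display, and the server-side check that takes PIN plus OTP as one passcode, allows for clock drift, and refuses a code that has already been used. The seed, PIN, 30-second step and one-step window below are assumptions for the example; the seed is the RFC test-vector key, not a real token's.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time step. This is what the token displays."""
    return hotp(secret, unix_time // step, digits)


class PasscodeVerifier:
    """Server side of a PIN + OTP token: checks both factors and refuses replayed codes.

    The per-token seed and the PIN are constructed for this example.
    """

    def __init__(self, seed: bytes, pin: str, step: int = 60, digits: int = 6, window: int = 1):
        self.seed, self.pin, self.step, self.digits, self.window = seed, pin, step, digits, window
        self.last_step = -1  # highest time step already accepted; a code from it or earlier is a replay

    def verify(self, passcode: str, now: int) -> bool:
        """passcode is the static PIN followed by the displayed OTP; now is Unix time on the server."""
        if len(passcode) != len(self.pin) + self.digits:
            return False
        pin, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        # Constant-time comparisons, and no early exit, so wrong PIN and wrong OTP cost the same time
        pin_ok = hmac.compare_digest(pin, self.pin)
        matched: Optional[int] = None
        current = now // self.step
        # Accept +/- window steps to tolerate clock drift between token and server
        for candidate in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(code, hotp(self.seed, candidate, self.digits)):
                matched = candidate
        if not pin_ok or matched is None or matched <= self.last_step:
            return False
        self.last_step = matched  # only advance on a full success, so a bad PIN cannot burn a valid code
        return True


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 4226 / 6238 test-vector key, not a real token seed
    server = PasscodeVerifier(seed, pin="1234", step=30)
    shown = totp(seed, 59, step=30)  # what the token would display at t=59
    print("token shows", shown)
    print("first use:", server.verify("1234" + shown, 59))
    print("replay:   ", server.verify("1234" + shown, 59))
```

Two points worth noticing against the text above. The replay check is what stops a code that an attacker has shoulder-surfed or logged from being reused within its validity window, but it does nothing against Schneier's man-in-the-middle case: a proxy that relays the code to the real server within the same time step is indistinguishable from the legitimate user, because the code is bound to time and seed, not to the session or the transaction.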
Booleansoft has CD tokens in different sizes and forms. When the token is inserted into a PC's CD-ROM drive, software stored on the CD authenticates the client in question.
The challenges of authentication
So if smart cards or USB tokens provide all this security, why isn't everybody deploying them? It would seem to be a logical line of defense against intrusions and information loss.
Despite the security advantages of strong authentication, its adoption is not yet widespread. There are several factors that contribute to this.
Product proliferation
The first challenge to face is the difficulty of deploying the client PC software required to make these systems work. Most vendors have created separate installation packages for network login, Web access credentials and VPN connection credentials. In other words, you may have four or five different software packages to push down to the client PC in order to make use of the token or smart card. This translates to four or five packages on which you also have to perform version control and ensure that they don't conflict with your business applications. If access can be delivered through web pages, it is possible to limit the overheads outlined above to a single application.
User password management
Users have natural problems retaining even a single factor like a password. It is not uncommon for users to be expected to remember dozens of unique passwords. T-FA, where one factor is a password or PIN code, does not eliminate this problem. One possible solution is to have the second factor be a biometric, instead of an entity that the user needs to memorize.
Interoperability of authentication mechanisms
Two-factor authentication is not standardized. There are various implementations of it. Therefore, interoperability is an issue.
Cost effectiveness
Adding a second factor to the authentication mechanism could lead to an increase in costs for implementation and maintenance. Most systems are proprietary and charge an annual fee per user in the $50-100 USD range. Deployment of hardware tokens is a logistical challenge. Hardware tokens may get damaged or lost, and issuance of tokens in large industries such as banking, or even within large enterprises, needs to be managed. Therefore, an analysis of the costs and benefits should be made before deciding on a stronger authentication mechanism.
Password security
Another concern is the security of the T-FA tools and their systems. Several products store passwords in plain text, either in the token or smart card client software or on its associated management server. In either case this largely negates one factor of the authentication: an intruder who can read the stored password or PIN has obtained the knowledge factor, and what remains is in effect single-factor (possession-only) authentication. The intruder still needs to be in possession of the relevant token or smart card for the attack to work.
There is a further argument that there is nothing to stop a user (or intruder) from manually providing logon credentials that are stored on a token or smart card. For example, to show all passwords stored in Internet Explorer, all an intruder has to do is boot the Microsoft Windows OS into safe mode (with network support) and scan the hard drive using certain freely available utilities. However, requiring the physical token to be present at all times during a session can negate this.
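The plaintext storage problem described in this section has a standard fix on the management-server side: store a salted, iterated hash of the PIN and never the PIN itself, and migrate existing plaintext records the next time their holder logs in successfully. The following is an added example, not code from the page or from any product it names; the record format, the serial-number keys and the sample PINs are constructed for the example, and PBKDF2-HMAC-SHA256 is this example's choice of key-derivation function. On the client side the corresponding fix is simply not to cache the PIN at all, so there is nothing to scan for.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

ITERATIONS = 100_000  # PBKDF2 work factor; raise as server hardware allows

Record = Dict[str, str]


def store_plaintext(pin: str) -> Record:
    """The weak form this section criticises: anyone who can read the store has the knowledge factor."""
    return {"scheme": "plain", "pin": pin}


def store_hashed(pin: str, salt: Optional[bytes] = None) -> Record:
    """Hardened form: per-record random salt plus iterated PBKDF2; the PIN itself is never written."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return {"scheme": "pbkdf2-sha256", "iterations": str(ITERATIONS),
            "salt": salt.hex(), "hash": digest.hex()}


def verify_pin(record: Record, pin: str) -> bool:
    """Check a PIN against either record type; comparisons are constant-time."""
    if record["scheme"] == "plain":
        return hmac.compare_digest(record["pin"], pin)
    if record["scheme"] == "pbkdf2-sha256":
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(),
                                     bytes.fromhex(record["salt"]), int(record["iterations"]))
        return hmac.compare_digest(digest.hex(), record["hash"])
    return False  # unknown scheme: fail closed


def audit(store: Dict[str, Record]) -> List[str]:
    """Token serials whose PIN is recoverable from the store, i.e. whose knowledge factor is exposed."""
    return sorted(serial for serial, rec in store.items() if rec["scheme"] == "plain")


def login(store: Dict[str, Record], serial: str, pin: str) -> bool:
    """Verify the PIN and, on success, transparently upgrade a plaintext record to the hashed form.

    Only the knowledge factor is handled here; the OTP/token check is a separate step.
    """
    record = store.get(serial)
    if record is None or not verify_pin(record, pin):
        return False
    if record["scheme"] == "plain":
        store[serial] = store_hashed(pin)  # the PIN is in hand right now, so re-store it hashed
    return True


def demo() -> Dict[str, object]:
    """Constructed management-server store: one legacy plaintext record, one already hashed."""
    store = {"TKN-0001": store_plaintext("4821"), "TKN-0002": store_hashed("9903")}
    before = audit(store)
    ok_bad = login(store, "TKN-0001", "0000")   # wrong PIN: no upgrade happens
    still_plain = audit(store)
    ok_good = login(store, "TKN-0001", "4821")  # right PIN: record migrated
    after = audit(store)
    return {"before": before, "bad_login": ok_bad, "still_plain": still_plain,
            "good_login": ok_good, "after": after,
            "hashed_ok": login(store, "TKN-0002", "9903"),
            "migrated_ok": login(store, "TKN-0001", "4821")}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The audit function is the operational check: run it against the store before and after a migration, and treat any serial it still reports as a record whose holder has effectively been reduced to possession-only authentication.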
Software security
Another concern when deploying smart cards, USB tokens, or other T-FA systems is the security of the software loaded on to users' computers.[Token Effort, "USB tokens aren't as strong as you think." (TechTarget, Jul 2004)] A token may store a user's credentials securely, but the potential for breaking the system is then shifted to the software interface between the hardware token and the OS, potentially rendering the added security of the T-FA system useless.
Market segments
Market segments with regard to two-factor authentication are:
Related technologies
Two-factor authentication solutions sometimes include technologies to generate one-time passwords, and a few solutions also include single sign-on (SSO) technology.
Examples
Some examples of two-factor authentication include: