The 5 Factors of Authentication

Renan Dias
8 min readDec 8, 2017

Nowadays, the terms “Multi-Factor Authentication”, “Two-Factor Authentication” or “Dual-Factor Authentication” are becoming more and more common. You probably associate multi-factor authentication with entering a username or email, a password and a token which expires after 30 seconds. But is it really just that?
What inspired me to write this article was a conversation that I recently had with a colleague. When I asked if he was protecting his e-mail account with two-factor authentication, he said he was because every time he had to log in, he was asked for his email and password. Well, email and password, 2 factors, right? Not quite. After reading this article, you will understand that email and password are not two factors — they are one!

What is a factor?

A factor is a type of authentication. When you claim to be someone, you need to provide further information to prove that you are who you say you are. For instance, suppose that you go to an ATM and use your credit card. After the card is inserted into the machine, it will be used to claim an identity. Now, how does the ATM know that whoever is in possession of the card is the owner of the card? It knows it by asking something that only the owner would be able to provide! That could be a password, a fingerprint or a 6–8 digit code which expires after a certain number of seconds. These are all different types of information which are used for authentication purposes — they are factors of authentication.

Factor #1: Something you know

An information is classified as something you know if you store it in your memory and can retrieve it when needed. For instance, a password, an answer to a security question or a Personal Identification Number (PIN). Now, you might say: “but if the password is 40-characters long, I won’t remember it!”. That is true, to an extent. However long a password may be, you can always memorize it. I agree that memorizing passwords nowadays is not advisable (i.e. you should really use a Password Manager) but it is something that can be done.

Are usernames and email addresses a something you know factor?

Not really. Usernames and email addresses are only used to claim an identity. A password or PIN (a type of authentication) is then used to prove the identity (i.e. to authenticate).

Factor #2: Something you have

This factor refers to information that you can (physically) carry with you. For example, before you send money to someone, many banks will ask you for a token (also referred to as one-time password and usually 6–8 digits long) that expires either after first use or after 30 seconds. The token is usually generated by a device such as the RSA SecurID (or depending on the bank, they might offer a mobile application which generates the token). See figure below.

RSA SecurID

There are two open standards for generating these tokens: HMAC-based One-Time Password (HOTP) and Time-based One-Time Password (TOTP). Essentially, HOTP generates a token which does not expire until the user uses it for the first time (after which a new token will need to be generated). TOTP generates a token every 30 seconds. If a user does not use it within 30 seconds, a new token will be automatically generated.
Tokens are not classified as something you know because, well, you don’t know the token until you actually see it!

Another example would be a Personal Identity Verification (PIV) card. PIV is a smart card used by the U.S federal agencies to identify the cardholder and grant them access to facilities and systems:

Personal Identity Verification (PIV) card

These smart cards are usually used together with another factor such as something you know. To log into a system, for instance, the user would present the card and enter a password (dual-factor authentication).

Factor #3: Something you are

I am sure you are familiar with this one: Biometrics. Simply put, something you are is an information that is in you — it’s a characteristic that only you and no one else has it. That includes, but is not limited to, your fingerprint or thumbprint, palm, handprint, retina, iris, voice and face.

The GIF above is an example of how biometrics can be used for authentication.

Factor #4: Somewhere you are

This factor might not be as known as the ones already mentioned. Somewhere you are is related to your location. One of the most common methods of detecting a user’s location is via Internet Protocol (IP) addresses. For instance, suppose that you use a service which has Geolocation security checks. When you configure your account, you might say that you live in the United States. If someone tries to log in to your account from an IP address located in Germany, the service will probably notify you saying that a login attempt was made from a location different than yours. That is extremely useful to protect your account against hackers.
IP addresses, however, are not the only information that can be used for the somewhere you are factor. It is also possible to use Media Access Control (MAC) addresses. An organization might set up its network so only specific computers can be used to log in (based on MAC addresses). If an employee is trying to access the network from a different computer, the access will be denied.
As last example, Monzo Bank Ltd., a mobile-only bank based in the United Kingdom, uses Geolocation to detect possible payment frauds. If your last known location was, say, in France and then four minutes later your card is used in Japan, that could be an indication that you are not in the same location as your card.

Factor #5: Something you do

This is possibly the factor that is the least utilized — and probably not a lot of people know about it. Something you do is a type of authentication which proves identities by observing actions. These actions could be things like gestures or touches.
Windows 8 users might know about a feature called Picture Password. This feature allows the user to set up gestures and touches on a picture as a way to authenticate themselves.

Hopefully, that is not how you set up your gestures and touches! The GIF below shows how you can set up a Picture Password on Windows 8.

To set up a Picture Password, you need to first choose a picture, then mark it with actions (drawing a circle or a line or just clicking on a specific spot).

SFA, 2FA or MFA?

A system can use one or more factors for authentication. When only one factor is used, it is called Single-factor authentication. When two factors are used, it is called either Two-factor authentication or Dual-factor authentication. Finally, when two or more factors are used, it is called Multi-factor authentication.
The word multiple usually refers to more than one, which means that when two factors are being used, it can be referred to as either Two-factor or Multi-factor authentication.

Multi-step authentication vs Multi-factor authentication

Sometimes, instead of two-factor or multi-factor authentication, you will see two-step or multi-step authentication. What’s the difference between multi-step and multi-factor? The difference is that multi-step authentication validates factors separately and multi-factor authentication validates them all at once. Let me elaborate on that.

Think about a system which requires a username and a password, followed by a token. If the authentication is multi-factor, the system will not validate the username and password until the token is provided. They will all be validated at once. The advantage of this approach is that if the login fails, one cannot know whether the username, the password or the token was wrong. However, if the authentication is multi-step, the system will first validate the username and password. If both are correct, the token will be validated. This approach is not ideal because if the username and password are correct, the process then becomes single-factor authentication — the only unknown factor now is the token.

In some cases, multi-step and multi-factor authentication are used together, one after the other. You could, for instance, use multi-step to log into your computer and then use multi-factor to log into your company’s Virtual Private Network (VPN).

Bonus content: Out-of-Band Authentication

Out-of-Band (OOB) means that authentication factors are transmitted via different channels or networks. This means that the device you use to enter a factor (e.g. something you know), is different than the device you use to receive or generate another factor (e.g. something you have). For instance, if you are on a website in your computer and you enter your username and password and a token is required next, the token needs to be generated by a different channel — an application on a cell phone or a device such as the RSA SecurID.

An example of non-OOB authentication would be if the application used to generate tokens is located on the same device (e.g. computer or cell phone) as the one used to enter the username and password.

Use of Short Message Service (SMS) for Out-of-Band Authentication

According to a special publication from the National Institute of Standards and Technology (NIST) about Digital Identity Guidelines (800–63B), SMS is not to be used for Out-of-Band authentication because an attacker, through Social Engineering, could potentially induce a mobile operator to redirect the victim’s cell phone traffic to the attacker.

Conclusion

Using multi-factor authentication is a must nowadays. However, remember to always insert a factor into and retrieve another factor from different channels or networks (also known as independence between authentication factors). If you use services that require passwords to protect your accounts, try to use a password manager like 1Password to randomly generate and securely store your passwords.
Another important thing to note is that as technology advances, you will hear a lot about Biometrics as a way to authenticate. However, do not think that only biometrics is enough. By just having biometrics, you will still be relying on a single-factor, although it is said to be far more secure than a password.
Even if you do not work in the Information Technology industry, it is still important to know how to protect yourself virtually.

--

--

Renan Dias

Leading Security Engineering @ VTS. Follow me for all things Application/Cloud Security. Opinions are my own.