[author: Sean Lawless]
Every morning we sit down at our computers and provide our credentials to the network; user name and password. It has become such a ubiquitous part of modern life, we have a user name and password to everything, we even have password management applications. This system of challenge and response is designed to prove to the system who you are or authenticate you as a valid user. As I discussed in my previous blog post, who you are and what you do also may determine your permissions within the system if Role Based Access Controls are in place.
Multi-factor authentication (MFA) is a method of more securely verifying the identity of a user of any given system. The multi-factor comes from requiring more than one piece of identifying information. In the challenge response example above, user name and password is something you know. MFA requires two or more pieces of information from the following categories.
-
Knowledge: something you know (user names, passwords, PIN)
-
Possession: something you have (secure token, bank card, cell phone)
-
Inheritance: something you are (fingerprint, retina, biometric)
A subset of MFA is two factor authentication (2FA), which is a widely implemented version. Originally patented in the early 1980s for use with automated teller machines, the customer needs their bank card and they need to know the PIN (something they knew and something they had). Two-factor authentication has become extremely common, especially in the internet and ‘app’ space. A common method of 2FA is when providers text a code to your mobile phone after a successful challenge and response. Something you know is your user name and password, something you have is your mobile phone.
Most service providers support 2FA but you may need to request that it be enabled for your account. You can check if your provider supports 2FA by checking https://twofactorauth.org/.
