Types of Multi-factor Authentication Evidence

Pan Li
3 min readJul 10, 2021

--

MFA diagram

Multi-factor authentication, or MFA for short, is a security technology that requires multiple methods of authentication from independent categories of credentials to verify a user’s identity, to make sure you are who you claimed to be, in accessing user data. The goal of MFA is to create an extra layered defense that makes it more difficult for an unauthorized person to access the target. If one form of your credential, such as your password, has been leaked, the attacker would still have at least one more barrier to break into before accessing your data.

The usage of MFA in consumer products, which evolved from two-factor authentication popularized by tech giants, soon gained recognition and was adopted by authorities across multiple fields. This blog is to serve as an introduction to understanding the qualifications and formats of each category of evidence in MFA. The basic formats of credentials are knowledge, something you know, possession, something you own, inherent, something you are. With the recent development of technological advancement, location and time factors are being considered as ways to authenticate.

Knowledge

Knowledge factors are the most commonly used form of authentication. The user is required to prove knowledge of a secret in order to gain access. The secret is a word or string of characters that can be either alphabetic, numeric, or alphamerical. The common form includes user password for login, security questions during the password recovery process, and PIN number when using one’s debit card. The security questions we often see during a password recovery process are also a form of knowledge factor.

Possession

Possession factors, something you have, have been a mechanism for user authentication for centuries, in the form of a key to a lock. The basic principle is that there’s a secret only known to the key and the corresponding lock. In the digital era, we have invented security tokens that are in three major forms, disconnected tokens, connected tokens, and soft tokens.

Physical token image — disconnected tokens and connected tokens
Connected token and disconnected token by RSA

Disconnected tokens have no connections to the client machine,. They typically use a built-in screen to display the generated authentication data, which the user will enter to the client machine by a keyboard or pin pad. Connected tokens on the other hand will be connected to the client machine for authentication data to be transmitted automatically.

Soft tokens are generated authentication codes that can be stored and duplicated in a general-purpose electronic device such as a personal computer, mobile phone, or pager if you know what that is. Modern usage of this factor would be an authentication code being sent to a mobile device through SMS, a personal email address.

Inherent

Inherent factors are usually biometric methods that are associated with the user. The gatekeeper would have a biometric scanner to match the data from the users’ database before permitting user access. Typical methods are fingerprint, face, voice, or iris recognition. Behavioral biometrics such as keystroke dynamics can also be used.

Location

Increasingly, the location factor has been using as an additional security factor in the MFA techniques. Users may have to be hard-wired or connected to a particular WIFI hot spot in terms to access the service endpoint. Netflix uses IP addresses from users to determine which service area the user is located to provide different contents under the copyright in the local area.

Time

Time factors can also be incorporated into the authentication process. Server modulators can limit access to a certain group of users in certain time periods.

It’s only considered an MFA when combining two or more credentials from different authentication factors. While asking for a user to enter their password with a soft token sent to their personal mobile phone in real-time would be considered as an MFA, scanning their fingerprint and iris wouldn’t be. I’m gonna do some digging into technologies in programming with this mindset and see what I can come up with. Stay tuned to see my next mini project on MFA.

Link to my GitHub

Find me on LinkedIn

--

--

Pan Li
Pan Li

Written by Pan Li

Software Engineer, React.js || Javascript || RoR

No responses yet