Two Factor Authentication

What is it?

Two factor authentication (2FA) is to require two authentication methods for access, each of them from a different authentication factor, along with an identification factor, in order to assure identity. Which factors are used does not matter. So, for instance, yesterday your CISO (Chief Information Security Officer) sent a memo to all employees, informing them that a new login policy, requiring a username, password and now a fingerprint scan upon each login, is effective immediately for system access. Your CISO has just implemented 2FA. In this case, your username is the identification factor. Your password and fingerprint, which are used to prove that your username belongs to you, are the authentication factors.

What isn’t it?

For a relatively simple concept, much confusion abounds about exactly what constitutes 2FA. For purposes of clarification, it might help to highlight what 2FA isn’t. It isn’t simply the act of requiring submittal of two pieces of information, from the user in question. So, for instance, a username + password combo is not two factor authentication, because the username is the identification factor, not an authentication factor.

It also is not the act of requiring two instances of (a set of two different values for) one given authentication factor. So, for instance, requiring a username and two passwords from a given user would not count. That would still be considered single factor authentication, because the two variables employed fall under the same authentication factor, which is “Something You Know.”

Additionally, adding a security question, such as “What is your mother’s maiden name,” would not make it 2FA. Your answer to said security question is another piece of information that you know, which means it falls under the same class of authentication factor that a password does.

Why bother?

2FA reduces the risk of failure of a weak factor or of any factor, in fact. For example, an employee uses a default or weak password, such as “password.” This password can be easily guessed, but paired with the requirement of a retina scan for system access, it instantly becomes more robust as a security measure, and is no longer a single point of failure, logically or physically. Proper implementation of 2FA is a fundamental part of good “layered security” a.k.a. “defense-in-depth” strategy.

To investigate whether your company might benefit from any of several approaches to 2FA, call us today.