What is Multi-Factor Authentication?

Oct 31, 2014

Understanding the concept of multi-factor authentication really isn't that hard, but it is an important step towards better digital security.


For this discussion authentication refers to the act of confirming someone’s identity and right to access data, funds, etc. When you want to get into your home you authenticate your identity and right to be there with a key. When you pay for something online you authenticate and prove your right to those funds with the information on the credit card. When you open up your iPhone you might authenticate with your fingerprint.

There are three main types of authentication:

Something You Have – Possession Factors

Possession factors require only that you have possession of something. One very old example would be a key – possession of that key opens a lock. Another would be a credit card that does not use the latest chip-and-PIN technology – simply having the credit card is enough to use it.

Possession factors – in the form of locks and keys – have been used for hundreds of years but most are vulnerable to one of a variety of different attacks and are not on their own adequately secure.

A more modern, and much more secure, possession factor is a mobile application like Google Authenticator which will be discussed later.

Something You Know – Knowledge Factors

Probably the most common form of authentication knowledge factors include things like passwords and PIN numbers. Other examples involve what are often referred to as “password recovery” or “secret questions” like “what was your mother’s maiden name?”

The great advantage of knowledge factors like passwords is that they are easily changed. The disadvantage is that, using modern technology, simple passwords are easily cracked, necessitating the use of complex passwords.

Unfortunately it is extremely difficult if not impossible for most people to remember more than a few strong passwords, and reusing even strong passwords is very dangerous. If your favorite “strong” password is comprised in a large scale attack on one retailer (for example) it means that all the accounts that use that account are compromised. To use passwords effectively you absolutely must commit to a sound password strategy.

Even strong, unique passwords can be hacked using techniques like keystroke logging and, once compromised, can be easily shared. This means that knowledge factors alone are not enough.

Something You Are – Inherence Factors

Inherence Factors typically involve biometrics – most often a fingerprint or retina scan, sometimes facial or voice recognition. The Touch ID home button on iOS devices is one popular example.

The first major disadvantage to biometrics is that they can, with varying degrees of difficulty, be copied. Many mobile devices that use facial recognition can be fooled simply by pointing them at a photograph of the owner of the device. Copying fingerprints is harder but not impossible. In this regard they are more secure than knowledge factors like passwords which can be shared very easily.

The second major disadvantage is that once a biometric factor has been compromised it cannot easily be changed. A password or PIN number can be changed. An ATM card can be replaced. You can’t change or replace a fingerprint.


Examples Single Factor Authentication

When you enter a key into a lock you are using a single possession factor. If instead you enter a combination or PIN number you are using a single knowledge factor. When you swipe a credit card you use a single possession factor. When you use your thumb to unlock your iPhone using the Touch ID feature you are using a single inherence factor.


Examples Of Multi-Factor Authentication

When you withdraw money from an ATM you are using two different factors. Something you have (the ATM card with data on the magnetic stripe) and something you know (the PIN number). The PIN does not appear on the card and is not stored on the magnetic stripe which means that simply having the card is not enough – the PIN number is something you have to know.

What about the CCV used with credit cards? This is very different than the PIN on ATM cards because the CVV code appears on the back of the credit card. It is not stored on the magnetic stripe, but it does appear on the card. That means that the card is the only factor that your need.

The newer chip-and-PIN technology which, like ATM cards, requires a separate PIN number that does not appear anywhere on the card addresses this weakness. This makes them much more secure. If you lose a credit card now you need to cancel it immediately because possession of that card is all someone needs to use it. With chip-and-PIN technology the card use useless without the accompanying PIN.

A less common example can be found at many data centers or higher security offices. These often employ a system that requires the visitor to first swipe an ID card or token (possession factor) and then submit to a fingerprint or retina scan.


As additional authentication factors are introduced security improves. An outstanding example of this is the Google Authenticator application.

Related Content

How To Migrate Google Authenticator To A New iPhone

Instructions on how to move Google Authenticator to a new iPhone so you don't lose access to accounts with two-factor authentication enabled.

Why Have Security Questions After Password Authentication?

Asking security questions after password authentication is not just pointless, it actually makes things less secure.

How To Securely Hide (and Encrypt) Files On Mac OS X

How to hide/secure files on your Mac: An easy approach to protecting your data by securing, hiding, and encrypting selected files and folders in Mac OS X.

Security Through Obscurity On Mac OS X – Better Solutions

A look at how security through obscurity (hiding files) is doomed to fail in Mac OS X, plus a look at some easy ways to truly secure files on your Mac.

Showing Hidden Files vs Hiding Regular Files in Mac OS X

They might seem like flip sides of the same coin but the techniques used to show hidden files on a Mac are not the best solution for securely hiding files.

What Does Incognito/Private Mode Really Mean?

The incognito or private mode in your web browser can offer you some additional privacy but not as much as you may think, and you still need to be careful.

"Your Apple Device has been locked..." Another Scam

Does "http://www.alerts-safari.info" say "Your Apple Device has been locked, due to security reasons"? Don't panic, it's not – just don't call the number!

Short Guide to (Finding, Sharing, etc.) SSH Keys on Mac OS X

A short guide to SSH keys and Mac OS X: How to create, find, share and add SSH Keys (and deal with related SSH errors and warnings) on Mac OS X.

Open Safari Without Opening Windows From The Last Session

How to open Safari without automatically re-opening windows/tabs from the last session. This can save you if you ever run into ransomware.

Multi-Factor Authentication With Google Authenticator

Using Google Authenticator to increase digital security through the use of multi-factor authentication.

Category List

Tag List

Tag Cloud