Multi-factor authentication

Regulatory Definition

US Federal regulators consistently recognize three authentication factors:

"Existing authentication methodologies involve three basic “factors”:
• Something the user knows (e.g., password, PIN);
• Something the user has (e.g., ATM card, smart card); and
• Something the user is (e.g., biometric characteristic, such as a fingerprint).
Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods." -- Federal Financial Institutions Examination Council (FFIEC)[1]

True multi-factor authentication

"True" multi-factor authentication requires the use of elements from two or more categories. Supplying a user name ("something the user knows") and a password (more of "something the user knows") is still single-factor authentication, despite the use of multiple pieces of distinct information. An example of true multi-factor authentication is requiring that the user also use a hardware token or virtual token™, a smart card or USB dongle ("something the user has"), or a thumbprint or iris scanner ("something the user is").

At the same time they are validating the identity of the user, many online sites also attempt to confirm the validity of the site to the user (called "mutual authentication"). The weakest form of mutual authentication generally displays an image and/or phrase previously selected by the user. More advanced forms of mutual authentication exchange a one-time key with the user's device.

Regulatory Compliance

October 12, 2005

On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) issued guidance for financial institutions recommending that they conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing their Internet-based financial services. The FFIEC identified the three authentication factors as:

• Something the user knows (e.g., password, PIN);
• Something the user has (e.g., ATM card, smart card); and
• Something the user is (e.g., biometric characteristic, such as a fingerprint)

These guidelines recommended the use of “authentication methods that depend on more than one” of these three factors (i.e. “multifactor” authentication). Note that many vendors have attempted to define multi-factor authentication as utilizing "other factors" such as the user's behavior; however, those methods are not approved by the FFIEC.

August 15, 2006

Following the above publication, numerous authentication vendors began improperly promoting challenge-questions, secret images, and other knowledge-based methods as “multi-factor” authentication. Due to the resulting confusion and widespread adoption of such methods, on August 15, 2006, the FFIEC published supplemental guidelines clarifying that such methods do NOT constitute multi-factor authentication:

"By definition true multifactor authentication requires the use of solutions from TWO OR MORE of the three categories of factors. Using multiple solutions from the same category at different points in the process may be part of a layered security or other compensating control approach, but it would not constitute multifactor authentication."

June 22, 2011

On June 22, 2011, the FFIEC published additional guidance recommending the use of “complex device identification”.

As described by the FFIEC in this guidance, complex device identification employs methods that do not easily permit the fraudster to "impersonate the legitimate customer". The FFIEC guidelines describe "one time" cookies based on the customer's underlying device fingerprint elements, as the preferred method of deploying "complex device identification".

"Simple device identification as described above can be distinguished from a more sophisticated form of this technique which uses “one-time” cookies and creates a more complex digital “fingerprint” by looking at a number of characteristics including PC configuration, Internet protocol address, geo-location, and other factors." (Supplement to Authentication in an Internet Banking Environment, Page 6)

As explained by the FFIEC, there is a fundamental difference between "simple device identification" and "complex device identification". Simple device identification utilizes elements that can be easily replicated by the fraudster, such as the victim's IP address or geo-location. Identifying the IP, browser, and operating system elements does not constitute complex device identification because these elements can be, and are, easily detected and "impersonated" by fraudsters. However, when these elements are incorporated into a one-time use cookie, the authentication of this “one time” cookie against these fingerprint elements constitutes a “complex device identification” process not easily impersonated by fraudsters.
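As an added illustration (not from the FFIEC guidance or any vendor's product), the following Python sketches the server side of the one-time-cookie scheme described above: each cookie is random and single-use, and it is bound to a keyed digest of the fingerprint elements, so a copied cookie cannot be replayed and copied elements without the valid cookie gain nothing. The class and function names, the sample device elements and the server key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key for the example; a real deployment would load it from a secret store.
SERVER_KEY = b"constructed-demo-key"


class DeviceRegistry:
    """Binds a one-time cookie to a keyed digest of device fingerprint elements."""

    def __init__(self):
        # cookie digest -> (user, fingerprint digest); only digests are stored, never raw cookies
        self.records = {}

    @staticmethod
    def fingerprint(elements):
        # Elements such as IP address, browser and OS are normalized into one stable keyed digest.
        canon = "|".join(f"{k}={elements[k]}" for k in sorted(elements))
        return hmac.new(SERVER_KEY, canon.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _digest(cookie):
        return hmac.new(SERVER_KEY, cookie.encode(), hashlib.sha256).hexdigest()

    def issue(self, user, elements):
        # A fresh random cookie is minted at enrollment and again after every successful use.
        cookie = secrets.token_urlsafe(32)
        self.records[self._digest(cookie)] = (user, self.fingerprint(elements))
        return cookie

    def verify_and_rotate(self, user, cookie, elements):
        # The presented cookie is consumed whether or not the check passes, so it can never be replayed.
        rec = self.records.pop(self._digest(cookie), None)
        if rec is None:
            return None  # unknown or already-used cookie (e.g. a replayed copy)
        rec_user, fp = rec
        if rec_user != user or not hmac.compare_digest(fp, self.fingerprint(elements)):
            # Cookie presented with elements that do not match the enrolled device; the caller
            # would fall back to a step-up challenge and re-enrollment rather than accept it.
            return None
        return self.issue(user, elements)  # success: rotate to a new one-time cookie
```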

The FFIEC does not endorse any commercial products or services. However, the "complex device identification" model outlined by the FFIEC describes a commercially available (and patent-pending) Virtual Token™ concept introduced in 2005 by the security company Sestus®. As described on the company's website, Virtual tokens™ utilize "one time" cookies based on "a complex digital fingerprint” utilizing a number of characteristics including PC configuration, Internet protocol address, geo-location, and other factors.

References

  1. "FFIEC Press Release - October 12, 2005". 2005-10-12. http://www.ffiec.gov/press/pr101205.htm. Retrieved 2011-05-13.