Along with digital identity, authentication is one of the pillars of digital trust. It involves certifying the identity of a person or machine so they can access a service or resource. Let’s take a look at the different simple or strong authentication factors, means and methods.
What is authentication?
Unlike identification, the purpose of authentication is to prove an identity rather than simply establish it. Whereas identification means creating a digital identity, authentication uses that identity to prove, with varying levels of certainty, that the correct person or machine is behind it.
To successfully establish and then prove an identity, a means of authentication needs to be associated with each identity when it is created. In the physical world, the national ID card or passport fulfills this role: these documents are designed to be very difficult (or impossible) to falsify, although the level of difficulty varies from one country to another. In the digital world, when an account is created with a new service, in most cases the user is asked to provide a password as the means of authentication.
What does strong or multi-factor mean?
There are three categories of factors, or secrets, that can be used to prove an identity:
- What I know (something that only the user knows): a password, PIN, etc.
- What I have (something that only the user has): a telephone, token, smart card, etc.
- What I am (something which characterizes the user in a unique way): biometrics.
New uses are also bringing new categories, such as what I can do (behavior) and where I am (position).
Most authentication today is based on a single factor, usually a password or code. It offers limited guarantees and is vulnerable to identity theft. That is why strong authentication, which involves at least two different factors (also called two-factor authentication, or 2FA), is becoming more prevalent.
The different means
Once the factors have been defined, they are implemented through means of authentication. For example: entering a password for the knowledge factor; a smart card for PIN knowledge combined with card possession; fingerprint, facial or voice recognition for biometrics; typing biometrics for behavior; or GPS coordinates for position.
Once the factors and means have been defined, a method needs to be chosen. The method is the framework for determining whether authentication has succeeded and whether access is granted or denied.
An authentication method takes different criteria into account, such as:
- The means to be validated
- Whether the means are presented together or one after another
- Whether or not the user may provide a means other than the one requested
- The allowed number of failed authentications
- The maximum number of consecutive changes of the means of authentication
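As an added illustration (not code from the original article), the following Python models a method over these criteria: which means are accepted, a budget of failed attempts, and the rule that strong authentication needs two distinct factor categories, so a password plus a PIN still counts as a single factor. The means names and the MEANS_FACTOR mapping are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

class Factor(Enum):
    """Factor categories from the article: the three classic ones plus behavior and position."""
    KNOW = "what I know"
    HAVE = "what I have"
    ARE = "what I am"
    DO = "what I can do"
    WHERE = "where I am"

# Constructed mapping from an authentication means to the factor category it proves.
MEANS_FACTOR = {
    "password": Factor.KNOW, "pin": Factor.KNOW,
    "smart_card": Factor.HAVE, "otp_token": Factor.HAVE,
    "fingerprint": Factor.ARE, "typing_rhythm": Factor.DO, "gps": Factor.WHERE,
}

@dataclass
class Method:
    """The method: which means are accepted, how many distinct factors are needed, failure budget."""
    allowed_means: frozenset
    required_factors: int = 2   # two distinct categories = strong authentication
    max_failures: int = 3

@dataclass
class Session:
    validated: list = field(default_factory=list)   # means successfully presented so far
    failures: int = 0

def distinct_factors(validated):
    """Two means from the same category (e.g. password + PIN) count as a single factor."""
    return {MEANS_FACTOR[m] for m in validated}

def present(method, session, means, verified):
    """Record one presentation of a means; return 'granted', 'pending' or 'locked'.
    `verified` is the outcome of checking that means (a real system verifies the
    password hash, OTP, etc.; here the caller supplies the result)."""
    if session.failures >= method.max_failures:
        return "locked"
    # A means other than those the method requests counts as a failed attempt.
    if means not in method.allowed_means or not verified:
        session.failures += 1
        return "locked" if session.failures >= method.max_failures else "pending"
    if means not in session.validated:
        session.validated.append(means)
    if len(distinct_factors(session.validated)) >= method.required_factors:
        return "granted"
    return "pending"
```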
Authentication factors, means and methods must be considered together with business needs and security or regulatory requirements in order to define and design a strong authentication system that is both robust and smooth for users.