Along with digital identity, authentication is one of the pillars of digital trust. It involves certifying the identity of a person or machine so they can access a service or resource. Let’s take a look at the different simple or strong authentication factors, means and methods.
What is authentication?
Unlike identification, the purpose of authentication is to prove rather than simply establish an identity. Whereas identification means creating a digital identity, authentication uses this identity to prove, with varying levels of certainty, that it is the correct person or machine behind the identity.
To successfully establish and then prove an identity, a means of authentication needs to be associated with each identity when it is created. In the physical world, the national ID card or passport fulfills this role. These documents are renowned for being very difficult (or impossible) to falsify, although the level of difficulty varies from one country to another. In the digital world, when an account is created with a new service, in most cases the user is asked to provide a password as a means of authentication.
Strong or multi-factor authentication
There are three categories of authentication factor, or secret, for proving an identity:
- What I know (something that only the user knows): a password, PIN, etc.
- What I have (something that only the user has): a telephone, token, smart card, etc.
- What I am (something which characterizes the user in a unique way): biometrics.
New uses have brought new categories, such as what I can do (behavior) and where I am (position).
Most authentication in use today relies on a single authentication factor, usually a password or code. This offers limited guarantees and leaves accounts vulnerable to identity theft. That is why strong authentication, which combines at least two different authentication factors, is becoming more prevalent.
The different means of authentication
Once the authentication factors have been defined, they need to be implemented using means of authentication. For example: entering a password for the knowledge factor; a smart card unlocked with a PIN for possession of the card combined with knowledge of the PIN; fingerprint, facial or voice recognition for biometrics; typing biometrics for behavior; or GPS coordinates for position.
Once the factors and means of authentication have been defined, an authentication method needs to be chosen. This is the framework for determining whether authentication has been successful and whether access is authorized or denied.
An authentication method takes different criteria into account such as:
- The means of authentication to be validated
- The coordinated or consecutive presentation of means
- Whether or not it is possible to provide a means of authentication other than the one requested
- The allowed number of failed authentications
- The maximum number of means of authentication changes in a row
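As an added example (not code from the original article), the criteria above can be encoded as a small authentication-method policy: the required factor categories with the means accepted for each (more than one entry means an alternative means may be offered), coordinated or consecutive presentation, the allowed number of failures, and the maximum number of changes of means in a row. The category and means names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed example: an authentication method expressed as a policy that,
# after each presented means, decides whether access is granted, denied or still pending.
@dataclass
class AuthMethod:
    required: Dict[str, Set[str]]   # factor category -> acceptable (alternative) means
    consecutive: bool = False       # True: factors must be presented in dict order
    max_failures: int = 3           # allowed number of failed authentications
    max_switches: int = 2           # maximum changes of means in a row for one factor

    def category_of(self, means: str) -> Optional[str]:
        return next((c for c, alts in self.required.items() if means in alts), None)

@dataclass
class Session:
    satisfied: Set[str] = field(default_factory=set)
    failures: int = 0
    switches: int = 0
    last_means: Optional[str] = None   # last means tried for the factor still pending
    state: str = "pending"             # pending / granted / denied

def present(method: AuthMethod, session: Session, means: str, verified: bool) -> str:
    """Record one presented means (verification result given) and return the session state."""
    if session.state != "pending":
        return session.state            # granted/denied are terminal
    category = method.category_of(means)
    if category is None or category in session.satisfied:
        return session.state            # unknown or already satisfied means: ignored
    if method.consecutive:
        expected = next(c for c in method.required if c not in session.satisfied)
        if category != expected:
            return session.state        # out of order: not accepted, not counted
    if session.last_means not in (None, means):
        session.switches += 1           # the user abandoned one means for another
        if session.switches > method.max_switches:
            session.state = "denied"
            return session.state
    session.last_means = means
    if verified:
        session.satisfied.add(category)
        session.last_means, session.switches = None, 0   # next factor starts clean
        if session.satisfied == set(method.required):
            session.state = "granted"
    else:
        session.failures += 1
        if session.failures >= method.max_failures:
            session.state = "denied"
    return session.state
```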
It is essential to consider authentication factors, means and methods in relation to business needs and security or regulatory challenges in order to define and design a strong authentication system that is both robust and smooth for users.