Multi-factor authentication

Multi-factor authentication is an extension to two-factor authentication. The common demand for protection of physical or functional access is not fulfilled, when simple procedures allow for transfer of authenticity between members of staff or users or an authenticated access to a room or a work position is maintained, even when the requesting user leaves the room with the door open or the work position with the application not terminated or the account not closed.

Factorised authentication
Authentication with several factors is a common approach. An independent factor is understood as an information type requested to the user and the groupwise or individually distinct information response to be provided in return by the user.

When the factorial authentication information is not independent from another factor, the factor does not contribute to improvement of security, but just eases the handling and mostly reduces the security level.

Two factor authentication
Two factor authentication applies two independent authentication factors. See main article on Two factor authentication.

Three factor authentication
A problem with two factor authentication generally is the lack of significantly increased security: Answering a screen request with user name (factor 1) and password (factor 2) is some authentication, but does not prevent the following typical risks:

This list may be extended acknowledging threat variation reports. It is not a question of whether all these reports are authentic, dregs of success are sufficient to start thriving for improvement.
 * first factor user name is known to other persons as long as logically connected to vocal addressing the user
 * second factor password may be easily guessed by hacking due to shortness and /or binding to common vocabulary
 * second factor password is known to several users after giving knowledge to these individuals by the original owner
 * second factor password is unintentionally disclosed by visual or optical supervision of keyboard
 * typed password sequences are optically recorded
 * typed password sequences are electronically sniffed

The only solution is additional factors that may raise the effort to break through security fences, as far as these factors are independent.

Contributing factors
The variety of contribution to multi-factor authentication is vast, the offerings in industry are legion. For details see under the listed qqualities with the respective categories.

Pseudo-stochastic codes
A very well supported improvement are one-time-passwords. These passwords are numeric or alpha-numeric codes, generated by a code generator according to pseudo-stochastic algorithms. As long as the algorithm is kept secret and the code is strong, this is a secure added value for authentication. However, the keying in of the code rad from the generator and typed at a work position is a tedious procedure. And when the code generating utensil is lost, the securits problem may recur as with other püassword generation.

Location aware authentication
When the authenticity is kept valid until the user leaves the location where access was granted, the offenso to authentication procedures will generally require cooperation in any fraud attempts. Then, however, the only escape for a party threatening the registered user is imposing physical force to make this user present where authenticity is required.

Sufficient solutions are offered with RFID technology, where the readability of a wireless tag will fade out as soon as the user leaves the range of the respective reader. However, this RFID approach is not discriminating adjacent work positions when using long range readers. Hence the user may be limited in mobility at the work position. Additional freedom may be gained with RTLS technology, where the distance limit between the work position and the user or the relative position is assessed during the session at the work position.

Limiting validity
A strong approach to authentication is limiting the validity of authentication factors. There are several qualities of limitations:


 * local limits
 * A local limit may be the allowed distance between the user and a work position.


 * temporal limits
 * A temporal limit may be a time out after the last key access when the work position is closed.


 * modal limits
 * A modal limit may be the restricting of access to enrolled users with special allowance for a class, type or instance of function in a working context.


 * logical limits
 * The most simple restriction is not to allow authentication for a distinct individual at two locations at a time.

Time out limt
The time out limit is the most common security means. However, it is no active authentication factor, but just a restriction on granted access in time.

Walk off
The walk off limit is the most advanced security means. However, it is no active authentication factor, but just a restriction on granted access in distance. This method requires special measurement to detect an individual in contiguity of a certain location.

No second authentication
The single log-on limit is the most simple logical control. However, this restriction requires centralised online supervision in addition to central identity management.