Authentication means knowing who is on the other end of the line. Authentication is essential before you share any non-public information with the other person, whether you are sharing it by phone, email, instant messaging or in person. Authentication is based on one of three "factors":

  • Something you are – recognizing your face, voice, fingerprint, signature, etc.
  • Something you have – a car key, a digital certificate on your computer, an ID card or security token
  • Something you know – a password, the last four of your SSN, mother’s maiden name, etc.

Multi-Factor Authentication means checking against two or more of those factor types. For example, the HELP Desk might check caller ID to see if you are calling from your own phone (something you have) and still ask for your employee ID number (something you know). A debit card is another form of two-factor authentication: you need both the physical card and the four-digit PIN to get cash out of the ATM. Authentication methods that use more than one factor are more difficult to compromise than single-factor methods.

In a weaker sense, multi-factor authentication is sometimes interpreted as asking for two things you know – a password and a PIN. This is better protection than asking for a single password alone, but considerably weaker than proper multi-factor authentication, because both credentials belong to the same factor. If a hacker knows enough to compromise your password, they are also likely to be able to compromise your PIN. Still, internet sites which require both a password and a PIN have added "friction" to the process. They force the hacker to do more work and make it more likely that the hacker will go somewhere else instead.
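The distinction above can be made concrete in code. The following is an added example, not from the original post: it verifies each presented credential, records which of the three factor types it proves, and only reports "multi-factor" when at least two distinct types are satisfied, so password plus PIN counts as one factor while password plus a TOTP code (something you have) counts as two. The factor categories, the sample account and its salt are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Which of the three factors each credential type demonstrates (assumed mapping).
FACTOR_OF = {"password": "knows", "pin": "knows", "totp": "has", "fingerprint": "is"}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a valid code proves possession of the shared secret."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def hash_secret(value: str, salt: bytes) -> bytes:
    """Slow salted hash so stored knowledge factors are not kept in the clear."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


# Constructed sample account (hypothetical); real secrets would come from a credential store.
SALT = b"constructed-salt"
ACCOUNT = {
    "password": hash_secret("correct horse battery staple", SALT),
    "pin": hash_secret("4729", SALT),
    "totp_secret": b"12345678901234567890",  # the RFC 6238 test-vector secret
}


def verify(presented: dict, unix_time: int) -> set:
    """Check each presented credential; return the set of factor types it proves."""
    proven = set()
    for kind, value in presented.items():
        if kind in ("password", "pin"):
            ok = hmac.compare_digest(hash_secret(value, SALT), ACCOUNT[kind])
        elif kind == "totp":
            # Accept the current 30 s step and its neighbours to tolerate clock drift.
            ok = any(hmac.compare_digest(value, totp(ACCOUNT["totp_secret"], unix_time + d))
                     for d in (-30, 0, 30))
        else:
            ok = False
        if ok:
            proven.add(FACTOR_OF[kind])
    return proven


def is_multifactor(proven: set) -> bool:
    """Proper MFA needs credentials from at least two distinct factor types."""
    return len(proven) >= 2
```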
