Talk:Multi-factor authentication

From Wikipedia, the free encyclopedia

Merge two-factor authentication into multi-factor authentication[edit]

The article for two-factor authentication describes all three authentication categories in detail. When I'm looking at the article for multi-factor authentication, what I'm really looking for is the information in two-factor authentication. "Two factor" simply refers to using two out of three, nothing more, thus the articles should be merged. Anongork (talk) 20:23, 1 October 2012 (UTC)

  • Strongly disagree. It should be easily intelligible that a timely sequential process, as with two dependent subsequent steps, is different from a modally twofold process with two logically independent, different and deliberately used factors in one context. Wireless friend (talk) 09:50, 25 May 2014 (UTC) Wireless friend (talk) 23:37, 19 July 2014 (UTC)
  • Agree. I understand that the two are different, but the difference can be explained in the MFA page. They are sufficiently similar that much of the same content applies to both, and writing two pages about them is redundant. Andrew (talk) 15:49, 27 November 2012 (UTC)
  • Strongly agree. This is a textbook case of concepts best treated together (like left handed and right handed). Besides the two-/multi- issue, "two-factor authentication" is a much more common term than "two-step verification." Check these searches of Ars Technica articles: 49 hits for "two-step verification" v. 671 for "two-factor authentication".—Neil 21:30, 6 February 2014 (UTC)
  • Awkward. Two hands from two persons are much different from two hands of one person. Logic is more complicated than just counting. Wireless friend (talk) 23:41, 19 July 2014 (UTC)
  • Note. The following relevant discussion took place on Talk:Two-step verification. I've added a notice directing further comments here. —Neil 23:44, 28 February 2014 (UTC)
  • This page should not really exist, and the "Two factor authentication" stub certainly should not redirect here (it should go to "multi factor authentication" instead). "Two step" is the promotional name Google gave to their solution. 2FA is what the industry calls this, not "two step". — Preceding unsigned comment added by (talk) 00:33, 9 November 2013 (UTC)
    • Agree. This page reads more like an ad for Google; one would think that Google invented this technology and that all others listed in the bulleted list came after. I daresay none of those listed use "Two-step verification", but rather "Two-Factor Authentication". If anything, Google should be a bullet on a page listing Two-Factor Authentications. Alphaman (talk) 21:28, 3 January 2014 (UTC)
    • Disagree. It appears that all those entities in the list given claim that they are using "Two-step verification". So there is definitely a place for this article in Wikipedia. It was definitely not intended as an advertisement for Google. If it sounds that way, could it be edited to make it look more neutral? Krishnachandranvn (talk) 01:31, 10 February 2014 (UTC)
    • Agree (partially). "Two factor authentication" stub certainly should not redirect here. However two-step verification is not the same thing as -- or even a googleism for -- two factor authentication. Two-step authentication simply involves "two steps", even if both of these are the same factor. For example, entering a PIN and using a software token constitutes two-step authentication but not two-factor authentication. (talk) 21:36, 18 February 2014 (UTC)


I suggest merging the "strong authentication" and "two-factor authentication" articles into the "multi-factor authentication" article. These three things are similar enough that one article can cover all three things, and also clearly point out the subtle but important differences between them. I would also support merging all three into an article titled "authentication factor". -- (talk) 18:21, 2 November 2009 (UTC)

-- (talk) 14:25, 7 July 2011 (UTC) Northox: I believe it should all be merged in Strong Authentication since Multi-Factor Authentication (which includes Two-Factor Authentication) is the technique used to implement Strong Authentication requirements.

Multi-factor authentication is not synonymous with two-factor authentication[edit]

Multi-factor authentication can use more than two factors. It can use all the three factors (knowledge, possession, body properties). MFA is a more general term than TFA. --pabouk (talk) 09:03, 3 November 2009 (UTC)

I too want to be on record that Multi-factor authentication is not synonymous with two-factor authentication as MFA is more general than TFA. Wikiold1 (talk) 04:20, 31 December 2009 (UTC)

I agree. Still, I think that the articles should be merged. (talk) 13:34, 22 January 2010 (UTC)

TFA is not the same as MFA[edit]

From a risk and security perspective, Two factor is not the same as multi-factor. Two factor is just username and password which, from a security perspective, is not a high enough level and can be easily cracked. Multi factor is usually 3 items such as username, password and pin code or biometric. —Preceding unsigned comment added by (talk) 18:29, 6 May 2010 (UTC)

  • Everything you said depends on circumstance or is just simply wrong. -- 14:32, 26 May 2010 (UTC) —Preceding unsigned comment added by (talk)
  • Just simply wrong. "Username" is not a factor. Username and password is single factor authentication. RandyFranklinSmith (talk) 20:48, 14 July 2010 (UTC)
    • Quite right. The username is the identification -- the claim to the identity. The (secret) password is the additional input to the authentication process, used to prove that the identification is correct. And as to the security level of that, it depends entirely on the complexity of the password, and the degree to which it is independent of the identity (and perhaps a few things more). But I also think the article should not mention 'something the user knows' in the context of username, as this simply adds to the confusion between the identification and the factors used to decide if the identification is correct. Athulin (talk) 08:51, 30 July 2010 (UTC)
    • TFA is username/password and something else --- the username/password is considered 1 factor.

-- (talk) 14:40, 7 July 2011 (UTC)

  • Northox: No, it's not. Factors can only be three things: "something you know"/password/pin/passphrase, "something you have"/token, "something you are"/biometric. A username is not a factor. It's a public identifier. Using only a password is One-Factor Authentication. While using a password, a token and a PIN to unlock the token is: something you have and two times something you know. Some people consider this as being Three-Factor Authentication but it's not, if we refer to the intent of the factors: "From a security perspective, the idea is to use evidences which have separate range of attack vectors (e.g. logical, physical) leading to more complex attack scenario and consequently, lower risk." I personally like to refer to this as Type 112 authentication in regard to NCSC-TG-017 types (two times type 1 (something known) and one type 2 (something you have)).

No 'theory' or 'model' of n-factor authentication?[edit]

It seems to me that someone must have formulated a model and requirements somewhere -- on the lines of database normalization rules, say. If that has been done, it should be pretty clear that two-factor authentication is just a special case of multi-factor authentication, and it would probably help a lot in clearing up mistakes such as thinking that the identity is a factor, and not what is to be proved.

Such a model should probably have one main input (the identity to be proved), the different 'factors' that are used in that proof as additional inputs, and one output (TRUE/FALSE) indicating if the authentication was successful or not. There must be additional requirements -- taking the inspiration from database normalization, it seems pretty clear that the 'factors' should be independent of each other and the identity (and perhaps also 'the world at large') if the authentication should be any good. In that kind of model a two-factor authentication is a process that needs two 'factors' as additional input for the decision.

And such a model should probably also help clarify some smart-card based authentication models. For instance, the model where user enters an identity, and then inserts a smart card, which, in turn, requires a PIN code to generate the additional 'factor', is obviously single factor authentication, as the decision if the stated identity is correct is based on one single factor. The PIN code is not used in that decision at all but another, unrelated, one -- it's more of a 1+1 situation.

But surely something like this must have been done?Athulin (talk) 08:51, 30 July 2010 (UTC)

  • Out-of-Band solutions are at least two-factor and much more secure because of the multitude of systems that must be compromised in order to gain access...but all of these conversations would be moot if the customer Access Point was secure in the first place. Which will require customer education and certain controls the bank needs to have on customer APs that access their core network; such as DNS restriction, approved A-V programs, and patch updating. — Preceding unsigned comment added by (talk) 17:39, 12 July 2011 (UTC)

"True" multifactor on the internet: isn't this a distinction without a difference?[edit]

Most of the examples given for "something the user is" and "something the user has" are facts the bank can't directly verify over an internet connection. When I log into my bank's website using a card number and password, the bank doesn't know that I "have" the card, just that I know the card number (in fact, many times I don't have the card: I have the number memorized, making it no different from a username). Even for fingerprints, the bank wouldn't really know that I had that fingerprint. They would only know that I had some input device that was capable of producing the same sequence of bits that scanning my fingerprint produces, which is not at all difficult, if you know what sequence of bits to copy. I can see how this works if the bank controls all the hardware, but in the context of online banking, how is n-factor authentication better than having n different passwords of equivalent length & entropy? AFAICT they're not any more resistant to phishing or packet-sniffing. (More resistant to being written on a sticky note, sure, but very few hackers actually do home visits.) A major downside I can think of is that card numbers are more of a hassle to change if compromised, and fingerprints are not only (reasonably) impossible to change, but must be reused between different service providers. I think it would help the article if someone could explain why multifactor is harder to compromise. Is it just that typically, real-world passwords are not as long/random? Or is there something else? -- (talk) 01:41, 6 November 2012 (UTC)
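One standard answer to the question posed above, written here as an added illustration and not as anything the poster said: a factor that crosses the wire as a fixed bit string (a password, a memorised card number, or a fingerprint template sent as bits) can be captured and replayed, whereas a possession factor is normally proven by challenge-response, in which the device answers a fresh server nonce with a keyed MAC and the key itself never leaves the device or crosses the wire. All secrets, the class names, and the `HardwareToken` stand-in below are constructed for the demonstration; a real deployment would typically hold a public key rather than a shared key on the server side.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Dict, Optional


class StaticSecretVerifier:
    """Any factor transmitted as a fixed bit string: password, memorised card
    number, or a fingerprint template sent as bits. The verifier only ever
    learns that the client produced the right bits, not how it got them."""

    def __init__(self, secret: bytes) -> None:
        self._salt = secrets.token_bytes(16)          # constructed per instance
        self._stored = self._digest(secret)

    def _digest(self, secret: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret, self._salt, 50_000)

    def verify(self, transmitted: bytes) -> bool:
        return hmac.compare_digest(self._digest(transmitted), self._stored)


class HardwareToken:
    """Stand-in for a device whose key never leaves it (constructed for the example)."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def answer(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class ChallengeResponseVerifier:
    """Proves possession: the server issues a fresh random nonce, the token
    returns HMAC(key, nonce). Each nonce is accepted once, and only while
    outstanding, so a captured response is useless for any later session."""

    def __init__(self, key: bytes) -> None:
        self._key = key                              # shared at enrolment (assumed)
        self._outstanding: Optional[bytes] = None

    def challenge(self) -> bytes:
        self._outstanding = secrets.token_bytes(32)
        return self._outstanding

    def verify(self, response: bytes) -> bool:
        nonce, self._outstanding = self._outstanding, None   # single use
        if nonce is None:
            return False
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def simulate_replays() -> Dict[str, bool]:
    """Runs a legitimate login for each factor type, then re-sends exactly what
    a wire observer would have captured. All secrets here are constructed."""
    results: Dict[str, bool] = {}

    pw_server = StaticSecretVerifier(b"correct horse battery")
    captured_pw = b"correct horse battery"           # bytes seen on the wire
    results["password: real login"] = pw_server.verify(captured_pw)
    results["password: replayed bytes"] = pw_server.verify(captured_pw)

    template = bytes(range(64))                      # constructed scanner output
    fp_server = StaticSecretVerifier(template)
    results["fingerprint-as-bits: replayed bytes"] = fp_server.verify(template)

    key = secrets.token_bytes(32)
    token, cr_server = HardwareToken(key), ChallengeResponseVerifier(key)
    nonce = cr_server.challenge()
    captured_resp = token.answer(nonce)              # bytes seen on the wire
    results["challenge-response: real login"] = cr_server.verify(captured_resp)
    cr_server.challenge()                            # next session: new nonce
    results["challenge-response: replayed response"] = cr_server.verify(captured_resp)
    results["challenge-response: no outstanding challenge"] = cr_server.verify(captured_resp)
    return results


if __name__ == "__main__":
    for scenario, accepted in simulate_replays().items():
        print(f"{scenario:50s} accepted={accepted}")
```

The dictionary returned by `simulate_replays` is the whole argument: the static-secret rows accept the replay, the challenge-response rows reject it, and the verifier never held anything that would let it impersonate the token to a third party if it only stored a public key instead of the shared key assumed here.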

Two-factor vs two-step[edit]

I'd just like to point out that true two-factor authentication requires both factors simultaneously. By comparison, Google's "2-step" authentication requires each factor in sequence and thus is less secure. This is because an attacker gets feedback regarding the correctness of the first factor before having to provide the second. In true two-factor authentication the attacker gets no feedback until both factors have been supplied correctly. The weakest of all is asking for two factors but only requiring one, i.e. "Provide your password OR your ID card".

In terms of security, they rank as follows from most secure to least secure:

  1. Two-factor authentication
  2. Two-step authentication
  3. Single-factor authentication
  4. Either/Or authentication

--JHP (talk) 13:38, 19 April 2013 (UTC)
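The ranking above can be made concrete by running the same account through each policy. The following is an added example written for this talk page, not code from Wikipedia, Google, or any other party named in the thread. The account record, password and salt are constructed; the OTP secret is the RFC 4226 Appendix D test key, so the expected one-time codes are reproducible (counter 0 gives 755224). What it shows is the feedback difference the post describes: the sequential verifier can produce three distinguishable responses, the simultaneous verifier only two, and the either/or policy accepts when just one factor is right.

```python
from __future__ import annotations

import hashlib
import hmac
from typing import Callable, Set, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; stands in for the 'something you have' factor."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


# Constructed account record for the example (not real credentials).
_SALT = b"constructed-salt"


def _password_digest(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


ACCOUNT = {
    "user": "alice",
    "password_digest": _password_digest("correct horse"),
    "otp_secret": b"12345678901234567890",   # RFC 4226 Appendix D test key
    "counter": 0,                            # a real verifier advances this on success
}


def _password_ok(password: str) -> bool:
    return hmac.compare_digest(_password_digest(password), ACCOUNT["password_digest"])


def _code_ok(code: str) -> bool:
    expected = hotp(ACCOUNT["otp_secret"], ACCOUNT["counter"])
    return hmac.compare_digest(code.encode(), expected.encode())


def two_step(password: str, code: str) -> Tuple[bool, str]:
    """Sequential ('2-step'): factor 1 is judged before factor 2 is looked at,
    so the client learns which of the two failed."""
    if not _password_ok(password):
        return False, "password rejected"     # feedback after the first factor alone
    if not _code_ok(code):
        return False, "code rejected"         # confirms the password was right
    return True, "accepted"


def two_factor(password: str, code: str) -> Tuple[bool, str]:
    """Simultaneous: both factors are always evaluated and the only feedback is
    one combined verdict, with the same message for every kind of failure."""
    ok = _password_ok(password) & _code_ok(code)   # '&', not 'and': no short-circuit
    return ok, ("accepted" if ok else "rejected")


def either_or(password: str, code: str) -> Tuple[bool, str]:
    """Weakest: asks for both factors but accepts whichever one is right."""
    ok = _password_ok(password) or _code_ok(code)
    return ok, ("accepted" if ok else "rejected")


def distinct_outcomes(policy: Callable[[str, str], Tuple[bool, str]]) -> Set[str]:
    """Messages a client can observe across right/wrong combinations of the two
    factors; the size of this set is how much a policy reveals per attempt."""
    good_code = hotp(ACCOUNT["otp_secret"], ACCOUNT["counter"])
    trials = [("correct horse", good_code), ("correct horse", "000000"),
              ("wrong", good_code), ("wrong", "000000")]
    return {policy(p, c)[1] for p, c in trials}


if __name__ == "__main__":
    for name, policy in (("two_step", two_step), ("two_factor", two_factor), ("either_or", either_or)):
        print(f"{name:11s} distinguishable outcomes: {sorted(distinct_outcomes(policy))}")
```

The `&` in `two_factor` is deliberate: with `and`, Python would skip the OTP check after a bad password, and the response time alone would become the feedback that the message is designed to withhold.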

Re: "Social Network Factor" - Please do not add unapproved factors to this article[edit]

"Social Network Factor" is not a factor recognized or approved by the FFIEC or any regulatory body. There are three factors approved by the FFIEC and only these three factors are defined in CJIS, FFIEC, HIPAA, and other regulatory guidelines. These three factors are "Something the user knows", "Something the user is", and "Something the user has". Adding other possible factors, such as "someone the user knows", simply confuses individuals who are reading this article in order to comply with regulatory requirements. You might just as easily make up factors such as "Something the user does", "Something the user smells", or "Someplace the user visits". While they may possibly work as authentication factors, they are not approved by the regulatory agencies whose compliance the reader may be attempting to satisfy. — Preceding unsigned comment added by (talk) 15:32, 16 July 2013 (UTC)

This page is titled "Multifactor Authentication" and it describes and discusses the 3 authentication factors identified with Homeland Security Presidential Directive 12 (HSPD-12), the FFIEC's numerous publications, CJIS guidelines, and publications of other government entities. These 3 factors are specifically identified by these agencies, who are tasked with auditing private industry for adherence to these 3 factors. Permitting the addition of spurious "other" factors to be added to this page only confuses readers wishing to learn about the 3 approved authentication factors. While there may be other forms of authentication, such as "someone the user knows", "someplace the user visits", or "something the user smells", these other forms of authentication have not been approved or recognized by the regulatory agencies, whose compliance the reader must satisfy. A vendor or lab promoting these other factors will not help a bank or hospital who must satisfy federal regulators who wish to see compliance within the 3 approved authentication factors. If you wish to talk about other authentication factors, you should do so on another Wikipedia page not related to "Multifactor authentication". — Preceding unsigned comment added by (talk) 00:35, 17 July 2013 (UTC)

Additional from the article's background header: "The U.S. Federal Financial Institutions Examination Council issued supplemental guidance on this subject in August 2006, in which they clarified, "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors." — Preceding unsigned comment added by (talk) 00:40, 17 July 2013 (UTC)
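Applying the FFIEC wording just quoted, together with Northox's "Type 112" counting and the identity-in, TRUE/FALSE-out model proposed in the "theory" section above, as an added example (not code from the article, from NCSC-TG-017, or from any of the cited agencies): the identity is the claim being proved, each presented credential carries one of the three categories, and "true multifactor" is decided by counting distinct categories rather than credentials. The `Credential` and `Decision` types, the function names, and the sample schemes are assumptions made for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List


class Factor(IntEnum):
    """The three recognised categories, numbered as the NCSC-TG-017 types cited above."""
    KNOWLEDGE = 1    # something you know: password, PIN, passphrase
    POSSESSION = 2   # something you have: hardware token, smart card
    INHERENCE = 3    # something you are: fingerprint or other biometric


@dataclass(frozen=True)
class Credential:
    """One piece of evidence presented alongside the identity claim (assumed type)."""
    name: str
    factor: Factor
    verified: bool   # outcome of checking this credential; the check itself lives elsewhere


@dataclass(frozen=True)
class Decision:
    """The model's output: one TRUE/FALSE plus a summary of what was counted."""
    identity: str
    success: bool
    factor_count: int    # distinct categories among the presented evidence
    type_code: str       # NCSC-TG-017 style digits, e.g. "112"

    @property
    def is_true_mfa(self) -> bool:
        # FFIEC 2006 wording: solutions from two or more of the three categories
        return self.factor_count >= 2


def authenticate(identity: str, credentials: List[Credential]) -> Decision:
    """Identity and factors in, TRUE/FALSE out.

    The identity is the claim being proved and is never counted as a factor.
    Two credentials of the same category (password + PIN) add evidence but
    not a second factor, which is why 'Type 112' counts as two factors.
    """
    if not credentials:
        raise ValueError(f"no authentication factor presented for {identity!r}")
    success = all(c.verified for c in credentials)
    categories = {c.factor for c in credentials}
    ordered = sorted(credentials, key=lambda c: int(c.factor))
    type_code = "".join(str(int(c.factor)) for c in ordered)
    return Decision(identity, success, len(categories), type_code)


def example_schemes() -> Dict[str, Decision]:
    """Constructed schemes from the discussion, all with a correct identity claim."""
    pw = Credential("password", Factor.KNOWLEDGE, True)
    pin = Credential("token PIN", Factor.KNOWLEDGE, True)
    token = Credential("hardware token", Factor.POSSESSION, True)
    finger = Credential("fingerprint", Factor.INHERENCE, True)
    bad_pw = Credential("password", Factor.KNOWLEDGE, False)
    return {
        "password only": authenticate("alice", [pw]),
        "password + PIN": authenticate("alice", [pw, pin]),
        "password + PIN + token": authenticate("alice", [pw, pin, token]),
        "password + fingerprint + token": authenticate("alice", [pw, finger, token]),
        "token right, password wrong": authenticate("alice", [bad_pw, token]),
    }


if __name__ == "__main__":
    for scheme, d in example_schemes().items():
        print(f"{scheme:32s} type={d.type_code:4s} factors={d.factor_count} "
              f"true_mfa={d.is_true_mfa} success={d.success}")
```

Under this model "password + PIN + token" is reported as type "112" with two factors: true multifactor by the FFIEC wording, but not the three-factor scheme some vendors would call it, which is exactly the distinction Northox draws.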

Dead Link Replacement[edit]

Reference 10 is a dead link. It should be replaced by a link to I do not know how to edit the link. Would someone please fix it?—Gggustafson (talk) 16:06, 8 October 2013 (UTC)


Evan Hahn has compiled the most extensive list of sites that offer TFA or MFA that I have seen. It is located here: — Preceding unsigned comment added by (talk) 20:23, 10 December 2013 (UTC)

Under construction[edit]

There is no need to report what is missing on this page as long as it is under construction. Thank you. Wireless friend (talk) 08:07, 12 May 2009 (UTC)

On compromised smartphones[edit]

Under the SMS section, should there be a discussion about what happens if the user's smartphone is compromised (hacked)? E.g., I rely on two 2-factor authentication services. Both use SMS tokens. If my smartphone was compromised, I assume the attacker could perform keylogging when I enter my password (e.g. through the browser), then log in at a later time while hiding the SMS token it received. If this attack is done through a trojan I assume it could affect users in bulk. Would e.g. Google's current security scheme be able to prevent this scenario? Bjornte (talk) 07:59, 19 March 2014 (UTC)

Knowledge and Possession confusion - chapter missing[edit]

There's a big confusion in what is knowledge and what is possession. In my opinion, everything that can get easily copied is knowledge. It doesn't matter if this is a 5-character password or a 10-page long certificate. Length shouldn't matter, so both are knowledge. The same applies to soft-tokens and all that related stuff. Even smartcards, as long as you can read the content, are knowledge. And for RSA tokens (and similar) they are knowledge if you know the seed value and the used algorithm. If we compare that to the traditional possession factor, a physical key to a lock, we can also copy it when we know the specifications of the holes etc., so my argument about knowledge has to be taken carefully. I think the difference is that we are mainly talking about IT systems and anything there that can be copied by software is knowledge, no matter how sophisticated the software has to be. Anything that requires some hardware (TPM, HSM, Smartcard that doesn't reveal keys, etc.) is possession. I don't like that companies tell us they have 2FA when they just use some soft-tokens or certificates - that's no 2FA for me. Can we add some chapter about this confusion, different opinions or whatever to this article? -- (talk) 09:07, 17 April 2014 (UTC)