This is the talk page for discussing improvements to the Multi-factor authentication article.
WikiProject Computer Security / Computing (Rated C-class, High-importance)
This article is substantially duplicated by a piece in an external publication. Please do not flag this article as a copyright violation of the following source:
- 1 Merge two-factor authentication into multi-factor authentication
- 2 merge
- 3 Multi-factor authentication is not synonymous with two-factor authentication
- 4 TFA is not the same as MFA
- 5 No 'theory' or 'model' of n-factor authentication?
- 6 "True" multifactor on the internet: isn't this a distinction without a difference?
- 7 Two-factor vs two-step
- 8 Re: "Social Network Factor" - Please do not add unapproved factors to this article
- 9 Dead Link Replacement
- 10 Examples
- 11 Under construction
- 12 On compromised smartphones
- 13 Knowledge and Possession confusion - chapter missing
- 14 Suggested merge?
Merge two-factor authentication into multi-factor authentication
I suggest merging the "strong authentication" and "two-factor authentication" articles into the "multi-factor authentication" article. These three things are similar enough that one article can cover all three things, and also clearly point out the subtle but important differences between them. I would also support merging all three into an article titled "authentication factor". --18.104.22.168 (talk) 18:21, 2 November 2009 (UTC)
--22.214.171.124 (talk) 14:25, 7 July 2011 (UTC) Northox: I believe it should all be merged into Strong Authentication since Multi-Factor Authentication (which includes Two-Factor Authentication) is the technique used to implement Strong Authentication requirements.
Multi-factor authentication is not synonymous with two-factor authentication
Multi-factor authentication can use more than two factors. It can use all three factors (knowledge, possession, body properties). MFA is a more general term than TFA. --pabouk (talk) 09:03, 3 November 2009 (UTC)
No, they aren't synonymous, but 2FA is a subset of MFA. There is nothing in the 2FA page that isn't also in the MFA page, you can't describe MFA without describing 2FA in the process, and there is nothing about MFA that makes it more difficult or complicated to explain than 2FA. No matter how you write the articles, a 2FA article will be completely redundant. I agree that these pages should be merged. Pavon (talk) 22:04, 19 November 2014 (UTC)
TFA is not the same as MFA
From a risk and security perspective, Two factor is not the same as multi-factor. Two factor is just username and password which, from a security perspective, is not a high enough level and can be easily cracked. Multi factor is usually 3 items such as username, password and pin code or biometric. —Preceding unsigned comment added by 126.96.36.199 (talk) 18:29, 6 May 2010 (UTC)
- Everything you said depends on circumstance or is just simply wrong. -- 14:32, 26 May 2010 (UTC) —Preceding unsigned comment added by 188.8.131.52 (talk)
- Just simply wrong. "Username" is not a factor. Username and password is single factor authentication. RandyFranklinSmith (talk) 20:48, 14 July 2010 (UTC)
- Quite right. The username is the identification -- the claim to the identity. The (secret) password is the additional input to the authentication process, used to prove that the identification is correct. And as to the security level of that, it depends entirely on the complexity of the password, and the degree to which it is independent of the identity (and perhaps a few things more). But I also think the article should not mention 'something the user knows' in the context of username, as this simply adds to the confusion between the identification and the factors used to decide if the identification is correct. Athulin (talk) 08:51, 30 July 2010 (UTC)
- TFA is username/password and something else --- the username/password is considered 1 factor.
- Northox: No it's not. Factors can only be three things: "something you know"/password/pin/passphrase, "something you have"/token, "something you are"/biometric. A username is not a factor. It is a public identifier. Using only a password is One-Factor Authentication. While using a password, a Token and a PIN to unlock the token is: something you have and two times something you know. Some people consider this as being Three-Factor Authentication but it's not, if we refer to the intent of the factors: "From a security perspective, the idea is to use evidences which have separate ranges of attack vectors (e.g. logical, physical) leading to more complex attack scenarios and consequently, lower risk." I personally like to refer to this as Type 112 authentication with regard to the NCSC-TG-017 types (two times type 1 (something known) and one type 2 (something you have)).
- In the real world, 2FA is part of MFA. In fact there are no "standards" that in general cover implementations of MFA. Further, the Factors are NOT as specific as spelled out in the article. MFA could involve a username/password, and a pin and verification of an image. ONLY in the world of FAS are they specifically spelled out and if someone wishes to do pages on FAS standard NCSC-TG-017, then that would be fine. In the rest of the world, 2FA and MFA are not so precise. — Preceding unsigned comment added by Jwilleke (talk • contribs) 08:37, 26 October 2014 (UTC)
No 'theory' or 'model' of n-factor authentication?
It seems to me that someone must have formulated a model and requirements somewhere -- on the lines of database normalization rules, say. If that has been done, it should be pretty clear that two-factor authentication is just a special case of multi-factor authentication, and it would probably help a lot in clearing up mistakes such as thinking that the identity is a factor, and not what is to be proved.
Such a model should probably have one main input (the identity to be proved), the different 'factors' that are used in that proof as additional inputs, and one output (TRUE/FALSE) indicating if the authentication was successful or not. There must be additional requirements -- taking the inspiration from database normalization, it seems pretty clear that the 'factors' should be independent of each other and the identity (and perhaps also 'the world at large') if the authentication should be any good. In that kind of model a two-factor authentication is a process that needs two 'factors' as additional input for the decision.
And such a model should probably also help clarify some smart-card based authentication models. For instance, the model where user enters an identity, and then inserts a smart card, which, in turn, requires a PIN code to generate the additional 'factor', is obviously single factor authentication, as the decision if the stated identity is correct is based on one single factor. The PIN code is not used in that decision at all but another, unrelated, one -- it's more of a 1+1 situation.
- Out-of-Band solutions are at least two-factor and much more secure because of the multitude of systems that must be compromised in order to gain access...but all of these conversations would be moot if the customer Access Point was secure in the first place. Which will require customer education and certain controls the bank needs to have on customer APs that access their core network; such as DNS restriction, approved A-V programs, and patch updating. — Preceding unsigned comment added by 184.108.40.206 (talk) 17:39, 12 July 2011 (UTC)
"True" multifactor on the internet: isn't this a distinction without a difference?
Most of the examples given for "something the user is" and "something the user has" are facts the bank can't directly verify over an internet connection. When I log into my bank's website using a card number and password, the bank doesn't know that I "have" the card, just that I know the card number (in fact, many times I don't have the card: I have the number memorized, making it no different from a username). Even for fingerprints, the bank wouldn't really know that I had that fingerprint. They would only know that I had some input device that was capable of producing the same sequence of bits that scanning my fingerprint produces, which is not at all difficult, if you know what sequence of bits to copy. I can see how this works if the bank controls all the hardware, but in the context of online banking, how is n-factor authentication better than having n different passwords of equivalent length & entropy? AFAICT they're not any more resistant to phishing or packet-sniffing. (More resistant to being written on a sticky note, sure, but very few hackers actually do home visits.) A major downside I can think of is that card numbers are more of a hassle to change if compromised, and fingerprints are not only (reasonably) impossible to change, but must be reused between different service providers. I think it would help the article if someone could explain why multifactor is harder to compromise. Is it just that typically, real-world passwords are not as long/random? Or is there something else? --220.127.116.11 (talk) 01:41, 6 November 2012 (UTC)
Two-factor vs two-step
I'd just like to point out that true two-factor authentication requires both factors simultaneously. By comparison, Google's "2-step" authentication requires each factor in sequence and thus is less secure. This is because an attacker gets feedback regarding the correctness of the first factor before having to provide the second. In true two-factor authentication the attacker gets no feedback until both factors have been supplied correctly. The weakest of all is asking for two factors but only requiring one, i.e. "Provide your password OR your ID card".
In terms of security, they rank as follows from most secure to least secure:
- Two-factor authentication
- Two-step authentication
- Single-factor authentication
- Either/Or authentication
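An added example (not from the article or any editor in this discussion) in Python: it models the decision function sketched in the 'theory' thread above (identity plus factors in, one TRUE/FALSE out) and contrasts it with a sequential two-step flow that reports each factor's verdict separately. The user record, salt and password are constructed for the example; the OTP seed is the RFC 4226 test-vector secret, so the codes can be checked against that RFC.

```python
import hashlib
import hmac
import struct

# Constructed demo records (made up for this example). The OTP seed is the
# RFC 4226 test-vector secret so the codes below can be checked against the RFC.
USERS = {
    "alice": {
        "salt": b"demo-salt",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", b"demo-salt", 100_000),
        "otp_seed": b"12345678901234567890",
    }
}
# Dummy record so an unknown identity costs the same work as a real one.
DUMMY = {"salt": b"dummy", "pw_hash": bytes(32), "otp_seed": bytes(20)}

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed: bytes, at: float, step: int = 30) -> str:
    # RFC 6238: the HOTP counter is the Unix time divided by the step.
    return hotp(seed, int(at) // step)

def check_password(user: str, password: str) -> bool:
    rec = USERS.get(user, DUMMY)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
    return user in USERS and hmac.compare_digest(digest, rec["pw_hash"])

def check_token(user: str, code: str, at: float) -> bool:
    rec = USERS.get(user, DUMMY)
    return user in USERS and hmac.compare_digest(code.encode(), totp(rec["otp_seed"], at).encode())

def two_step_login(user: str, password: str, code: str, at: float) -> str:
    """Sequential flow: the first factor's verdict leaves before the second is checked."""
    if not check_password(user, password):
        return "password rejected"
    if not check_token(user, code, at):
        return "token rejected"
    return "ok"

def two_factor_login(user: str, password: str, code: str, at: float) -> bool:
    """Identity plus both factors in, one TRUE/FALSE out; both are always evaluated."""
    pw_ok = check_password(user, password)
    tok_ok = check_token(user, code, at)
    return pw_ok and tok_ok
```

The two-step variant returns three distinguishable outcomes, the two-factor variant only two, which is the feedback difference the comment above describes.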
Re: "Social Network Factor" - Please do not add unapproved factors to this article
"Social Network Factor" is not a factor recognized or approved by the FFIEC or any regulatory body. There are three factors approved by the FFIEC and only these three factors are defined in CJIS, FFIEC, HIPAA, and other regulatory guidelines. These three factors are "Something the user knows", "Something the user is", and "Something the user has". Adding other possible factors, such as "someone the user knows", simply confuses individuals who are reading this article in order to comply with regulatory requirements. You might just as easily make up factors such as "Something the user does", "Something the user smells", or "Someplace the user visits". While they may possibly work as authentication factors, they are not approved by the regulatory agencies whose compliance the reader may be attempting to satisfy. — Preceding unsigned comment added by 18.104.22.168 (talk) 15:32, 16 July 2013 (UTC)
This page is titled "Multifactor Authentication" and it describes and discusses the 3 authentication factors identified with Homeland Security Presidential Directive 12 (HSPD-12), the FFIEC's numerous publications, CJIS guidelines, and publications of other government entities. These 3 factors are specifically identified by these agencies, who are tasked with auditing private industry for adherence to these 3 factors. Permitting the addition of spurious "other" factors to be added to this page only confuses readers wishing to learn about the 3 approved authentication factors. While there may be other forms of authentication, such as "someone the user knows", "someplace the user visits", or "something the user smells", these other forms of authentication have not been approved or recognized by the regulatory agencies, whose compliance the reader must satisfy. A vendor or lab promoting these other factors will not help a bank or hospital who must satisfy federal regulators who wish to see compliance within the 3 approved authentication factors. If you wish to talk about other authentication factors, you should do so on another Wikipedia page not related to "Multifactor authentication". — Preceding unsigned comment added by 22.214.171.124 (talk) 00:35, 17 July 2013 (UTC)
Additional from the article's background header: "The U.S. Federal Financial Institutions Examination Council issued supplemental guidance on this subject in August 2006, in which they clarified, "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors." — Preceding unsigned comment added by 126.96.36.199 (talk) 00:40, 17 July 2013 (UTC)
Dead Link Replacement
Reference 10 is a dead link. It should be replaced by a link to http://www.dhs.gov/homeland-security-presidential-directive-12. I do not know how to edit the link. Would someone please fix it? —Gggustafson (talk) 16:06, 8 October 2013 (UTC)
Examples
Evan Hahn has compiled the most extensive list of sites that offer TFA or MFA that I have seen. It is located here: http://evanhahn.com/tape/two-factor-auth-list/ — Preceding unsigned comment added by 188.8.131.52 (talk) 20:23, 10 December 2013 (UTC)
On compromised smartphones
Under the SMS section, should there be a discussion about what happens if the user's smartphone is compromised (hacked)? E.g., I rely on two 2-factor authentication services. Both use SMS tokens. If my smartphone was compromised, I assume the attacker could perform keylogging when I enter my password (e.g. through the browser), then log in at a later time while hiding the SMS token it received. If this attack is done through a trojan I assume it could affect users in bulk. Would e.g. Google's current security scheme be able to prevent this scenario? Bjornte (talk) 07:59, 19 March 2014 (UTC)
Knowledge and Possession confusion - chapter missing
There's a big confusion in what is knowledge and what is possession. In my opinion, everything that can get easily copied is knowledge. It doesn't matter if this is a 5-character password or a 10-page long certificate. Length shouldn't matter, so both are knowledge. The same applies to soft-tokens and all that related stuff. Even smartcards, as long as you can read the content, are knowledge. And for RSA tokens (and similar) they are knowledge if you know the seed value and the used algorithm. If we compare that to the traditional possession factor, a physical key to a lock, we can also copy it when we know the specifications of the holes etc, so my argument about knowledge has to be taken carefully. I think the difference is that we are mainly talking about IT systems and anything there that can be copied by software is knowledge, no matter how sophisticated the software has to be. Anything that requires some hardware (TPM, HSM, Smartcard that doesn't reveal keys, etc.) is possession. I don't like that companies tell us they have 2FA when they just use some softtokens or certificates - that's no 2FA for me. Can we add some chapter about this confusion, different opinions or whatever to this article? --184.108.40.206 (talk) 09:07, 17 April 2014 (UTC)
Suggested merge?
Was the merge approved or not? The Two factor authentication article says in the lede that it's also called 2FA, but 2FA redirects to Multi-factor authentication. Timtempleton (talk) 19:00, 9 March 2015 (UTC)