Talk:Two-factor authentication

From Wikipedia, the free encyclopedia
Revision as of 23:00, 17 June 2009

A common example of T-FA is a bank card (credit card, debit card);

My credit card doesn't require the second form of authentication so it's just "something you have"

Credit cards do utilize T-FA. The second factor is your signature, which is rudimentary biometric authentication. (of course, it's not like anybody checks signatures any more...)

another one-factor issue

the article also shows another example of T-FA:

>> IBM's new ThinkPad, which includes a fingerprint reader that signs users into all their passwords.

>Fingerprint is something you are. Unless it also requires a password or a token, (and I don't think it does) then this is not T-FA, it's O-FA.


reference: http://www.schneier.com/crypto-gram-0205.html Your fingerprint is not always something that YOU are, it may be something that someone else can be. Please see the section titled "Fun with Fingerprint Readers".

Some people claim that various biometrics are 'something that you are' separate from keys/tokens which are 'something that you have'. Though some measures are more difficult to alter/copy/steal, it is not overly difficult to obtain a finger from someone else. They may be unhappy if you cut it off, but that does not make it impossible.

I agree - the Thinkpad is clearly a case of O-FA and as a result I think it should be removed. Perhaps in general we should clearly list in these examples which TWO factors are shown in this example ... i.e. for SecureID - the 2 factors are something you have (the Token) and something you know (a password which is also required)

an additional authentication factor

Research is ongoing into a fourth authentication factor, "Something you do". This method of authentication works by identifying a common activity pattern or specific personal nuances of a user. Examples include identifying computing users by the way they type or move the mouse, and cellular mobile phone users by their waking/sleeping activity cycles.


Sounds a bit like Biopassword. But wouldn't that still be inclusive of biometric? Typing, mouse movement and waking/sleeping cycles are all biologically-based. B.K. 16:02, 20 October 2006 (UTC)[reply]


That's exactly how this has been classified in my involvement with biometrics. "something you do" is the same as "something you are", because you 'are' the entity that 'does' whatever it is you are measuring. I would as soon consider things along the lines of "where you are" (geolocation) or "when you are" (time based access)...but these are actually parameters that can be used to determine authorization, not necessarily Authentication. No, I disagree that there even is a 4th factor; I haven't heard anyone smart enough to come up with one yet. - jglide 20:20, 31 January 2007 (UTC)


Note: federal regulators have repeatedly rejected "something you do" as a legitimate second factor. The FFIEC and the FDIC have clarified repeatedly that there are only THREE authentication factors they consider acceptable for multi-factor authentication (something you know, have, and are). Unfortunately, some security vendors whose products fail to meet the regulatory definition of multi-factor authentication have been promoting their user profiling and other "something you know" products as valid MFA products. Such approaches are fine, in and of themselves, but they do NOT satisfy regulators when they are reviewed in terms of MFA compliance. Just FYI...

other factor: password calendar?

My bank (CIC, a French bank) is using a password calendar in addition to my regular password. Basically, the password calendar comes as a paper sheet (sent by postal mail) where each day is associated with a particular password (the calendar is user-specific).

This is a case of the "something you have" sort of authentication, although it can be considered to be a hybrid form of that and the "something you know" form. In reality, this is merely a form of S/Key, which is a well-established and relatively old form of rotating password.
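As an added illustration of the S/Key mechanism the reply above refers to (this is example code written for this page, not anything from the CIC calendar or from the S/Key implementation itself): the client derives a chain of values by hashing a seed repeatedly, the server stores only the top of the chain, and each login presents the value one step below what the server last accepted. Assumptions made here: SHA-256 stands in for the folded MD4 of the original S/Key, raw bytes stand in for the six-word encoding, and a small resynchronisation window (`window=3`) is added so that a password consumed on the sheet but never seen by the server does not lock the user out. The seed and class names are this example's own.

```python
import hashlib
import secrets
from typing import Optional, Tuple


def step(x: bytes) -> bytes:
    """One-way function for the chain.

    The original S/Key (RFC 1760) used MD4 folded to 64 bits; SHA-256 is an
    assumption of this example. The chain structure is unchanged.
    """
    return hashlib.sha256(x).digest()


def chain(seed: bytes, k: int) -> bytes:
    """Return step^k(seed): the seed passed through step() k times."""
    x = seed
    for _ in range(k):
        x = step(x)
    return x


class SKeyServer:
    """Verifier. Stores only the last accepted value and a counter, never the seed.

    A stolen server record yields nothing reusable: producing the next
    password would require inverting step().
    """

    def __init__(self, top: bytes, count: int, window: int = 3) -> None:
        self.last_accepted = top      # initially step^count(seed)
        self.remaining = count
        self.window = window          # how far ahead the client may have drifted

    def verify(self, candidate: bytes) -> bool:
        if self.remaining == 0:
            return False              # chain exhausted: user must re-enrol
        # Accept step^(n-j)(seed) for j in 1..window, so a password the client
        # used up but the server never saw does not lock the user out.
        x = candidate
        for j in range(1, min(self.window, self.remaining) + 1):
            x = step(x)
            if x == self.last_accepted:
                self.last_accepted = candidate
                self.remaining -= j   # skipped values are burned, not reusable
                return True
        return False


class SKeyClient:
    """Prover: the 'password calendar'. Holds the seed and walks the chain downwards."""

    def __init__(self, seed: bytes, count: int) -> None:
        self.seed = seed
        self.next_index = count - 1

    def next_password(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted")
        pw = chain(self.seed, self.next_index)
        self.next_index -= 1
        return pw

    def printed_sheet(self) -> list:
        """Remaining passwords in use order, as they would appear on the mailed sheet."""
        return [chain(self.seed, i).hex()[:16] for i in range(self.next_index, -1, -1)]


def enroll(count: int, seed: Optional[bytes] = None) -> Tuple[SKeyClient, SKeyServer]:
    """Set up both sides. The seed stays with the client; the server gets only the chain top."""
    seed = seed if seed is not None else secrets.token_bytes(16)
    return SKeyClient(seed, count), SKeyServer(chain(seed, count), count)


def demo() -> dict:
    # Constructed seed so the run is reproducible; real use takes secrets.token_bytes().
    client, server = enroll(5, seed=b"constructed-seed-for-demo")
    first = client.next_password()
    results = {
        "first_accepted": server.verify(first),
        "replay_rejected": not server.verify(first),
        "garbage_rejected": not server.verify(b"\x00" * 32),
    }
    for _ in range(4):                # use up the rest of the sheet
        server.verify(client.next_password())
    results["exhausted"] = server.remaining == 0
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The check that matters is in `SKeyServer.verify`: a value is accepted only if hashing it (up to `window` times) reproduces the stored value, and the stored value then moves down the chain, so an observed password is worthless once used. Whether this counts as "something you have" or "something you know" is exactly the question the thread raises; the mechanism itself is the same either way.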

Getting rid of ads

This article is riddled with ads. I suggest we link to one vendor for each medium; USB, CD, biometric, one link to a provider for standard security tokens.

I think the vendor information solutions are helpful - they are to me. However we need to keep an eye on the blurring of lines where a vendor solution defines a technology....such as mobile phones and CAT which is not a standard per se, it's a vendor product. B.K. 16:04, 20 October 2006 (UTC)[reply]

Why "Two Factor" and not "Multi-factor" or even "Strong" Authentication

The article 'Strong Authentication' redirected to 'Two-Factor' for me recently. I'm not really complaining, but I do think this is a narrow position. Multi-factor is a bit more robust in the description. There is no "Three Factor" article or redirect that I can find, however biometrics (commonly considered 'the third factor' or assumed to mean three-factor authentication) are discussed frequently in this article.

Wouldn't it make more sense to use Strong Authentication as the article name, with the various two and three factor article names pointing to it, and have a discussion about factors, what constitutes a factor, and various descriptions of 'two' and 'three' factor solutions?

I'm willing to put forth some, maybe most, of the effort to do this; I'd guess 90% of this is simply some structure and article linking, the content of the page would remain intact. Thoughts?

- jglide 22:38, 21 January 2007 (UTC)

Why don't we rename "Two-factor authentication" into "Multi-factor authentication" (MFA)? Strong Authentication can be considered as synonymous to MFA, while 2FA and 3FA are examples of implementation of MFA. I can take a stab at this, I have 6 years experience in this industry.

- cbrehaut 16:23, 23 April 2007 (PST)

T-FA is a popular and mature commercial information encryption technology. If we rename it M-FA, we need to propose such kind of solutions are acceptable to all. OTP came to us in the 1980s and PKI came in the 1990s, T-FA is kind of solution based on PKI technology. We have been developing our security technology level and hope to make strong authentication up to M-FA. As I know, there is kind of interactive ePass solution, which based on T-FA but stronger. Since there is another press key on the USB Token, which is designed against things like Trojan Horse. You can check it and hope the actual M-FA come true with your helps. —Preceding unsigned comment added by FTsafe (talkcontribs) 04:10, 1 February 2008 (UTC)[reply]

I agree with renaming the article to Multi-factor authentication and explaining Two-factor authentication as a special case of it (there does not need to be many existing implementations as suggested above by User:FTsafe) but I do not agree that there is a commonly respected definition of the term Strong authentication. It is not always used in the sense of Multi-factor authentication and this should be explained in the article. --pabouk (talk) 13:22, 1 February 2008 (UTC)[reply]

in need of attention from an expert on the subject

While this gets many of the fundamentals right there are so many things that are ambiguous or just plain wrong that the whole is worth little.

I'd clean this up myself, but I'm forbidden to by my terms of employment.

--Ant 23:35, 27 January 2007 (UTC)[reply]

I would be glad to contribute to the rework of the article, I have expertise on this topic (having worked in this industry for 7 years). I agree it is overall OK but has some mistakes and imprecisions. Not sure if I am allowed to become the expert on this article since I am employed by a vendor in this industry. I would be glad to submit my content to independent reviewers as needed. Let me know what you think.

--cbrehaut 16:25, 23 April 2007 (PST)

If there are any suggestions you or any expert would like to submit, you are perfectly entitled to edit the article. You may, if you prefer, suggest changes here (or just highlighting what is wrong would be a help). Neıl 13:09, 25 June 2008 (UTC)[reply]

virtual tokens

Someone seems to keep trying to add a link to a product called PhishCops which also features in the article. The description of the technology available from the website of the company is vague and technically insufficient to warrant a mention on Wikipedia. It also smells like a scam. Basically, it promises to be more secure than traditional password-logins but without relying on any extra client-side software or hardware. It compares itself with hardware tokens and claims to be an improvement over them.

I'm removing it from the article now. Please keep an eye out for it magically reappearing. --83.89.0.118 (talk) 02:43, 28 June 2008 (UTC)[reply]

Flawed

I didn't post the tag but I'll comment here.

  • Relatively technical topics (I know, this isn't the least bit technical in comparison to something like X-ray crystallography, but bear with me) absolutely need a concise and entry level lead per WP:LEAD. I see there is a "summary" right below the lead--that could probably be merged up to help make a better lead.
  • Subsections should proceed from general information to specifics. The second sentence in the Two-factor authentication methods section should not be on an RSA paper using social networking as a fourth factor.
  • History (if possible) should be found on the topic and used to give it some depth to the general reader.
  • Some references should be cited.

Other than that it appears to be a relatively direct and factual article. Like I said, I didn't post the tag, but I saw the request for clarification on the poster's talk page so I figured I would offer mine. Protonk (talk) 18:09, 9 December 2008 (UTC)[reply]