
Talk:Multi-factor authentication: Difference between revisions

From Wikipedia, the free encyclopedia
SineBot (talk | contribs)
m Signing comment by 120.151.160.158 - "→‎Obsolescence Warring: "
Line 175: Line 175:
:We can use a Bruce Schneier source for the statement that ''Bruce Schneier thinks'' that something is obsolete, but it's nowhere near strong enough to put that adjective in the opening sentence of the article. Reeling out [[WP:SYN]] lists of security breaches and obsolescence quotes isn't any better - it's trivial to find lists of examples where credit card PINs, text passwords, cash money and handwritten signatures are all compromisable and described by a few serious writers as "obsolete", but we would not (yet) open the [[Coin]] article with "A coin is an obsolete piece of hard material..." --[[User:McGeddon|McGeddon]] ([[User talk:McGeddon|talk]]) 14:25, 1 May 2016 (UTC)
:We can use a Bruce Schneier source for the statement that ''Bruce Schneier thinks'' that something is obsolete, but it's nowhere near strong enough to put that adjective in the opening sentence of the article. Reeling out [[WP:SYN]] lists of security breaches and obsolescence quotes isn't any better - it's trivial to find lists of examples where credit card PINs, text passwords, cash money and handwritten signatures are all compromisable and described by a few serious writers as "obsolete", but we would not (yet) open the [[Coin]] article with "A coin is an obsolete piece of hard material..." --[[User:McGeddon|McGeddon]] ([[User talk:McGeddon|talk]]) 14:25, 1 May 2016 (UTC)


:: If you don't like the word - what else should go there instead? <small class="autosigned">—&nbsp;Preceding [[Wikipedia:Signatures|unsigned]] comment added by [[Special:Contributions/120.151.160.158|120.151.160.158]] ([[User talk:120.151.160.158|talk]]) 14:27, 1 May 2016 (UTC)</small><!-- Template:Unsigned IP --> <!--Autosigned by SineBot-->
:: If you don't like the word - what else should go there instead? "Obsolete" seems most appropriate on account of the fact it's 30+ years old - that's even older than the web itself! ... but if you prefer something else - I'm all ears. <small class="autosigned">—&nbsp;Preceding [[Wikipedia:Signatures|unsigned]] comment added by [[Special:Contributions/120.151.160.158|120.151.160.158]] ([[User talk:120.151.160.158|talk]]) 14:27, 1 May 2016 (UTC)</small><!-- Template:Unsigned IP --> <!--Autosigned by SineBot-->

Revision as of 14:29, 1 May 2016

WikiProject Computer Security: Computing (C‑class, High‑importance)
This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
This article has been rated as C-class on Wikipedia's content assessment scale.
This article has been rated as High-importance on the project's importance scale.
This article is supported by WikiProject Computing (assessed as Mid-importance).

Merge two-factor authentication into multi-factor authentication

The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.


The article for two-factor authentication describes all three authentication categories in detail. When I'm looking at the article for multi-factor authentication, what I'm really looking for is the information in two-factor authentication. "Two factor" simply refers to using two out of three, nothing more, thus the articles should be merged. Anongork (talk) 20:23, 1 October 2012 (UTC)[reply]

  • This page should not really exist, and the "Two factor authentication" stub certainly should not redirect here (it should go to "multi factor authentication" instead). "Two step" is the promotional name Google gave to their solution. 2FA is what the industry calls this, not "two step". — Preceding unsigned comment added by 120.151.160.158 (talk) 00:33, 9 November 2013 (UTC)
    • Agree. This page reads more like an ad for Google; one would think that Google invented this technology and that all others listed in the bulleted list came after. I daresay none of those listed use "Two-step verification", but rather "Two-Factor Authentication". If anything, Google should be a bullet on a page listing Two-Factor Authentications. Alphaman (talk) 21:28, 3 January 2014 (UTC)
    • Disagree. It appears that all those entities in the list given claim that they are using "Two-step verification". So there is definitely a place for this article in Wikipedia. It was definitely not intended as an advertisement for Google. If it sounds that way, could it be edited to make it look more neutral? Krishnachandranvn (talk) 01:31, 10 February 2014 (UTC)
    • Agree (partially). "Two factor authentication" stub certainly should not redirect here. However two-step verification is not the same thing as -- or even a googleism for -- two factor authentication. Two-step authentication simply involves "two steps", even if both of these are the same factor. For example, entering a PIN and using a software token constitutes two-step authentication but not two-factor authentication. 173.228.119.252 (talk) 21:36, 18 February 2014 (UTC)
  • Strongly disagree. It should be easily intelligible, that a timely sequential process as with two dependent subsequent steps is different from a modally twofold process with two logically independent and different and liberately used factors in one context. Wireless friend (talk) 09:50, 25 May 2014 (UTC) Wireless friend (talk) 23:37, 19 July 2014 (UTC)
  • Agree - They are the same. Look at the words. One-Factor. Two-Factor, Multi-Factor. If someone wishes to put up pages that describe how the FFIEC, or other US Institutions, defines factors and MFA or TFA that is fine, and I encourage them to proceed. But in the real world, the MFA and TFA are the same. — Preceding unsigned comment added by Jwilleke (talk • contribs) 09:02, 26 October 2014 (UTC)
The discussion above is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.

merge

I suggest merging the "strong authentication" and "two-factor authentication" articles into the "multi-factor authentication" article. These three things are similar enough that one article can cover all three things, and also clearly point out the subtle but important differences between them. I would also support merging all three into an article titled "authentication factor". --68.0.124.33 (talk) 18:21, 2 November 2009 (UTC)[reply]

--208.67.168.71 (talk) 14:25, 7 July 2011 (UTC) Northox: I believe it should all be merged in Strong Authentication since Multi-Factor Authentication (which includes Two-Factor Authentication) is the technique used to implement Strong Authentication requirements.

Multi-factor authentication is not synonymous with two-factor authentication

Multi-factor authentication can use more than two factors. It can use all the three factors (knowledge, possession, body properties). MFA is a more general term than TFA. --pabouk (talk) 09:03, 3 November 2009 (UTC)[reply]

I too want to be on record that Multi-factor authentication is not synonymous with two-factor authentication as MFA is more general than TFA. Wikiold1 (talk) 04:20, 31 December 2009 (UTC)[reply]

I agree. Still, I think that articles should be merged. 82.117.194.34 (talk) 13:34, 22 January 2010 (UTC)

No, they aren't synonymous, but 2FA is a subset of MFA. There is nothing in the 2FA page that isn't also in the MFA page, you can't describe MFA without describing 2FA in the process, and there is nothing about MFA that makes it more difficult or complicated to explain than 2FA. No matter how you write the articles, a 2FA article will be completely redundant. I agree that these pages should be merged. Pavon (talk) 22:04, 19 November 2014 (UTC)[reply]

TFA is not the same as MFA

From a risk and security perspective, Two factor is not the same as multi-factor. Two factor is just username and password which, from a security perspective, is not a high enough level and can be easily cracked. Multi factor is usually 3 items such as username, password and pin code or biometric. —Preceding unsigned comment added by 151.151.109.12 (talk) 18:29, 6 May 2010 (UTC)[reply]

  • Everything you said depends on circumstance or is just simply wrong. -- 14:32, 26 May 2010 (UTC) —Preceding unsigned comment added by 194.107.24.10 (talk)
  • Just simply wrong. "Username" is not a factor. Username and password is single factor authentication. RandyFranklinSmith (talk) 20:48, 14 July 2010 (UTC)[reply]
    • Quite right. The username is the identification -- the claim to the identity. The (secret) password is the additional input to the authentication process, used to prove that the identification is correct. And as to the security level of that, it depends entirely on the complexity of the password, and the degree to which it is independent of the identity (and perhaps a few things more). But I also think the article should not mention 'something the user knows' in the context of username, as this simply adds to the confusion between the identification and the factors used to decide if the identification is correct. Athulin (talk) 08:51, 30 July 2010 (UTC)[reply]
    • TFA is username/password and something else --- the username/password is considered 1 factor.

--208.67.168.71 (talk) 14:40, 7 July 2011 (UTC)[reply]

  • Northox: No it's not. Factors can only be three things: "something you know"/password/pin/passphrase, "something you have"/token, "something you are"/biometric. A username is not a factor. It's a public identifier. Using only a password is One-Factor Authentication. While using a password, a Token and a PIN to unlock the token is: something you have and two times something you know. Some people consider this as being Three-Factor Authentication but it's not, if we refer to the intent of the factors: "From a security perspective, the idea is to use evidences which have separate range of attack vectors (e.g. logical, physical) leading to more complex attack scenario and consequently, lower risk.". I personally like to refer to this as Type 112 authentication in regard with NCSC-TG-017 types (two times type 1 (something known) and one type 2 (something you have))
  • In the real world, 2FA is part of MFA. In fact there are no "standards" that in general cover implementations of MFA. Further, the Factors are NOT as specific as spelled out in the article. MFA could involve a username/password, and a pin and verification of an image. ONLY in the world of FAS are they specifically spelled out and if someone wishes to do pages on FAS standard NCSC-TG-017, then that would be fine. In the rest of the world, 2FA and MFA are not so precise. — Preceding unsigned comment added by Jwilleke (talk • contribs) 08:37, 26 October 2014 (UTC)

No 'theory' or 'model' of n-factor authentication?

It seems to me that someone must have formulated a model and requirements somewhere -- on the lines of database normalization rules, say. If that has been done, it should be pretty clear that two-factor authentication is just a special case of multi-factor authentication, and it would probably help a lot in clearing up mistakes such as thinking that the identity is a factor, and not what is to be proved.

Such a model should probably have one main input (the identity to be proved), the different 'factors' that are used in that proof as additional inputs, and one output (TRUE/FALSE) indicating if the authentication was successful or not. There must be additional requirements -- taking the inspiration from database normalization, it seems pretty clear that the 'factors' should be independent of each other and the identity (and perhaps also 'the world at large') if the authentication should be any good. In that kind of model a two-factor authentication is a process that needs two 'factors' as additional input for the decision.

And such a model should probably also help clarify some smart-card based authentication models. For instance, the model where user enters an identity, and then inserts a smart card, which, in turn, requires a PIN code to generate the additional 'factor', is obviously single factor authentication, as the decision if the stated identity is correct is based on one single factor. The PIN code is not used in that decision at all but another, unrelated, one -- it's more of a 1+1 situation.

But surely something like this must have been done? Athulin (talk) 08:51, 30 July 2010 (UTC)

  • Out-of-Band solutions are at least two-factor and much more secure because of the multitude of systems that must be compromised in order to gain access...but all of these conversations would be moot if the customer Access Point was secure in the first place. Which will require customer education and certain controls the bank needs to have on customer APs that access their core network; such as DNS restriction, approved A-V programs, and patch updating. — Preceding unsigned comment added by 76.25.253.214 (talk) 17:39, 12 July 2011 (UTC)[reply]

"True" multifactor on the internet: isn't this a distinction without a difference?

Most of the examples given for "something the user is" and "something the user has" are facts the bank can't directly verify over an internet connection. When I log into my bank's website using a card number and password, the bank doesn't know that I "have" the card, just that I know the card number (in fact, many times I don't have the card: I have the number memorized, making it no different from a username). Even for fingerprints, the bank wouldn't really know that I had that fingerprint. They would only know that I had some input device that was capable of producing the same sequence of bits that scanning my fingerprint produces, which is not at all difficult, if you know what sequence of bits to copy. I can see how this works if the bank controls all the hardware, but in the context of online banking, how is n-factor authentication better than having n different passwords of equivalent length & entropy? AFAICT they're not any more resistant to phishing or packet-sniffing. (More resistant to being written on a sticky note, sure, but very few hackers actually do home visits.) A major downside I can think of is that card numbers are more of a hassle to change if compromised, and fingerprints are not only (reasonably) impossible to change, but must be reused between different service providers. I think it would help the article if someone could explain why multifactor is harder to compromise. Is it just that typically, real-world passwords are not as long/random? Or is there something else? --24.87.152.127 (talk) 01:41, 6 November 2012 (UTC)[reply]

Two-factor vs two-step

I'd just like to point out that true two-factor authentication requires both factors simultaneously. By comparison, Google's "2-step" authentication requires each factor in sequence and thus is less secure. This is because an attacker gets feedback regarding the correctness of the first factor before having to provide the second. In true two-factor authentication the attacker gets no feedback until both factors have been supplied correctly. The weakest of all is asking for two factors but only requiring one, i.e. "Provide your password OR your ID card".

In terms of security, they rank as follows from most secure to least secure:

  1. Two-factor authentication
  2. Two-step authentication
  3. Single-factor authentication
  4. Either/Or authentication

--JHP (talk) 13:38, 19 April 2013 (UTC)[reply]
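
An added illustration, not part of the talk-page discussion: a small Python model of two points made above, namely Athulin's "identity plus factors in, TRUE/FALSE out" model with factors counted by category (so a password plus a PIN is still one factor), and JHP's point that a sequential two-step flow gives feedback on the first step. The user record, credential names and values are constructed for the example.

```python
import hmac
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "something the user knows"
    POSSESSION = "something the user has"
    INHERENCE = "something the user is"


@dataclass(frozen=True)
class Evidence:
    name: str           # which enrolled credential this claims to be
    category: Category
    value: str


# Constructed enrolment data for a hypothetical user; values are samples.
ENROLLED = {
    "alice": {
        "password": (Category.KNOWLEDGE, "correct horse battery"),
        "pin": (Category.KNOWLEDGE, "4821"),
        "otp": (Category.POSSESSION, "193847"),
    }
}


def factor_count(evidence):
    """Count distinct categories, not prompts: password + PIN is one factor."""
    return len({e.category for e in evidence})


def _matches(identity, ev):
    """Check one piece of evidence against the enrolment record."""
    record = ENROLLED.get(identity, {}).get(ev.name)
    category, expected = record if record else (None, "")
    same = hmac.compare_digest(ev.value.encode(), expected.encode())
    return record is not None and category is ev.category and same


def authenticate(identity, evidence, required_factors=2):
    """Identity plus factors in, one TRUE/FALSE out.

    Every item is checked before anything is returned, so the caller
    cannot tell which item was wrong.
    """
    results = [_matches(identity, e) for e in evidence]   # no early exit
    enough = factor_count(evidence) >= required_factors
    return bool(results) and all(results) and enough


def two_step(identity, steps):
    """Sequential variant: returns (ok, failed_step).

    failed_step is the per-step feedback described in the comment above.
    """
    for number, ev in enumerate(steps, start=1):
        if not _matches(identity, ev):
            return False, number
    return True, None


def responses(identity, password_guess, otp_guess):
    """What each design reveals for the same pair of guesses."""
    steps = [
        Evidence("password", Category.KNOWLEDGE, password_guess),
        Evidence("otp", Category.POSSESSION, otp_guess),
    ]
    return {
        "simultaneous": authenticate(identity, steps),
        "two_step": two_step(identity, steps),
    }


if __name__ == "__main__":
    pw, pin = "correct horse battery", "4821"
    one_factor = [Evidence("password", Category.KNOWLEDGE, pw),
                  Evidence("pin", Category.KNOWLEDGE, pin)]
    print("password + PIN:", factor_count(one_factor), "factor,",
          "accepted" if authenticate("alice", one_factor) else "rejected")
    print("right password, wrong OTP:", responses("alice", pw, "000000"))
    print("wrong password, wrong OTP:", responses("alice", "guess", "000000"))
```

With a wrong one-time code, the simultaneous check answers the same for a right and a wrong password, while the two-step flow reports a failure at step 2 or step 1 respectively.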

Re: "Social Network Factor" - Please do not add unapproved factors to this article

"Social Network Factor" is not a factor recognized or approved by the FFIEC or any regulatory body. There are three factors approved by the FFIEC and only these three factors are defined in CJIS, FFIEC, HIPAA, and other regulatory guidelines. These three factors are "Something the user knows", "Something the user is", and "Something the user has". Adding other possible factors, such as "someone the user knows", simply confuses individuals who are reading this article in order to comply with regulatory requirements. You might just as easily make up factors such as "Something the user does", "Something the user smells", or "Someplace the user visits". While they may possibly work as authentication factors, they are not approved by the regulatory agencies whose compliance the reader may be attempting to satisfy. — Preceding unsigned comment added by 70.162.149.36 (talk) 15:32, 16 July 2013 (UTC)[reply]

This page is titled "Multifactor Authentication" and it describes and discusses the 3 authentication factors identified with Homeland Security Presidential Directive 12 (HSPD-12), the FFIEC's numerous publications, CJIS guidelines, and publications of other government entities. These 3 factors are specifically identified by these agencies, who are tasked with auditing private industry for adherence to these 3 factors. Permitting the addition of spurious "other" factors to be added to this page only confuses readers wishing to learn about the 3 approved authentication factors. While there may be other forms of authentication, such as "someone the user knows", "someplace the user visits", or "something the user smells", these other forms of authentication have not been approved or recognized by the regulatory agencies, whose compliance the reader must satisfy. A vendor or lab promoting these other factors will not help a bank or hospital who must satisfy federal regulators who wish to see compliance within the 3 approved authentication factors. If you wish to talk about other authentication factors, you should do so on another Wikipedia page not related to "Multifactor authentication". — Preceding unsigned comment added by 70.162.149.36 (talk) 00:35, 17 July 2013 (UTC)[reply]

Additional from the article's background header: "The U.S. Federal Financial Institutions Examination Council issued supplemental guidance on this subject in August 2006, in which they clarified, "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors." — Preceding unsigned comment added by 70.162.149.36 (talk) 00:40, 17 July 2013 (UTC)[reply]

Dead Link Replacement

Reference 10 is a dead link. It should be replaced by a link to http://www.dhs.gov/homeland-security-presidential-directive-12. I do not know how to edit the link. Would someone please fix it?—Gggustafson (talk) 16:06, 8 October 2013 (UTC)[reply]

Examples

Evan Hahn has compiled the most extensive list of sites that offer TFA or MFA that I have seen. It is located here: http://evanhahn.com/tape/two-factor-auth-list/ — Preceding unsigned comment added by 50.113.51.131 (talk) 20:23, 10 December 2013 (UTC)[reply]

Under construction

There is no need to report what is missing on this page as long as under construction. Thank you. Wireless friend (talk) 08:07, 12 May 2009 (UTC)

On compromised smartphones

Under the SMS section, should there be a discussion about what happens if the user's smartphone is compromised (hacked)? E.g., I rely on two 2-factor authentication services. Both use SMS tokens. If my smartphone was compromised, I assume the attacker could perform keylogging when I enter my password (e.g. through the browser), then log in at a later time while hiding the SMS token it received. If this attack is done through a trojan I assume it could affect users in bulk. Would e.g. Google's current security scheme be able to prevent this scenario? Bjornte (talk) 07:59, 19 March 2014 (UTC)[reply]

Knowledge and Possession confusion - chapter missing

There's a big confusion in what is knowledge and what is possession. In my opinion, everything that can get easily copied is knowledge. It doesn't matter if this is a 5-character password or a 10-page long certificate. Length shouldn't matter, so both are knowledge. The same applies to soft-tokens and all that related stuff. Even smartcards, as long as you can read the content, are knowledge. And for RSA tokens (and similar) they are knowledge if you know the seed value and the used algorithm. If we compare that to the traditional possession factor, a physical key to a lock, we can also copy it when we know the specifications of the holes etc, so my argument about knowledge has to be taken carefully. I think the difference is that we are mainly talking about IT systems and anything there that can be copied by software is knowledge, no matter how sophisticated the software has to be. Anything that requires some hardware (TPM, HSM, Smartcard that doesn't reveal keys, etc.) is possession. I don't like that companies tell us they have 2FA when they just use some softtokens or certificates - that's no 2FA for me. Can we add some chapter about this confusion, different opinions or whatever to this article? --193.134.254.26 (talk) 09:07, 17 April 2014 (UTC)[reply]

Suggested merge?

Was the merge approved or not? The Two factor authentication article says in the lede that it's also called 2FA, but 2FA redirects to Multi-factor authentication. Timtempleton (talk) 19:00, 9 March 2015 (UTC)

I have fixed that redirect (and a bunch of others). It doesn't look like the merge discussion was ever completed. I will try to restart it. ~Kvng (talk) 14:29, 8 July 2015 (UTC)[reply]

Merge again

Reading through the talk pages there seems to be general appreciation that Two-factor authentication is an instance of Multi-factor authentication and there was consensus to merge the two in the past. The merge appears to have been undone in April 2014 for reasons unknown. I think coverage would be improved if the two articles were merged. I believe, despite the fact that the overall topic could be technically best described as Multi-factor authentication, the methods are most widely known as Two-factor authentication so that might be the best title for the merged article. ~Kvng (talk) 14:42, 8 July 2015 (UTC)

  • I strongly disagree with merging. Both articles are relevant. However, we definitely need to improve the content. The article on two factor authentication reads more like an advertisement for one company than a stub. I suggest we all contribute with valuable sources to their improvement and make sure that they both make sense. ScienceGuard (talk) 07:04, 20 July 2015 (UTC)[reply]
@ScienceGuard: do you have an explanation for why both articles are "separately relevant"? Is there a fundamental difference between 2-factor, 3-factor, 4-factor and n-factor authentication? No one is proposing deleting any content. The proposal is to move all content to a single article. Readers will still quickly find this information when searching for "Two-factor authentication" or "Multi-factor authentication". ~Kvng (talk) 14:33, 20 July 2015 (UTC)

Merge

I would be for merging the articles. Two-factor and multi-factor are used very interchangeably in IT security today. It makes sense to consolidate these. Some of the information on the "two-factor" page is inaccurate and is much better represented on the "multi-factor" page so I would suggest a review of which content from the "two-factor" page makes sense to include in the merged article. — Preceding unsigned comment added by Khade72 (talk • contribs) 22:10, 30 July 2015 (UTC)

External links modified

Hello fellow Wikipedians,

I have just added archive links to one external link on Multi-factor authentication. Please take a moment to review my edit. If necessary, add {{cbignore}} after the link to keep me from modifying it. Alternatively, you can add {{nobots|deny=InternetArchiveBot}} to keep me off the page altogether. I made the following changes:

When you have finished reviewing my changes, please set the checked parameter below to true to let others know.

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 5 June 2024).

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—cyberbot IITalk to my owner:Online 01:37, 28 January 2016 (UTC)[reply]

Edit war

Hi 120.151.160.158 (talk · contribs · WHOIS) and David.moreno72 - I've stumbled across this article, and notice the ongoing edit war. It would be easier and less disruptive to openly discuss what's going on. As I see it, the "blog" source being used by 120.151 is written/hosted by the subject in question (Bruce Schneier) and really should not be used to back up a claim (see WP:RS and WP:SELFPUBLISH for more). -- samtar talk or stalk 13:13, 1 May 2016 (UTC)[reply]

Wikipedia rules state this is acceptable when the party in question is a reliable expert in the subject matter, as is Bruce here. — Preceding unsigned comment added by 120.151.160.158 (talk) 14:19, 1 May 2016 (UTC)[reply]

Obsolescence Warring

Bruce Schneier talks extensively about the failure of MFA/2FA in his online "blogs", at conferences during webcasts, and in his books: https://www.google.com.au/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=schneier+books+

His books are for sale - I can't link to the text in them because it's on paper.

Wikipedia has multiple Exceptions for accepting these online blogposts from experts like Bruce - see some here:

  • Some news outlets host interactive columns they call "blogs", and these may be acceptable as sources if the writers are professional journalists or professionals in the field on which they write
  • Self-published material may sometimes be acceptable when its author is an established expert whose work in the relevant field has been published by reliable third-party publications. — Preceding unsigned comment added by 120.151.160.158 (talk) 13:16, 1 May 2016 (UTC)[reply]
@120.151.160.158: The site you are referencing is definitely not a "news outlet". Please provide some evidence that this person is "an established expert whose work in the relevant field has been published by reliable third-party publications." Additionally, I do not refute the fact this person is a subject expert IP, however I think better sources exist - providing one will help solve this dispute and get us all back on track to improving the article -- samtar talk or stalk 13:19, 1 May 2016 (UTC)[reply]
Could you both refrain from editing whilst discussing this? You're both either over or just at the Three Revert Rule -- samtar talk or stalk 13:22, 1 May 2016 (UTC)[reply]
There is a difference between a failure of a technology and its alleged 'obsolescence'. Nowhere in the blog article does it state that the technology is 'obsolete'. I also notice that instead of waiting for a consensus, you have continued to edit war and ignore warnings. Please find a more reliable source that actually unambiguously states that the technology is 'obsolete' before you make any further edits. Thank-you David.moreno72 (talk) 13:28, 1 May 2016 (UTC)
I will add more references. I notice that, even when I added references in the edit summary, the "revert" actions have occurred almost immediately. It's pretty clear that nobody is reading the references!
Obsolete is the correct word. MFA used to work back in the 80's. Today it has "Failed". That's the dictionary meaning of the term #1 "out of date" *and* #2 "replaced with something new" (i.e. transaction signing) — Preceding unsigned comment added by 120.151.160.158 (talk) 13:46, 1 May 2016 (UTC)
You keep using the same reference, and yes I have read it. Nowhere in it does it state that the technology is 'obsolete'. A reference needs to unambiguously back up the claims made in the edit, that is, it is not inferred or interpreted. If you want to make the claim that the technology is 'obsolete', the actual word 'obsolete' needs to be in the reference. David.moreno72 (talk) 14:01, 1 May 2016 (UTC)[reply]
OK Guys - if you still don't like anything, let me know here and I'll fix it. — Preceding unsigned comment added by 120.151.160.158 (talk) 14:09, 1 May 2016 (UTC)[reply]
No, you can't edit the article yet. Cite the reliable source here and quote where it says that it is obsolete. David.moreno72 (talk) 14:12, 1 May 2016 (UTC)[reply]
Here's one reference to Obsolete: http://www.tripwire.com/state-of-security/security-awareness/are-these-4-security-technologies-on-the-verge-of-becoming-obsolete/ let me know if you need that in the actual article as well as the others. (I'll get some more as well just in case - although it seems a little bit petty to quibble over the use of the word when all the citations convey that *meaning* even if many don't use that exact word) — Preceding unsigned comment added by 120.151.160.158 (talk) 14:14, 1 May 2016 (UTC)[reply]
(edit conflict) There's some good discussion going on here, but 120.151 your constant reverting is probably going to get you blocked (see this report) - I would recommend not editing the article again until a consensus is met -- samtar talk or stalk 14:27, 1 May 2016 (UTC)[reply]
We can use a Bruce Schneier source for the statement that Bruce Schneier thinks that something is obsolete, but it's nowhere near strong enough to put that adjective in the opening sentence of the article. Reeling out WP:SYN lists of security breaches and obsolescence quotes isn't any better - it's trivial to find lists of examples where credit card PINs, text passwords, cash money and handwritten signatures are all compromisable and described by a few serious writers as "obsolete", but we would not (yet) open the Coin article with "A coin is an obsolete piece of hard material..." --McGeddon (talk) 14:25, 1 May 2016 (UTC)[reply]
If you don't like the word - what else should go there instead? "Obsolete" seems most appropriate on account of the fact it's 30+ years old - that's even older than the web itself! ... but if you prefer something else - I'm all ears. — Preceding unsigned comment added by 120.151.160.158 (talk) 14:27, 1 May 2016 (UTC)[reply]