An authentication factor is a piece of information, or a process, used to verify the identity of a person or other entity requesting access to online resources. User authentication for most web sites and services today relies on a single factor: a password. Where a higher level of assurance is required (e.g. for access to an online banking service), a second factor is typically employed in addition to the password, hence “two factor authentication”. This is the common special case of “multi factor authentication” (two or more factors), also marketed as “strong authentication”.
There are three main types of authentication factor:
knowledge factors – e.g. passwords, PINs;
possession factors – e.g. ID cards, tokens;
human factors (aka biometrics) – e.g. fingerprints, iris scans.
Some security practitioners argue that “true” two factor authentication requires two distinct types of factor, and standards bodies agree: NIST SP 800-63B, for example, defines multi-factor authentication as the use of two or more different factor types. This is more than semantics. Two factors of the same type tend to fail in the same way: two knowledge factors can both be phished, keylogged or leaked from the same compromised database, whereas combining a knowledge factor with a possession factor forces an attacker to both learn a secret and obtain an object. Two factors of the same type still raise the bar against guessing, but they do not give the independence of failure modes that the distinct-type requirement is meant to provide.
Who needs two factor authentication?
Passwords alone provide very poor security: they can be guessed, phished, captured by keyloggers or cracked offline from a stolen hash, and they are clearly inadequate to protect high value online services such as Internet banking. Indeed, the Federal Financial Institutions Examination Council (FFIEC, the body responsible for promoting uniformity in the supervision of US financial institutions) has issued guidance stating that single factor authentication is inadequate for high-risk transactions in consumer online banking and calling for multifactor authentication or equivalent layered controls.
Compliance is also driving adoption of two factor authentication in other areas, for example under the Health Insurance Portability and Accountability Act (HIPAA) in healthcare, where the issue is the confidentiality of patient records. And as more of our personal information goes online, privacy, and with it the threat of identity theft, is increasingly an issue in applications as diverse as gaming and dating and as common as Facebook.
Further drivers for two factor authentication include protecting company confidential data (e.g. customer information on salesforce.com), controlling access to paid-for content (e.g. music/video downloads from iTunes) and, perhaps most importantly, demonstrating due care to customers and users.
Two way authentication is equally important
Phishing is one of the most prevalent attacks on the Internet today and a primary enabler of fraud and identity theft, and the increasing sophistication of phishers makes it very difficult for users to distinguish genuine sites from fake ones. It is therefore just as important to authenticate the site to the user as it is to authenticate the user to the site. Where site-to-user and user-to-site authentication are combined, the result is known as “two way authentication”, “mutual authentication” or “bidirectional authentication”. The practical caveat is that the site's proof must be something a fake site can neither obtain nor relay: a proof derived from a per-user secret defeats an attacker who has merely copied the site's appearance, but a man-in-the-middle who relays each message to the genuine site in real time will still obtain a valid proof to show the victim, so the exchange also needs to be tied to the connection (for example through TLS) to cover that case.
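The exchange described above in code, as an added example that is not part of the original page and is not Passfaces' own scheme: a generic shared-secret challenge-response in Python in which the site must prove knowledge of the user's secret first, and the user's side releases nothing until that proof checks out. The class and function names (Server, Client, PhishingServer, run_exchange), the nonce sizes, the HMAC labels and the constructed enrolment record are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed enrolment record for this example: one user and a 32-byte shared
# secret. Assumption: the secret was established out of band at enrolment and
# lives in the server's existing credential store.
ENROLLED = {"alice": hashlib.sha256(b"constructed demo secret for alice").digest()}


def _mac(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over a direction label and length-prefixed parts, so that
    (a || b, c) and (a, b || c) can never produce the same input."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big"))
        h.update(p)
    return h.digest()


class Server:
    """Genuine site: proves knowledge of the user's secret before asking the
    user to prove anything (site-to-user, then user-to-site)."""

    def __init__(self, enrolled):
        self.enrolled = enrolled
        self.pending = {}  # session id -> (username, client_nonce, server_nonce)

    def begin(self, username, client_nonce):
        key = self.enrolled.get(username)
        if key is None:
            # Unknown user: answer with an unverifiable proof so the response
            # shape does not reveal whether the account exists.
            key = secrets.token_bytes(32)
        sid = secrets.token_hex(8)
        server_nonce = secrets.token_bytes(16)
        self.pending[sid] = (username, client_nonce, server_nonce)
        proof = _mac(key, b"site-to-user", client_nonce, server_nonce)
        return sid, server_nonce, proof

    def finish(self, sid, client_proof):
        state = self.pending.pop(sid, None)  # one-shot: a replayed proof finds no session
        if state is None:
            return False
        username, client_nonce, server_nonce = state
        key = self.enrolled.get(username)
        if key is None:
            return False
        expected = _mac(key, b"user-to-site", server_nonce, client_nonce)
        return hmac.compare_digest(expected, client_proof)


class PhishingServer(Server):
    """Look-alike site: knows the user name but holds no shared secrets."""

    def __init__(self):
        super().__init__(enrolled={})


class Client:
    """The user's side: checks the site's proof before releasing its own."""

    def __init__(self, username, key):
        self.username, self.key = username, key
        self.client_nonce = None

    def begin(self):
        self.client_nonce = secrets.token_bytes(16)
        return self.username, self.client_nonce

    def site_is_genuine(self, server_nonce, server_proof):
        expected = _mac(self.key, b"site-to-user", self.client_nonce, server_nonce)
        return hmac.compare_digest(expected, server_proof)

    def prove(self, server_nonce):
        return _mac(self.key, b"user-to-site", server_nonce, self.client_nonce)


def run_exchange(client, server):
    """Drive the three messages. Returns (site_verified, user_verified);
    user_verified is None when the client aborted after the site failed its check."""
    username, client_nonce = client.begin()                                # 1. user -> site
    sid, server_nonce, server_proof = server.begin(username, client_nonce)  # 2. site -> user
    if not client.site_is_genuine(server_nonce, server_proof):
        return False, None                                                 # refuse to continue
    user_ok = server.finish(sid, client.prove(server_nonce))               # 3. user -> site
    return True, user_ok


if __name__ == "__main__":
    alice = Client("alice", ENROLLED["alice"])
    print(run_exchange(alice, Server(ENROLLED)))   # genuine site: (True, True)
    print(run_exchange(alice, PhishingServer()))   # fake site: (False, None)
```

Against the genuine site both directions verify; against the look-alike the client stops after message 2 and never sends anything a phisher could reuse. The scheme only defeats a fake site that lacks the secret: an attacker who proxies each message to the genuine site in real time obtains a valid server proof to relay, which is why a deployment would also bind the exchange to the TLS session rather than rely on the shared-secret proof alone.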
Passfaces two way, two factor authentication
Passfaces' patented graphical password technology is unique in providing both two factor authentication and two way authentication in a single process. Passfaces also offers a combination of other benefits, including security, usability, portability, ease of deployment, reliability and low cost, that makes it a compelling choice of two factor authentication system.
Passfaces capitalizes on the universal human ability to remember and recognize faces and is intuitive to use regardless of age, language, education or culture. Although Passfaces is essentially a knowledge factor, it is based on recognition of familiar faces rather than recall (as with a password or a PIN). Recognition is a far more robust form of memory than recall: dedicated regions of the brain are involved in face processing, and we recognize a familiar face within a fraction of a second. Familiar faces appear to be “hard-wired” in our brains, which makes Passfaces very reliable (people rarely forget a familiar face) and gives it some of the characteristics of a biometric or human factor, even though for the purpose of the factor-type distinction above it remains something the user knows.
Passfaces two factor authentication is implemented entirely in server-side software with a user interface that works in any web browser. There are no tokens for users to lose or forget, no client software to install and no “crypto-cookies” to tie the user to a single machine. Passfaces leverages existing password infrastructure and requires no additional servers or databases; furthermore, Passfaces can be fully deployed in a Web environment within a few days rather than the weeks or months required by more complex alternatives.