Talk:Two-factor authentication

From Wikipedia, the free encyclopedia

A common example of T-FA is a bank card (credit card, debit card);

My credit card doesn't require the second form of authentication so it's just "something you have"

Credit cards do utilize T-FA. The second factor is your signature, which is rudimentary biometric authentication. (of course, it's not like anybody checks signatures any more...)


another one-factor issue

the article also shows another example of T-FA:

>> IBM's new ThinkPad, which includes a fingerprint reader that signs users into all their passwords.

>Fingerprint is something you are. Unless it also requires a password or a token, (and I don't think it does) then this is not T-FA, it's O-FA.


reference: http://www.schneier.com/crypto-gram-0205.html Your fingerprint is not always something that YOU are, it may be something that someone else can be. Please see the section titled "Fun with Fingerprint Readers".

Some people claim that various biometrics are 'something that you are' separate from keys/tokens which are 'something that you have'. Though some measures are more difficult to alter/copy/steal, it is not overly difficult to obtain a finger from someone else. They may be unhappy if you cut it off, but that does not make it impossible.

I agree - the Thinkpad is clearly a case of O-FA and as a result I think it should be removed. Perhaps in general we should clearly list in these examples which TWO factors are shown in this example ... i.e. for SecureID - the 2 factors are something you have (the Token) and something you know (a password which is also required)

an additional authentication factor

Research is ongoing into a fourth authentication factor, "Something you do". This method of authentication works by identifying a common activity pattern or specific personal nuances of a user. Examples include identifying computing users by the way they type or move the mouse, and cellular mobile phone users by their waking/sleeping activity cycles.


Sounds a bit like Biopassword. But wouldn't that still be inclusive of biometric? Typing, mouse movement and waking/sleeping cycles are all biologically-based. B.K. 16:02, 20 October 2006 (UTC)


That's exactly how this has been classified in my involvement with biometrics. "something you do" is the same as "something you are", because you 'are' the entity that 'does' whatever it is you are measuring. I would as soon consider things along the lines of "where you are" (geolocation) or "when you are" (time based access)...but these are actually parameters that can be used to determine authorization, not necessarily Authentication. No, I disagree that there even is a 4th factor; I haven't heard anyone smart enough to come up with one yet. - jglide 20:20, 31 January 2007 (UTC)

other factor: password calendar?

My bank (CIC, a French bank) is using a password calendar in addition to my regular password. Basically, the password calendar comes as a paper sheet (sent by postal mail) where each day is associated with a particular password (the calendar is user-specific).

This is a case of the "something you have" sort of authentication, although it can be considered to be a hybrid form of that and the "something you know" form. In reality, this is merely a form of S/Key, which is a well-established and relatively old form of rotating password.
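The S/Key-style rotating password mentioned above, as an added example that is not part of the original discussion: a hash chain is generated from a secret seed, the user's printed list holds the chain values in reverse order, and the verifier stores only the most recently accepted value, so a password that is reused or presented out of order is rejected. SHA-256 stands in for S/Key's MD4 folding here (an assumption of this sketch, not the RFC 1760 encoding).

```python
import hashlib
import hmac

def hash_step(value: bytes) -> bytes:
    """One link of the chain (SHA-256 stands in for S/Key's MD4 folding)."""
    return hashlib.sha256(value).digest()

def skey_chain(seed: bytes, n: int) -> list:
    """Return [h^0(seed), h^1(seed), ..., h^n(seed)].

    The printed 'calendar' is chain[n-1], chain[n-2], ..., chain[0]: the user
    consumes values from the top of the chain downwards, so each password is
    the preimage of the one used before it.
    """
    chain = [seed]
    for _ in range(n):
        chain.append(hash_step(chain[-1]))
    return chain

class SkeyVerifier:
    """Server side: keeps only the last accepted value and a countdown.

    The seed itself never has to be stored, so a copied verifier database
    does not reveal any password still unused on the paper sheet.
    """

    def __init__(self, anchor: bytes, count: int):
        self.anchor = anchor  # h^count(seed), the top of the chain
        self.count = count    # passwords still remaining on the sheet

    def verify(self, otp: bytes) -> bool:
        if self.count <= 0:
            return False  # sheet exhausted; a new calendar must be issued
        # A valid OTP is exactly the preimage of the stored anchor. Replaying
        # an old OTP fails because its hash is an earlier anchor, not the
        # current one; skipping ahead fails because its hash is not the
        # anchor either (h^(k+1)(seed) != h^count(seed) for k+1 != count).
        if hmac.compare_digest(hash_step(otp), self.anchor):
            self.anchor = otp
            self.count -= 1
            return True
        return False

if __name__ == "__main__":
    # Constructed sample: a 5-entry sheet issued from a demo seed.
    chain = skey_chain(b"constructed demo seed", 5)
    server = SkeyVerifier(chain[5], 5)
    print("first use  :", server.verify(chain[4]))  # accepted
    print("replay     :", server.verify(chain[4]))  # rejected
    print("next in row:", server.verify(chain[3]))  # accepted
```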

Getting rid of ads

This article is riddled with ads. I suggest we link to one vendor for each medium; USB, CD, biometric, one link to a provider for standard security tokens.

I think the vendor information solutions are helpful - they are to me. However we need to keep an eye on the blurring of lines where a vendor solution defines a technology ... such as mobile phones and CAT which is not a standard per se, it's a vendor product. B.K. 16:04, 20 October 2006 (UTC)

Why "Two Factor" and not "Multi-factor" or even "Strong" Authentication

The article 'Strong Authentication' redirected to 'Two-Factor' for me recently. I'm not really complaining, but I do think this is a narrow position. Multi-factor is a bit more robust in the description. There is no "Three Factor" article or redirect that I can find, however biometrics (commonly considered 'the third factor' or assumed to mean three-factor authentication) are discussed frequently in this article.

Wouldn't it make more sense to use Strong Authentication as the article name, with the various two and three factor article names pointing to it, and have a discussion about factors, what constitutes a factor, and various descriptions of 'two' and 'three' factor solutions?

I'm willing to put forth some, maybe most, of the effort to do this; I'd guess 90% of this is simply some structure and article linking, the content of the page would remain intact. Thoughts?

- jglide 22:38, 21 January 2007 (UTC)

Why don't we rename "Two-factor authentication" into "Multi-factor authentication" (MFA)? Strong Authentication can be considered as synonymous to MFA, while 2FA and 3FA are examples of implementation of MFA. I can take a stab at this, I have 6 years experience in this industry.

- cbrehaut 16:23, 23 April 2007 (PST)

T-FA is a popular and mature commercial information encryption technology. If we rename it M-FA, we need to propose such kind of solutions are acceptable to all. OTP came to us in the 1980s and PKI came in the 1990s, T-FA is kind of solution based on PKI technology. We have been developing our security technology level and hope to make strong authentication up to M-FA. As I know, there is kind of interactive ePass solution, which based on T-FA but stronger. Since there is another press key on the USB Token, which is designed against things like Trojan Horse. You can check it and hope the actual M-FA come true with your helps. —Preceding unsigned comment added by FTsafe (talk | contribs) 04:10, 1 February 2008 (UTC)

I agree with renaming the article to Multi-factor authentication and explaining Two-factor authentication as a special case of it (there does not need to be many existing implementations as suggested above by User:FTsafe) but I do not agree that there is a commonly respected definition of the term Strong authentication. It is not always used in the sense of Multi-factor authentication and this should be explained in the article. --pabouk (talk) 13:22, 1 February 2008 (UTC)

in need of attention from an expert on the subject

While this gets many of the fundamentals right there are so many things that are ambiguous or just plain wrong that the whole is worth little.

I'd clean this up myself, but I'm forbidden to by my terms of employment.

--Ant 23:35, 27 January 2007 (UTC)

I would be glad to contribute to the rework of the article, I have expertise on this topic (having worked in this industry for 7 years). I agree it is overall OK but has some mistakes and imprecisions. Not sure if I am allowed to become the expert on this article since I am employed by a vendor in this industry. I would be glad to submit my content to independent reviewers as needed. Let me know what you think.

--cbrehaut 16:25, 23 April 2007 (PST)