Multi-factor Authentication – CompTIA Network+ N10-007 – 4.2

There are many ways to authenticate to a service. In this video, you’ll learn about many common authentication factors.

<< Previous Video: Authorization, Authentication, and Accounting Next: Access Control >>

Most of us are very familiar with logging in to a device and using our username and password. But what if we wanted to provide additional security and require more authentication factors than simply a password? We can do that by using multi-factor authentication. If someone’s using two factors, you’ll sometimes see this called two factor authentication, or 2FA. Some of these authentication factors might be something you are, something you have, something you know, somewhere you are, or something you do.

Although these authentication factors would provide additional security during the authentication process, they could be expensive to implement. For example, you might need to have separate hardware tokens that people are using during the login process. Or maybe you’re installing biometric equipment so someone can scan a fingerprint to gain access to a room. Some of these multi-factor authentications are inexpensive. They could be an app that runs on a smartphone, for example, making it very easy to be able to install and use additional authentication factors.

One of the most common authentication factors is something you know. And one of the most common somethings that you know is a password. This would be a secret word or a secret phrase that you use along with your username to gain access to a resource. We might also use a PIN as something we know, which is a Personal Identification Number. If you’re getting money from an ATM or you’re using a smart card, you’re often asked to input a Personal Identification Number, and if you unlock your mobile device using a swipe pattern, that swipe pattern is a good example of something you know.

Another good way to authenticate access is to require that a user have something with them. This is something you have. A good example might be a smart card. So you would plug a smart card into a computer and provide a Personal Identification Number. And obviously, you would be the only person who happens to have that smart card.

Some organizations might put a certificate on a USB key. And that certificate is something that only you would have, and you would have to use that USB key during the authentication process.

Another good example of something you have is a pseudo random code that could be provided on a piece of hardware, like the dongle we have here. We can see the code of 233521. You would put in your username and your password, and it usually prompts you for the code that happens to be on this particular token. There are also a number of software-based tokens that you can get for your mobile devices. So as long as you have your phone with you, you can authenticate with that particular code.

And another example of having your mobile phone as something you have would be an SMS message or a text message sent to your phone that might have that code inside of it that you would use during that login process.

If we extend these authentication factors down to a person themselves, we’re using a factor of something you are. This could be something like a fingerprint, an iris scan, or a voiceprint. These are not usually storing a picture of your fingerprint or your iris, but are instead creating a mathematical representation of what you happen to be. And they’re storing that information to be able to reference later.

These types of authentication factors would be very difficult to change. Our password is an authentication factor we can change often, but our fingerprint is a type of authentication factor that should rarely change.

When these types of authentication factors are working properly, they can provide very high security, because no one else has your iris and no one else has your fingerprint. But these biometric readers are not always foolproof, so they should not be considered the only factor you would use for authentication.

Another useful authentication factor might be a geographical location of where someone happens to be. This factor is somewhere you are. so we would need some way to determine where you happened to be during that login process. One way to find out where someone might be is to look at their IPv4 address.

We know that the IPv4 addresses aren’t a perfect representation of geography, but they might get you a little closer to knowing what country someone might be in. Unfortunately, the large address space with IPv6 doesn’t give you the granularity you might have with IP version 4.

Many of the devices we’re carrying around have a GPS, which means we can get very detailed information of where someone might be. You need to be in an area that can at least receive the communication from the GPS satellites, or at least you need to be able to triangulate against ground-based systems. This triangulation may not provide an exact location of where a user happens to be, but it might be close enough to make a decision for authentication purposes.

And the last authentication type we’ll look at is something you do. This would be something that you do that is very unique to you. No one else would be able to duplicate. For example, a signature is something that’s very unique to a person, and we have handwriting analysis that can examine the technique between two signatures to determine if it’s the same person. Or perhaps our typing style itself is something that’s examined, to see if the same type of style is being used between different logins. This is very similar to biometrics, which is something you are, but something you do is external to the person. So if we’re signing something or typing on our keyboard, this would be something that we do.